UPDATE — JULY 24, 2018: Today Google began rolling out Chrome 68. Now, Google’s browser will display a “Not Secure” warning next to the website in the address bar if the site is not secured with HTTPS.
Malware, shorthand for malicious software, is a growing problem for websites. As noted by Security Week, approximately 18.5 million sites are infected with malware at any given time, and the average website is attacked more than 40 times a day. Which makes this post on anti malware strategies particularly timely.
Already infected? GoDaddy Website Security Express can start clean up in as little as 30 minutes.
The primary aim of malware-spreading hackers? Stealing data — yours or your customers — and selling it for profit. Canadian websites aren’t exempt from this trend. According to a recent white paper from The Canadian Chamber of Commerce, Canada loses 0.17 percent of its GDP each year to cybercrime. In hard numbers, that’s more than three billion dollars.
Also worth noting? The size of your website doesn’t matter. Cybercriminals aren’t looking to prove a point by hacking large websites — they’re looking for the fastest, easiest return on their investment. The result? They cast a wide net, hoping to find smaller sites that don’t use malware scanners or leave critical website services exposed.
5 anti malware strategies to use now
Canada loses 0.17 percent of its GDP each year to cybercrime — and it’s not just the big companies that get hit. Here’s what you can do to protect your business.
Update, update, update.
Pump up passwords.
Click and connect carefully.
Get a malware scanner.
Despite the numbers, it’s not all bad news: Here are five proven anti malware strategies to help reduce your website risk.
1. Update, update, update
First up? Update everything regularly.
Here’s why: Web developers have discovered that they don’t need to reinvent the wheel every time they build a new site or application. By leveraging open source (OS) code for commonly-used features, developers can shorten delivery timelines and enhance website cross-functionality. The potential drawback? Code used by millions of websites could contain unpatched (and unknown) vulnerabilities that can be used by hackers to gain entry into any website that uses that code.
Consider widespread threats like Heartbleed, which used a flaw in OpenSSL to “trick” web servers into sharing sensitive information. Open source code developers, OS designers, CMS (content management system) makers and website providers now regularly release both security updates and patches that improve overall site usability.
There’s some logic here, since patches can cause unexpected downtime and occasionally require a re-patch of the original patch to work correctly. Ultimately, however, it’s a case of inconvenience versus total website infection — wherever possible, pick the update.
2. Pump up passwords
Passwords are also a problem for many organizations. According to Fortune, the most-used passwords of 2017 included:
These are all awful for website security … but great for hackers. Some experts argue it’s time to ditch passwords altogether but, given their widespread use, passing on passwords won’t happen anytime soon.
First, make sure website accounts (for both employees and site visitors) require complex passwords that don’t contain repeated characters or simple words (find tips to share here). Next, create a policy that requires a password change every few months.
Finally, consider some type of two-factor authentication, such as a one-time text code sent to a mobile device or delivered via an authenticator app. This extra layer of protection means that even if hackers get their hands on usernames and passwords they still can’t compromise your business website.
3. Click and connect carefully
Insecure connections can give hackers the opening they’re looking for. For example, public Wi-Fi connections might allow hackers to “eavesdrop” on data being sent and received by your site visitors. Alternately, hackers can insert themselves into website sessions using man in the middle (MiTM) attacks.
Tools such as virtual private networks (VPNs) solve this problem by obscuring website details and IP addresses from would-be hackers.
Using a VPN also lets administrative staff make changes even if they’re away from the office — without risking the security of your site.
Also critical? Teach staff to be careful where they click. These two strategies remain the most dangerous malware threats:
- Phishing attacks, carried out by legitimate-seeming emails that contain malicious links or attachments.
- Drive-by downloads, which occur when unsuspecting users are redirected to malicious websites. They don’t even have to click or accept any software; it automatically downloads.
By educating employees about these risks, it’s possible to reduce the chance of accidental malware infection.
4. Encrypt everything
Want to frustrate attackers looking to steal your data? Encrypt everything. The first step is adding an SSL certificate to your website if you don’t already have one. SSLs like those offered by GoDaddy scramble all data flowing between your website and visitors, using the strongest available 2048-bit encryption.
Another reason to get an SSL: Starting July 2018, Google Chrome will label any website without SSL as ‘Not Secure.’
This is especially critical for customer credit card and personal data. If stolen, this information can be sold on the darknet for profit — and your users might find themselves facing problems with credit and tax agencies for months or years. Your brand reputation can suffer as a result, since consumers now expect companies to safeguard their information online.
5. Get a malware scanner
What if — despite your best efforts — your website falls victim to malware? It’s becoming harder and harder to avoid; more than 16 million healthcare records were stolen last year alone. New malware studies point to an uptick in “cryptomining” tools that leverage unused compute cycles to mine digital currency.
With the Express plan of GoDaddy’s malware scanner, security experts can begin cleanup in as little as 30 minutes.
Thanks to a malware-free guarantee (GoDaddy’s team won’t stop until your site is clean), you can quickly take ownership of any malware issue and reduce its total impact. In addition, the Express and Deluxe plans include a web application firewall (WAF) to help prevent reinfection. With a WAF, incoming traffic is automatically scanned to block known malware, defend against zero-day threats and reduce the risk of DDoS attacks.
Once installed, Website Security conducts daily anti malware scans to keep your site clean and detect potential problems before they become significant issues.
Anti malware strategies that work
Your site — no matter its size — presents a tempting target for would-be cybercriminals. Given the nature of malware and the potential risks of open-source code, attacks are now a matter of “when” not “if.”
Effective anti malware strategies start with regular updates to ensure your site isn’t at risk of already-resolved threats. Next, improve protection with better passwords, increased authentication, employee training, secure connections and complete encryption. Finally, leverage advanced malware scanners to identify existing issues, remediate site threats and detect incoming attacks.