For many business owners, maintaining an online presence is crucial, whether it's to promote products and services or for sales purposes. However, even the simplest websites can be targets for cybercriminals, and vulnerabilities can arise from the smallest oversights.
One of the highest profile hacks in the UK was as a result of website vulnerabilities being exploited. In 2015 the telecommunications company TalkTalk was subject to a cyber-attack which exploited vulnerabilities in three webpages.
Exploiting these vulnerabilities gave the attackers access to a database holding customers' personal data, including names, addresses, dates of birth, phone numbers, email addresses and financial information. The subsequent investigation found that TalkTalk had failed to remove, or otherwise secure, the webpages that enabled the attackers to reach the database.
The attack was an SQL injection attack, a common type of cyber-attack that was well understood, with known measures that could have prevented it. The consequences were significant: TalkTalk estimated that the attack cost £77 million in direct and indirect costs, and the Information Commissioner's Office fined the company £400,000.
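As an added illustration (not code from the original article or from any TalkTalk system), the constructed Python example below shows the root cause of SQL injection, user input pasted into the SQL text, next to the parameterised query that is the well-known preventive measure. A customer name containing an apostrophe is enough to show that the unsafe version treats input as SQL syntax while the safe version treats it purely as data.

```python
import sqlite3

# Constructed sample records, not real customer data.
CUSTOMERS = [
    ("alice@example.com", "Alice Smith", "01234 567890"),
    ("obrien@example.com", "Pat O'Brien", "01234 111222"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the input becomes part of the SQL statement itself,
    so quotes and keywords inside it are parsed by the database engine."""
    sql = "SELECT email FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Parameterised query: the driver passes the input as a bound value,
    so it can never change the structure of the statement."""
    sql = "SELECT email FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo(name="Pat O'Brien"):
    """Run both lookups on the same input and report what each one does."""
    conn = make_db()
    results = {"safe": lookup_safe(conn, name)}
    try:
        results["unsafe"] = lookup_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        # The apostrophe in the name terminated the string literal early and
        # the remainder was parsed as SQL: the same mechanism an attacker abuses.
        results["unsafe"] = f"error: {exc}"
    return results


if __name__ == "__main__":
    print(demo())
```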
Although this example relates to a large organisation and dates back a few years, it remains a good illustration of poor website security being exploited. Since then there have been countless incidents in which websites have been compromised, including diverting web traffic to a fraudulent site or defacing the site, so it is important to ensure that your business is not leaving itself vulnerable.
We will now focus on common security risks and highlight some of the straightforward solutions to enhance your website's safety.
1. Many websites use weak passwords or share one password across multiple accounts. Cybercriminals can easily crack them, giving them potential access to sensitive information or even control over your website. The WCRC regularly promotes the use of strong and unique passwords, and this applies to each account related to your website. The National Cyber Security Centre (NCSC) suggests using three random words to generate strong passwords. Consider using a password manager to help create and securely store complex passwords. It is also important to limit who has access to the back end of your website to only trusted individuals.
2. Websites are often built on platforms like WordPress, Joomla, or other content management systems (CMS). If these systems aren’t regularly updated, they can have security holes that cybercriminals exploit. By setting up automatic updates for your website’s CMS and plugins or regularly checking for updates you can ensure you have the latest security patches to close off vulnerabilities.
3. If your website requires users to enter information (like their names or contact details), this data can be intercepted by cybercriminals if it’s not securely transmitted. It is important to use HTTPS rather than HTTP. HTTPS encrypts data between your website and your users, making it harder for hackers to steal it. Many hosting providers offer free HTTPS certificates.
4. If your website is compromised by cybercriminals, you could lose important data or even the entire site. Without a backup, recovery can be time consuming and costly, so it is important to regularly back up your website data. Many hosting services provide automatic backups, or you can set up a schedule to back up files and data weekly.
5. Plugins can add functionality to your website, but poorly designed or outdated plugins are a favourite entry point for cybercriminals. It is recommended that you only use trusted plugins from reputable sources and keep them updated, and to delete any you’re not using, as they can still pose a risk.
6. Cybercriminals often use automated bots (software applications that run repetitive tasks without manual effort) to find weaknesses in websites. Without a web application firewall (WAF), your site is exposed to common cyber-attacks which can allow hackers to gain access to your website data. A WAF lets you monitor and filter malicious traffic before it reaches your website, and many web hosting providers offer one as an additional service or built-in feature. However, organisations should not rely on a WAF alone, as it can still be bypassed or accidentally turned off.
By following these simple steps, you can significantly improve the security of your website and reduce the risk of falling victim to cybercriminals, protecting both your business and your customers. If you rely on a third party to manage your website, this information arms you to ask the right questions and confirm that your website's security is being properly managed.
If you want more detailed technical information about the common threats seen in web applications, have a look at the OWASP Top Ten, which is the framework that our Cyber PATH team uses to carry out vulnerability testing of web applications.
The WCRC can also help you with website vulnerability assessments and a great starting point for improving your cyber protection is by considering our First Step Web Assessment service.