In today's world, it is almost impossible to imagine a business without an Internet presence: a website, email, employee training, CRM (customer relationship management), CMS (content management system). E-commerce, new customer search, record search and retention, and so on simplify and speed up the ordering process.
Some businesses use off-the-shelf solutions, some hire professionals to build company-specific tools, and some choose to develop the software needed for their daily tasks on their own. Nowadays, everyone has their own website and e-mail, registers their customers in a database, and managers can follow the day-to-day activities of the company. Unfortunately, the overwhelming majority of businesses completely ignore the fact that every server, every website, and every email address is a potential target for hackers. The thought "our business is too small, who would care about our data?" is one of the many mistakes that make the modern Internet increasingly vulnerable. Digital criminals, however, don't think too much about whom to attack.
The second popular excuse many businesses use for ignoring web vulnerabilities is this: web security is a very expensive service!
Let's take a look at examples of how a hacker attack can happen and what impact it can have on your business. In addition, we will talk about what actions you should take to prevent an attack, or at least to minimize your exposure to it, including its legal consequences (yes, along with data loss, a hacker attack may cause legal problems for you and your business under the provisions of the GDPR).
Example 1:
Company A had created a "business card" website with information about the company and a feedback form. They developed this site on their own, without the involvement of any web designer. However, the site's code contained a data validation error. The site sends a confirmation to the entered e-mail address with the following message: "Mr. / Lady. X, thank you for your message 'quoted text here'". The hackers used this message format to send links to sites with malicious content, entering addresses from spam lists as the sender address. The domain was blocked as a spammer, and it took several days for the domain to be unlocked and removed from the spam lists of major mail servers.
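The flaw in Example 1, sketched next to a hardened form handler. This is an added example, not Company A's code; the function names, sender address, reference number and sample submission are all constructed for illustration.

```python
import re
from email.message import EmailMessage

SENDER = "noreply@company-a.example"  # constructed placeholder, not from the article
# Conservative check: exactly one address, no whitespace or control characters.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def confirmation_vulnerable(name: str, address: str, text: str) -> EmailMessage:
    """Flawed pattern from Example 1: form text is quoted back to the entered address."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = address
    msg["Subject"] = "Thank you for your message"
    msg.set_content(f"Mr. / Lady. {name}, thank you for your message '{text}'")
    return msg


def confirmation_hardened(address: str, ticket_id: int) -> EmailMessage:
    """Fixed template: nothing typed into the form reaches the outgoing mail."""
    if not ADDRESS_RE.fullmatch(address):
        raise ValueError("recipient address rejected")
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = address
    msg["Subject"] = "We received your message"
    msg.set_content(f"Thank you for contacting us. Your reference number is {ticket_id}.")
    return msg


# Constructed form submission, for illustration only.
SAMPLE = {
    "name": "X",
    "address": "someone@mail.example",
    "text": "Special offer: http://malicious.example/offer",
}

if __name__ == "__main__":
    print(confirmation_vulnerable(**SAMPLE).get_content())
    print(confirmation_hardened(SAMPLE["address"], ticket_id=1042).get_content())
```

The hardened handler still mails whatever address is entered, so rate limiting on the form remains worthwhile; what it removes is the ability to put chosen content into mail sent from the company's domain.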
Example 2:
Company B ordered a website from a professional web design team, rented a server from an ISP, and the site was set up. Licensed software was installed to transfer the data. Then a complaint was received about an inconsistent scan from that company's server IP address. Company B's website was immediately blocked. After a penetration test was performed, it was discovered that the ISP was unable to change the standard username and password (admin / admin). Of course, in the meantime, the attackers had managed to easily infiltrate the server and use Company B's software for illegal activities.
Example 3:
Company C had developed an ordering system for customers to upload data. A technical error was made when creating an access point, which allowed hackers to steal all data from all their clients using SQL injection. As a result, Company C's system was deactivated for a week, and financial losses amounted to tens of thousands of dollars.
These are just a few simple examples. There are many more attack options. As you can see from these examples, preventing a hacker attack on these companies would have cost much less than dealing with the consequences of being hacked.
To avoid such unpleasant situations and to find out what to do, ask our experts. Keep in mind that, unfortunately, invincible systems don't exist. Penetration testing is a necessity, not a luxury.