Clutch surveyed 302 website managers to analyze their current website security practices. We found that although most express confidence in their current security protocols, significant, widespread vulnerabilities persist.
Most website managers want the same thing: A beautifully designed, reliable website. Whether you’re building a new website or updating an existing website, this goal is as worthy as it is universal.
But is your website safe?
To help you better navigate security issues, we surveyed 302 website managers to learn about their perceptions of website security, past experience with security breaches, and the steps (or lack of steps) they take to keep their websites safe.
- Email phishing is the most common attack, affecting 30% of websites.
- 80% of website managers are confident in their current level of security.
- However, up to 63% admit that they do not currently use common security features.
- Although 54% believe that they haven’t experienced security liabilities, experts warn that many sophisticated attacks go undetected.
- Despite gaps in security, up to a quarter of website managers report that they do not plan to add security features, leaving websites exposed to vulnerabilities.
Although website managers seem to trust their site’s security, a report by Symantec found that cyber attacks on small businesses are occurring more frequently.
This increase in attacks is alarming, but you can take action to protect your website and your reputation by better understanding:
- The key security threats to watch out for
- How to think like a hacker in order to proactively spot—and eliminate—vulnerabilities
- Actions you can take to protect your business, employees, and clients
Email Phishing Most Common Security Risk
Everyone—from everyday website users, to small businesses, to large corporations—is vulnerable to phishing attacks. (Phishing is the practice of sending an authentic-looking email that convinces someone to share personal information or that infects a computer with a virus.)
Consider the story of Reuben Kats. When Kats received an email with a FedEx tracking number in the subject line, he didn’t think twice before clicking the attachment.
Kats works for a small company that builds websites on extremely short deadlines, helping companies drive leads by getting them listed with Google. During the holiday season, his email was flooded with information about orders related to the ecommerce websites they were building.
Nothing about the FedEx email seemed out of the ordinary.
But as soon as Kats opened the email, his computer was compromised. Within an instant, his hard drive was completely corrupted.
A second look at the email revealed that the sending address, which had appeared to come from FedEx, belonged to a copycat masquerading as the company.
Our data shows that Kats is not alone when it comes to experiencing a phishing attack. Nearly one-third (30%) of website managers reported that they also have been subject to the kind of email phishing that Kats experienced.
Nick Damoulakis is president of Orases, a full-service digital technology agency based in Maryland. He has seen clients experience phishing attempts in which third-party hackers inject scripts into a website, allowing them to send email from the company’s domain. Others simply create new email addresses so subtly different that they appear to come from within the company.
“One of our clients experienced a phishing attempt consisting of an email seemingly from the president to the HR department, asking for everyone’s W-2,” said Damoulakis. The difference between the president’s authentic email address and the phony one could have been as simple as a missing letter or a hyphen. HR gave up all 900 employees’ information to the phisher.
“It’s a scary issue, but it’s starting to happen, and it’s very sophisticated,” said Damoulakis.
Although Kats noticed that his computer was compromised almost instantly, some security breaches are less noticeable, building over time. This helps to explain why 54% of website managers reported that they have yet to experience a security liability, according to Kevin Ng, a web developer and partner at Wildebeest, a product studio for brands that creates custom software for the Web, mobile, and IoT.
“Many people won’t know that they’ve been hacked or that there was a security breach. A lot of this equates only to collecting data which is then sold,” Ng said. “The best attack is one you don’t know about.”
He suspects the number of companies that have experienced breaches is likely much higher, but companies just don’t know that breaches have happened.
Security Threats Exist (Even if You Think Your Site is Secure)
Security may not be the main priority, since many people believe their website is secure.
Website managers expressed confidence in their current levels of security, with 80% agreeing with the statement “My website is secure.” When the question was phrased emotionally (“I feel comfortable with the level of security on my site”), the results were nearly identical, with 82% of website managers reporting that they feel comfortable with their current level of security.
As experts warn, the prevalence of quiet, nearly undetectable security breaches suggests that this confidence may be misplaced—a problem that can be traced back to the earliest stages of website creation.
“I don’t think we’ve ever had a client say that they needed an extremely secure site that also sells a product,” said Ran Craycraft, a managing partner at Wildebeest. “The first priority is always to have a beautiful site that works well and does a particular function.”
No matter how unlikely a security breach might seem, committing to simple, proactive steps now can increase the likelihood of blocking an attack before one occurs.
Beyond the immediate threats to your business’s operations, threats to your reputation can be even more difficult to recover from—even if you don’t think your website contains any information worth stealing.
Alex Asianov founded DOOR3, a user experience and software company. He points out that your business might not be the ultimate target of an attack.
“Someone may think that they’re not vulnerable because they run a construction company, and there’s no interest for their information, but that construction company may be building for the Defense Department, and people do care about that,” said Asianov.
When one of these attacks occurs, it could take days or weeks for clients to trace the problem back to your website. The effects on your reputation could be damaging.
“No one in the world is hackproof, but making some initial steps in terms of cyber-security shows that the company is taking the subject seriously,” said Asianov.
He points out that even if a hack occurs, having internal processes in place can mitigate reputational damage.
Should an attack on one of your clients reveal that your security protocols allowed a vulnerability that put your client at risk, it will be much more challenging to earn back trust.
For the 48% who have a personal website, reputational threats are just as serious. Hackers might spy on correspondence, steal sensitive information, or even send fraudulent emails or malware that appear to come from your account.
How Hackers Gain Your Trust
Even if you have some security measures in place and are savvy about your Internet use, hackers are becoming increasingly sophisticated, and patient, in their attempts to gain access.
Today, it’s not uncommon for hackers to plant viruses that spend weeks or months collecting data. DOOR3’s Asianov explained how this works:
“It can be as simple as watching emails between the CEO of a company and the financial controller. The hacker may find out that the CEO is going on vacation. Therefore, the controller will get email authorizations for wire transfers. Once the opportunity is presented, the hackers will fake an email that looks a lot like the CEO’s while they’re on vacation.
“To gain trust, hackers might even reference aspects of the CEO’s real vacation, such as saying ‘Bermuda is great!’ to convince the controller that she is communicating with the CEO. After that, the hackers will ask the controller to wire $90,000 to a supposed vendor.
“The controller may not notice that the CEO’s email domain is different by one letter, and it can lead to a devastating final attack.”
Password Protection Not Enough to Guard Against Security Breaches
When we asked what protections web builder users currently have in place for their sites, 98% of website managers reported taking some action, with password protection being the most common (74%).
However, a surprising number of website managers admitted that they do not currently take advantage of common tools. For example, 61% do not currently use two-factor authentication, while 49% admit that they do not back up their data frequently.
Another key finding this data reveals is that only 50% of website managers update their applications and software when prompted, which should be done regularly as an absolute minimum of protection, according to Ng. “The important thing is maintaining that on a consistent basis,” he said.
Among those who reported feeling “confident” or “very confident” that their website is secure, the number who regularly implement updates is not significantly higher. This means that despite widespread confidence in current security measures, there’s no guarantee that most websites have the security features in place to back those feelings up.
Steps You Can Take to Protect Yourself & Business
It takes commitment to proactively address risks. According to Damoulakis, many of his clients seek help building a new website only after their original site becomes unreliable or suffers a hack.
“Many of our clients’ expectations weren’t set up from the beginning in terms of the maintenance of those sites,” he said.
Our data supports this observation. Despite the fact that only 50% of website managers update their applications and software when prompted, only 18% plan to do so in the future.
Similarly, although 61% admitted that they do not currently use two-factor authentication, only 26% plan to implement it within the next year.
These and other gaps create opportunities for hackers and phishers to exploit your business.
When thinking through how to address security moving forward, it’s helpful to think of steps in two categories: tools that help reduce vulnerabilities and behaviors that encourage vigilance.
Tools for Increasing Website Security
It can be overwhelming to think about the possibility of a security breach, but there are numerous tools that can automate aspects of website security.
We introduce four simple tools and explain how you can use them to begin making your website more secure.
1. Set Up Two-Factor Authentication
Two-factor authentication (also known as two-step verification) allows you to create an additional layer of security that goes beyond simple password protection by linking your account to a specific device that can be used to corroborate your identity.
For example, even if a hacker manages to guess your username and password, two-factor authentication would require a code sent only to your device before it would be possible to log on to your account.
Two-factor authentication is increasingly common on social media platforms, and it’s a built-in feature on many cloud storage providers.
If you have an email account through Google, Gmail offers both two-factor authentication and an additional tool called “Security Checkup” that helps you review your Google accounts.
The service walks you through the settings to review in order to keep your account secure, including:
- Recovery information, like your phone number and email
- All of the devices connected to your account
- Account permissions
- Two-factor authentication settings
Damoulakis encourages his clients to use Security Checkup as part of a regular audit of their web presence.
One particularly powerful feature is Security Checkup’s ability to reveal all devices that are currently able to access your account.
By looking at a log of IP addresses, you’ll quickly notice recurring sign-ons from your devices such as a laptop, tablet, or mobile device, and be able to spot unfamiliar devices should someone try to hack into your account.
“[Security Checkup] is one of the best tools I’ve found so far, but most people don’t know about it,” said Damoulakis.
If you notice anything that seems amiss, Security Checkup arms you with the information to investigate and shut down unwanted access if necessary.
2. Make Sure Security Plug-ins Are Up to Date
If you use plugins, it’s important to research your options carefully. (A plugin is software that adds additional features or functions to your website.)
The key to choosing a strong plugin is to look for how many active users have implemented it. Too few users means that the plugin likely hasn’t been thoroughly vetted, while plugins that have become ubiquitous may present a tempting target for hackers.
“Hackers don’t want to go after the 15 people using a plugin, they want to go after the big dogs,” said Craycraft. “There’s a risk that we take.”
Although nothing on the internet can be truly hackproof, Craycraft recommends looking for plugins created by developers who actively engage in forums and demonstrate their commitment to continuously improving their security features as hackers evolve.
To safeguard against attacks, major platforms such as WordPress also periodically intervene, freezing problematic plugins to prevent users from downloading risky software.
3. Secure Sockets Layer (SSL)
Implement a Secure Sockets Layer (SSL), which creates an encrypted link between your server and website visitors, to prevent a hacker or third party from intercepting your traffic and serving other information to their browsers.
Tip: You can tell whether a site you visit uses SSL based on its URL. Secured sites will show up as “HTTPS” rather than “HTTP.”
Beyond providing basic security, Google rewards sites that have implemented SSL in their search results. If your website uses a web builder such as Squarespace or Wix, SSL may be automatically implemented. If you have an existing website that doesn’t have SSL built in, it may be worthwhile to engage a developer who can handle the technical aspects of the installation.
4. Password Managers
If you’re a typical Internet user, your passwords probably involve the name of a pet, loved one, or important date—something that is both easy to remember and easy for hackers to guess.
Experts recommend random, unique passwords for each of your accounts, preventing hackers from using easily identifiable passwords that could allow them to infiltrate multiple accounts.
This creates a common pain point: It’s difficult to remember complex passwords, and most people have accumulated dozens—or even hundreds—of accounts.
When it comes to using complex passwords, Ng suggests that individuals and companies implement mandatory use of password managers, which encrypt your passwords and allow you to access all of your accounts through a single password that unlocks the manager itself.
Using a password manager is a simple way to store your passwords securely until you need them. These tools allow you to set long, complex passwords that will help keep all of your sites safe.
Password managers are subscription-based, costing anywhere from $12 to $36 annually depending on your operating system and needs. It’s a relatively small price to pay for peace of mind that comes with security and the luxury of never having to deal with the frustration of remembering dozens of passwords again.
Proactive Behaviors for Increasing Website Security
As hackers become increasingly sophisticated, developing good security habits online will only become more critical.
“Not [developing good security habits] is negligent, and it’s only a matter of time before the company is called negligent,” said Asianov. “It’s key to make that a part of the budget, considerations and processes for digital.”
No matter how confident you are in your existing security protocols, the following five precautionary measures can only help your business thrive.
1. Conduct Regular Security Audits
One strong strategy is to conduct regular security audits. The components of your audit may vary depending on the nature of your business.
Some key steps to take include:
- Checking what devices have logged on to your Google account using Security Checkup
- Reviewing the accounts linked to your social media profiles and deleting old or outdated linked accounts
- Closing down unused accounts or credit cards
- Revoking former employees’ access to company accounts
- Making sure all operating systems, software, and plugins are up to date
2. Educate Employees About Potential Security Threats
Damoulakis of full-service digital technology agency Orases recommends that companies regularly host internal training sessions for employees.
These sessions may focus on how to spot fraudulent email addresses before disaster strikes or how to perform security checks on work computers.
3. Update Your Software Regularly
Put an office-wide recurring meeting on the calendar to check for system and software updates, and get in the habit of clicking “yes” when your computer prompts you to install an operating system update. The same goes for all plugins, software, and mobile devices.
Taking five minutes to grab a fresh cup of coffee or take a walk while you download updates and restart your computer is well worth the opportunity to avoid a hack.
If you work with a team, you could even schedule a screen-free, all-staff brainstorm or bonding activity to help build in time for your employees to update their devices.
4. Improve Login Security
In addition to monitoring for phishing attempts, the design of your website can impact its security.
A key question to ask: How do you sign into the back end of your website?
If you use a splash page (a simple landing page with fields for your login information), your website may be at higher risk.
“One important thing, which we recommend for every site, is making sure that the admin area isn’t predictable,” said Ng. “If someone doesn’t know where the admin area is, then they will have to find that out, along with usernames and passwords, which is unlikely. If someone does know, and uses the username ‘admin,’ all they have to do is guess the password.”
By creating an unlikely login page, you’ll make it more difficult for hackers to locate the door to your website’s back end—let alone walk in.
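As an added example (not code from the article or from Wildebeest), here is a control that complements the unpredictable admin path Ng describes: a login throttle that records every attempt and locks an account after a handful of wrong passwords, so that guessing against a known username such as “admin” is cut off after a few tries. The policy constants, the credential store, the addresses and the clock values are all constructed for the example.

```python
import time
from collections import defaultdict, deque

# Policy constants, assumed for this example: lock an account after
# MAX_FAILURES wrong passwords within WINDOW_SECONDS, for LOCKOUT_SECONDS.
MAX_FAILURES = 5
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900


class LoginThrottle:
    """Counts failed logins per account and refuses further attempts once the
    threshold is reached, so password guessing against a known username stops
    after a few tries. Every attempt is recorded for later audit."""

    def __init__(self, check_password, clock=time.time):
        self._check_password = check_password  # callable(user, password) -> bool
        self._clock = clock                    # injectable so a test controls time
        self._failures = defaultdict(deque)    # user -> timestamps of failures
        self._locked_until = {}                # user -> time the lock expires
        self.audit_log = []                    # (time, user, source_ip, outcome)

    def _record(self, now, user, source_ip, outcome):
        self.audit_log.append((now, user, source_ip, outcome))
        return outcome

    def attempt(self, user, password, source_ip):
        now = self._clock()
        if self._locked_until.get(user, 0) > now:
            return self._record(now, user, source_ip, "locked")
        window = self._failures[user]
        while window and now - window[0] > WINDOW_SECONDS:  # slide the window
            window.popleft()
        if self._check_password(user, password):
            window.clear()
            return self._record(now, user, source_ip, "success")
        window.append(now)
        if len(window) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            window.clear()
            return self._record(now, user, source_ip, "lockout")
        return self._record(now, user, source_ip, "failure")

    def refused_from(self, source_ip):
        """Refused attempts from one address: the kind of signal a regular review
        of the sign-in log should surface."""
        return sum(1 for _, _, ip, outcome in self.audit_log
                   if ip == source_ip and outcome != "success")


# Constructed credential store; a real site compares against a salted hash.
DEMO_USERS = {"admin": "correct-horse-battery-staple"}


def demo_check(user, password):
    return DEMO_USERS.get(user) == password


def run_guessing_demo(clock_values=(0, 1, 2, 3, 4, 5, 6, 1000)):
    """Replays a constructed run: six wrong passwords one second apart from one
    address, the right password while the account is still locked, then the
    right password from a second address after the lockout has expired."""
    ticks = iter(clock_values)
    throttle = LoginThrottle(demo_check, clock=lambda: next(ticks))
    outcomes = [throttle.attempt("admin", f"guess{i}", "203.0.113.7") for i in range(6)]
    outcomes.append(throttle.attempt("admin", DEMO_USERS["admin"], "203.0.113.7"))
    outcomes.append(throttle.attempt("admin", DEMO_USERS["admin"], "198.51.100.2"))
    return outcomes, throttle
```

Note that the correct password is refused while the lock is in force, which is the point: the lock protects the account even if a guess eventually lands.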
5. Batten Down Your Input Fields
Finally, input fields (such as boxes for visitors to leave comments) can create vulnerabilities.
In some cases, hackers are able to inject harmful code via input fields, allowing them to access private information, such as your customers’ credit card numbers, or to delete a database, wiping pages of your site clean.
If you’ve recently been asked to identify objects or type in a distorted series of letters and characters before entering information, you’ve seen input field security in action. These measures (known as Completely Automated Public Turing test to tell Computers and Humans Apart, or CAPTCHA) help distinguish authentic human users from bots that may be waging an attack against a website.
Similarly, form validation (code that prevents your website from accepting harmful scripts) can help guard against this issue.
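As an added example (not code from the article or from any of the agencies quoted), here is the input-field weakness described above beside its hardened form, in Python with SQLite: a comment lookup that splices the visitor’s value into the SQL text, the same lookup with the value bound as a parameter, a validator that accepts only author names of the expected shape, and HTML escaping so a stored comment containing a script tag is displayed as text rather than run in other visitors’ browsers. The table, the rows and the crafted value are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed sample data: a comments table that also holds a private column
# (the commenter's email) which a crafted lookup must not expose.
SAMPLE_ROWS = [
    ("alice", "Great product!", "alice@example.com"),
    ("bob", "Shipping was slow.", "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT, email TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def comments_by_author_vulnerable(conn, author):
    """Builds the query by string concatenation, so whatever the visitor typed
    becomes part of the SQL and can change what the statement does."""
    sql = ("SELECT author, body, email FROM comments WHERE author = '"
           + author + "'")
    return conn.execute(sql).fetchall()


def comments_by_author_safe(conn, author):
    """Binds the value as a parameter: the database treats it purely as data,
    whatever quote characters or keywords it contains."""
    sql = "SELECT author, body, email FROM comments WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


AUTHOR_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def validate_author(author):
    """Form validation: accept only values with the expected shape and return
    None otherwise, so the form handler rejects the submission up front."""
    return author if AUTHOR_RE.fullmatch(author) else None


def render_comment(body):
    """Escape stored text before placing it in HTML, so a comment that contains
    a script tag is shown as literal text instead of running in a browser."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def demo():
    """Runs both lookups with a constructed value that closes the quoted string
    and appends an always-true condition, and returns what each path yields."""
    db = make_db()
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_rows": len(comments_by_author_vulnerable(db, crafted)),
        "safe_rows": len(comments_by_author_safe(db, crafted)),
        "validated": validate_author(crafted),
        "rendered": render_comment("<script>alert(1)</script>"),
    }
```

The vulnerable lookup returns every row, including the private email column, while the parameterised lookup returns none and the validator rejects the value before it reaches the database at all.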
There’s No Downside to Improved Security
Whether you use a DIY web builder, an advanced content management system, or a custom site, improving your website’s security can only help your business.
Though common security features such as password protection, two-factor authentication, and updating software regularly might be familiar, they are still underused.
Taking simple steps before disaster strikes is key to protecting your operations and reputation. Fortunately for Kats, his company had backed up all of his work using FileZilla. Had Kats not had access to backed-up copies of his projects, the malware that rendered his computer inoperable could have left him immobilized—or even necessitated starting over from scratch.
These days, he makes an effort to look carefully at email addresses before opening any attachments.
“I’ve found that it’s always beneficial to look past the problem, and focus on the solution,” said Kats.
When it comes to online security, the best solution is to be proactive. In capturing the current state of website security, Clutch has three main takeaways.
First, although many website managers are familiar with common security protocols, those that lack password protection, two-factor authentication, regularly updated software, and others are exposed to significant vulnerabilities.
Second, no website is too small a target for hackers. Attacks are frequently designed to use your website as a stepping stone to steal information on your clients or contacts.
Third, Clutch’s experts recommend simple, inexpensive security tools to prevent attacks before they occur.
Additionally, experts recommend common sense habits to help you become adept at maintaining your website security.
Fortunately, you can achieve improved security with very little time and effort—and reap big rewards by preventing a disaster before it strikes.
Download Clutch’s free website security checklist to get started.
About the Survey
Clutch surveyed 302 website managers responsible for building, maintaining, or building and maintaining a website for personal, business, or other (e.g., nonprofit, event) use. 47% of website managers were responsible for building their website; 24% were responsible for maintaining their website; and 28% were responsible for both building and maintaining their website.
All website managers were based in the United States.
48% have a personal website, such as a blog or portfolio. 34% are responsible for a business website, with the remaining 18% split between using their website for events or nonprofit and community work.
DIY web builders (38%) were the most popular website option among website managers. Additionally, 35% use advanced content management systems such as WordPress; 20% use a custom website; and 8% did not know what type of website they used.
About the Author
Michelle Delgado is a marketer and content developer at Clutch, a B2B research firm in the heart of Washington, DC. Connect with her on LinkedIn, or feel free to reach out with any questions, comments, or concerns at [email protected] or (202) 869-3866.