Small businesses operate on a high wire, with one mistake potentially sending them into a spiral. For that reason, online security is a major challenge. Small business websites are an easy target. Most business owners have little security expertise, operate on tight budgets, and lack the financial ability to implement sophisticated protection used by large corporations.
According to GoDaddy cybersecurity research, 67 percent of U.S. very small businesses (between one and five employees) spend between $1 and $500 per year on website security. And keeping up on website vulnerabilities is a challenge: Only 30 percent of operators surveyed by GoDaddy reported that they regularly check for vulnerabilities, while 40 percent said they rarely if ever check.
When it comes to malware attack victims, 58 percent are small businesses. One of the fastest-growing attacks is ransomware, in which criminals hold electronic data hostage until a payment is made.
One in 5 small- to medium-sized businesses faced a ransomware threat in the last year, costing operators hundreds of millions of dollars. When entrepreneurs contact law enforcement, typically the advice is: Pay it.
This is the website security paradox: Most small business operators have limited security knowledge and minimal budgets, which leaves them open to attack. But those attacks often cause financial losses.
According to GoDaddy research of more than 1,000 very small businesses, nearly half reported suffering a financial loss due to hacking, with one in eight saying the loss was greater than $5,000. And it’s not just money.
Damage to reputation
There is also the reputational damage. Three in 10 small businesses that suffered a cyber breach reported they had to inform customers and clients, which can jeopardize relationships.
A compromised website can also place a small business in the online penalty box: Blocklisted by search engines or internet security companies. If that occurs, website traffic plummets as would-be customers no longer see the site in search results.
It’s the double whammy of website security: First the hacker steals, then a small business can’t make money because their website is invisible to customers.
This is where the paradox grows even deeper. Getting flagged and blocklisted for having malware effectively shuts down a small business’s website; not getting flagged when a website has malware leads to greater vulnerability to hackers.
GoDaddy found that in 90 percent of cases, an infected website was not flagged for malware and blocklisted. That means the small business operator could be continually targeted by a hacker without their knowledge.
With that in mind, GoDaddy offers up this small business website security report based on our own research of both our customers and other small business experiences. We have rich data — thanks in part to our acquisition of Sucuri Security, the leader in providing detection and protection services to websites as well as helping them recover after an attack.
Forensic analysis of compromised websites
An analysis of thousands of website requests reveals sobering data about how easily an attack can occur when website operators let their guard down. For example, of the 65,477 global requests for assistance with a compromised site over the last year, half involved outdated software on the most commonly used platform and tools — WordPress and its content management system (CMS).
Once a site is infected, hackers attack multiple parts and files of the website. On average, the GoDaddy security team cleaned up 110 compromised files per hack, but in some cases it was as many as 35,057 compromised files.
Once infiltrated, hackers regularly create backdoors so they can secretly re-enter a platform even after a file cleanup. These backdoors might be hidden files already on the site or uploads in a busy file directory. Through these backdoors, a sophisticated hacker can effectively gain control over an entire website.
But backdoors are not the only serious threat. Search engine optimization (SEO) spam chases away customers and increases the risk of blocklisting. As the chart above shows, it’s a favorite among hackers because they use it to redirect website visitors to malicious sites. Through this manipulation, a hacker uses a small business website as a portal to the “dark web.”
Cyber experts look for malware origins and signatures to understand the threat. In the last year the most common signature in cleanup requests was rex.multi_var.004.
The customer pointed out that some of the files had been active since 2013. Other forum participants urged him to scan and remove the files.
A key reason is that malware can distort search engine results; Google, Bing and others often blocklist compromised small business websites. According to the GoDaddy research, 10 percent of websites cleaned up were blocklisted.
To break that number down, of the 65,477 infected websites GoDaddy analyzed, 6,500 were blocklisted — meaning 6,500 small businesses became invisible to search engines. However, there was a wide variation among search engines and security companies on flagging for the blocklist.
Note: In some cases multiple companies blocklisted a website, which is why the percentages are greater than 100 percent.
Getting off the blocklist
While getting blocklisted alerts a small business to a security threat, it’s the last place a small business operator wants to end up in the long term. Search engines such as Google scan vast numbers of domains for malware, SEO spam and phishing scams. If a site is deemed suspicious, the resulting blocklisting can damage a business by making it invisible to online customers. As has been said:
“If Google blocklists an infected website, you’re basically off the internet until the website is fixed.” – Peter Jensen
That can cost a small business operator thousands of dollars — but what triggers a blocklisting is not always a black-and-white issue. Each search engine or security company has its own criteria. For example, research of GoDaddy customers found that Norton and SiteAdvisor had three times the number of reported blocklisted sites.
To get off the so-called blocklist, a small business will likely spend money on security experts or tools to clean up the infected sites. Once malware and other malicious software are removed, a website operator must ensure hackers can’t immediately re-enter through a backdoor or compromised passwords.
It’s then up to the search engine to give the website a clean bill of cyber health, which can take multiple days — costing the small business potential lost customers, sales and reputation.
Beating the odds by knowing what you’re up against
GoDaddy research found that nearly half of small businesses surveyed in the United States reported a cyberattack, with malware/computer virus and phishing the most common. The attack can target any aspect of a business.
One in three small business owners surveyed report their website was a target, although often a hacker will attack multiple vulnerabilities. The impact is profound: Security magazine reports that 60 percent of hacked small businesses go out of business within six months. That is because thousands of dollars in losses can make or break a very small business.
According to the GoDaddy survey of small businesses, 1 in 8 reported losses of greater than $5,000 from a hack.
A key aspect is a small business’s approach to security. Only half of businesses surveyed use a monitoring service, with most relying on an effective password strategy.
The challenge with that approach is that hackers often rely on other tricks to compromise a website. And in attacks such as phishing, it might be hard to know that a password is compromised until the hacker is in the platform and installing a backdoor for future mischief.
Not surprisingly, small business operators’ primary concern after a hack is that banking and other financial information is compromised.
Yet, less than half of small business operators report that they update or change bank and financial information after a hack. According to GoDaddy research of very small businesses, 48 percent report changing their financial information. A much larger share (81 percent) said they reset their passwords.
That brings it back to the small business website security paradox. Small business operators understand the risks, but don’t have the expertise or money to fully protect themselves. According to the research, 1 in 5 very small business operators don’t spend any money on website protection. Four percent spend more than $1,000.
Likewise, only three in 10 report checking their website for vulnerabilities on at least a weekly basis. Given the demands of small business operators, it’s understandable that security can be an afterthought, but it reinforces why monitoring and detection services can save a small business from a catastrophic attack.
‘Barking Dog / Sleeping Cat’ approach to protecting a website
Cybersecurity is not about preventing a risk. That isn’t yet possible. It’s about reducing the risk. It’s understandable that very small business operators are pulled in so many directions that it’s hard to make website security a priority. But taking even modest steps can make a difference.
It’s as simple as a home burglar eyeing two potential houses to rob. In one, there is a barking dog. In the other, a sleeping cat. The choice is obvious.
GoDaddy Website Security offers detection and recovery services that can identify risks, mitigate attacks, and help small business operators recover quickly.
Whatever tools a small business operator uses, it’s important to stay on top of cybersecurity. An online small business is the culmination of a dream. Research shows it liberates owners to work how they want, where they want, when they want. It is heartbreaking when a hacker gets to damage a dream.
While cybersecurity will long be a game of cat and mouse, there is progress in blunting hackers. New approaches to cybersecurity are being introduced, including making cyber tools as easy to acquire as downloading a song on iTunes.
Together, entrepreneurs, domain providers, developers and cyber experts can take back the internet from hackers, one small business at a time.
About the data in this security report
GoDaddy’s Security team analyzed 65,477 global requests from small business customers to clean up infected websites from May 2017 through March 2018. GoDaddy intends to regularly report data in hopes of giving small business operators and security experts insights into how to improve security.
GoDaddy commissioned the research firm Morar to survey 1,012 U.S. very small business operators to understand their activities and perspectives on security. The research, conducted between May 24, 2018, and May 30, 2018, surveyed businesses of five or fewer employees. This research is available upon request.
GoDaddy welcomes feedback and suggestions for future research. Please contact Nick Fuller (firstname.lastname@example.org) with any updates, questions or suggestions.
Editor’s note: We wanted to recognize the great work done on this research by the Sucuri Labs team for their research, specifically Tiago (Data Scientist) and Fio (Leader Malware Researcher). Great job, team.