A German study undertaken this year analyzes the websites of over 5,000 German companies to investigate the level of web security in the German industry (see original German study). It discovered that 7.5 % of companies demonstrate at least one critical security flaw. A further 30 % use software components with security vulnerabilities. A study by the German digital association bitkom revealed that 75 % of German companies were affected by cyber attacks in the last two years. Compared to the years 2016/2017, the number of attacks has increased by 22 %. The total damage incurred by security breaches amounts to 102.9 billion euros annually, an amount which has almost doubled over the last three years (55 billion euros in 2016/2017).
It is imperative for online shop operators to ensure the security of their website, in order to reduce the risk of damaging attacks to a minimum.
Visitors to website shops are placing increasing importance on data protection when ordering goods online. It is not possible to build user trust without implementing security measures.
A German survey undertaken about the security of personal data on the internet in 2019 shows that the majority of internet users (72 %) have doubts about the adequate protection of their personal data on the internet, with estimates ranging from rather unsafe to completely unsafe. The graph below demonstrates a slight improvement of data security, as the proportion of unprotected data has decreased over the last years.
The European Union’s General Data Protection Regulation (GDPR) has increased data security, leading to more active consumer behaviour in the digital world. In a survey conducted by the German Institute for Confidence and Security on the Internet (DIVSI) in 2018, 20 % of participants were of the opinion that the GDPR improves the protection of personal data. But how can the reservations of the remaining 80 % regarding data protection and website security be alleviated? Strengthening security measures remains necessary to prevent cyber attacks, as hacking methods are becoming ever more complex.
This is how cyber attacks damage your website security
Hackers attack web servers for one main reason – they can earn money. Although many companies are convinced that smaller websites are unattractive for hackers, they nevertheless offer enough value. Even if they offer a comparatively smaller amount of customer data, there are still many other incentives for hackers to attack, aside from data theft.
The most familiar methods of attack on the internet
1. Business email compromise (BEC)
With the so-called business email compromise (BEC) method, cybercriminals take advantage of a senior colleague’s status to mislead employees into transferring money to a foreign account. In this type of fraud, cybercriminals send emails to employees in which they appear to be a senior colleague (e.g. the CEO). Employees are directed to transfer money, thereby providing access to company funds. If employees do not inspect the sender of an email with a critical eye, they run the danger of falling victim to the scamming attempt. Only when clicking to view the sender details does it become apparent that the sender is operating from outside the company. The US Federal Bureau of Investigation estimates damage amounting to several billion US dollars worldwide in 2019. In Germany, over 200 cases were investigated in 2019. This only includes the cases that were reported. The real number of attacks is likely to be much higher, as many companies do not alert the authorities, fearing damage to their reputation.
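The sender check described above can be automated at the mail gateway or in a mailbox audit. The following Python sketch is an added example, not part of the original article; the company domain, the executive names and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumptions for this example: the company's own mail domain and the names
# of senior staff whose identity is worth impersonating.
INTERNAL_DOMAINS = {"example-shop.test"}
EXECUTIVE_NAMES = {"anna becker", "jonas weber"}

# Constructed sample messages (not real mail).
SAMPLE_SPOOFED = (
    "From: Anna Becker <anna.becker@mail-example.test>\n"
    "Reply-To: payments@other-example.test\n"
    "To: accounting@example-shop.test\n"
    "Subject: Invoice\n\nPlease see below.\n"
)
SAMPLE_INTERNAL = (
    "From: Anna Becker <anna.becker@example-shop.test>\n"
    "To: accounting@example-shop.test\n"
    "Subject: Invoice\n\nPlease see below.\n"
)


def _domain(address):
    """Return the lower-cased domain part of an address, or '' if absent."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def bec_indicators(raw_message):
    """Return the reasons why the sender of a message looks impersonated."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Display names may be RFC 2047 encoded (e.g. names with umlauts).
    name = str(make_header(decode_header(display_name)))
    name = " ".join(name.lower().split())
    from_domain = _domain(from_addr)

    reasons = []
    if name in EXECUTIVE_NAMES and from_domain not in INTERNAL_DOMAINS:
        reasons.append("executive display name with external address")
    if reply_addr and _domain(reply_addr) != from_domain:
        reasons.append("Reply-To points to a different domain")
    return reasons


if __name__ == "__main__":
    for sample in (SAMPLE_SPOOFED, SAMPLE_INTERNAL):
        print(bec_indicators(sample))
```

A non-empty result is a reason to hold the message for review or to tag it as external before it reaches the recipient.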
Attacks on companies are much more promising than attacks on individual users, as they can earn higher returns. The US IT security company Malwarebytes published a report about cybercrime in 2019, which found that the number of ransomware attacks in 2019 increased by 365 %.
With a so-called ransomware attack, the company’s IT is infected. Hackers use a malware cocktail consisting of Emotet, Trickbot and Ryuk. The malware code is sent via email as an infected attachment and activated with just one click. The activation results in the encryption of company servers and access to the IT system is blocked as a result. The security of the website can therefore also no longer be guaranteed.
A message appears on the blocked screen with a demand for payment. As the name suggests, the company system is held ransom as payment is demanded in exchange for the release of the company’s system.
Scammers use the design of a familiar and secure site as a cover for phishing emails to send spam. The aim is to lead users to dangerous websites or to get them to download infected attachments. A fake website is created, on which users disclose their login or banking details. The distribution of spam emails damages the reputation of the website operators, as spam is sent and customer data is collected fraudulently in the name of the company.
4. Cross site scripting / XSS
Cross site scripting is a frequently used method of attack on the internet, with the aim of accessing confidential data. Malicious code is introduced into a seemingly trustworthy context. Security vulnerabilities in web applications are used to attack the system of the website operator. With XSS, web pages and login forms can be altered, or sensitive information such as passwords can be passed on. While the user assumes the login process is anonymous, confidential details are illegally forwarded to others.
The consequences of insecure websites for operators
When hackers recognize and exploit vulnerabilities in a system, the consequences for the affected companies can be disastrous:
When visiting the infected website, users could receive a warning that it is not trustworthy and that they have possibly been hacked. This message not only causes a loss of trust, but could also result in a significant loss of turnover if warning signals are sent to the community at large. Another problem closely associated with digitalization is the identity theft of a company. So-called corporate identity theft can have serious effects and even cause the company to collapse if hackers manage to realize their malicious plans using the name of respectable companies.
Implement website security with SSL
We offer the perfect solutions for you to protect your company against cyber attacks and offer your customers more security:
How do users recognize an encrypted website?
By now, almost every internet user knows that a look at the URL is all it takes to see if a website is encrypted or not. HTTPS and the padlock symbol signal SSL encryption and website security. A green URL bar is a signal for the highest form of SSL encryption: the so-called EV certificates are the most secure SSL version. However, internet users run the risk of misinterpreting a green padlock sign as an indication that the website is secure. Hackers sometimes use the green padlock as camouflage by encrypting their phishing websites so that they are classified as safe. Users are therefore advised not to depend on the green padlock symbol as the only indicator of a secure site. Browser providers are considering dropping the green signal so that hackers can no longer exploit any confusion. Google Chrome and Mozilla Firefox have already taken this bold step.
How the SSL certificate is displayed in different browsers:
Implementing SSL encryption is a trusted method of ensuring that website visitors feel safe and do not leave the website. SSL certificates make it much more difficult for hackers to intercept data. If a customer provides payment details during an ordering process, a DigiCert certificate, for example, makes sure that the sensitive data is only transmitted via the encrypted paths. So SSL encryption increases the trustworthiness and security of the website and conveys a feeling of safety on the internet.
SSL certificates are beneficial for more than just security
Apart from the security aspect, it should not be disregarded that Google encourages SSL encryption. SSL encryption has a positive effect on the ranking in search engines, so those who do not implement SSL are at a disadvantage. For TLDs like .app or .dev from the Google Registry, it is mandatory to implement SSL encryption when registering a domain, so protection is a given for these websites and their visitors.
In the EU, SSL encryption for websites has been required legally since May 2018 and should therefore be an inherent component of every secure website. The GDPR regulates the protection of personal data against external attacks throughout Europe. According to Article 5 (GDPR) in conjunction with Article 32 (GDPR), the protection of personal data must be guaranteed when data is processed. Violations against this regulation can result in warnings, fines and claims for damages.
Will long-term certificates be declared unsafe?
There is currently a lot of discussion around the lowering of validity periods for SSL certificates. In August last year, Google introduced the idea in the CA/B forum of lowering the validity period of SSL certificates from the current 24 months to 13 months, with the argument that it would increase security on the world wide web. A shorter life cycle for SSL certificates would reduce cybercrime due to the reduced time frame. However, this suggestion did not catch on – the majority voted against it on the grounds that it would cause too much additional expense for website operators. However, Apple pushed through with the implementation of its own position on February 19, 2020: from September 1, 2020, newly issued SSL certificates with a validity period of more than 13 months will be classified as unsafe. Other browsers are likely to follow suit.
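To see how an existing certificate fares under the rule described above, its validity dates can be checked directly. The following Python sketch is an added example, not part of the original article; it takes the cut-off date from the text, assumes the 398-day figure Apple published for its 13-month limit, and uses constructed sample dates in the format returned by `ssl.SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timezone

# Cut-off date as stated in the article; 398 days is an assumption taken from
# Apple's published policy for the "13 months" limit, not from this page.
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_VALIDITY_DAYS = 398

# Constructed sample certificates (only the fields this check needs).
SAMPLE_CERTS = {
    "issued-before-cutoff": {"notBefore": "Aug 31 00:00:00 2020 GMT",
                             "notAfter": "Aug 31 00:00:00 2022 GMT"},
    "long-term-after-cutoff": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                               "notAfter": "Sep  1 00:00:00 2022 GMT"},
    "short-term-after-cutoff": {"notBefore": "Sep  1 00:00:00 2020 GMT",
                                "notAfter": "Oct  1 00:00:00 2021 GMT"},
}


def _parse(cert_time):
    """Convert a getpeercert()-style time string into an aware datetime."""
    seconds = ssl.cert_time_to_seconds(cert_time)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def check_validity(cert):
    """Return (status, lifetime_days) for a getpeercert()-style dict."""
    not_before = _parse(cert["notBefore"])
    not_after = _parse(cert["notAfter"])
    lifetime_days = (not_after - not_before).days
    if not_before < POLICY_START:
        status = "grandfathered"  # issued before the cut-off, valid until expiry
    elif lifetime_days > MAX_VALIDITY_DAYS:
        status = "rejected"       # newly issued and longer than the limit
    else:
        status = "accepted"
    return status, lifetime_days


if __name__ == "__main__":
    for label, cert in SAMPLE_CERTS.items():
        print(label, *check_validity(cert))
```

The same function accepts the dictionary returned by `getpeercert()` on a verified live connection, so it can be run across an inventory of hostnames.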
Take advantage of the validity period to get a discount on long-term certificates
SSL certificates that are acquired or renewed by August 31, 2020 will be recognized and acknowledged as safe until expiry despite a validity period of 24 months.
So you can profit from our discount on long-term certificates until the end of August.
We offer the ideal SSL certificate for all purposes, helping you to avoid warnings, keep your website protected and allow your website visitors to recognize this immediately. You can choose from a wide selection of SSL certificates, ranging from those provided free of charge to those subject to a fee. Find out more about the differences here.
We would be happy to answer any questions you have about SSL and the protection of your website. Feel free to contact us and we will support you on your way to digital security.