Although many smaller online retailers might not see the urgency, an e-commerce site left unsecured and unprotected is very likely to be hacked.
That was the experience of Tony Spiridigliozzi, founder and president of Airspeed Wireless Networks. In the first year of operating Airspeed-Wireless.com, which sells hardware, professional and managed services to small and mid-sized e-commerce businesses, Spiridigliozzi hoped the website was too small to become the target of hackers.
Then cybercriminals began targeting the site, creating what Spiridigliozzi describes as a “strong sense of urgency” that propelled him to seek effective protection immediately.
Too many smaller-business owners don’t fully grasp the dangers they are in from tenacious hackers, says Neill Feather, president of cloud-based website security program provider SiteLock.
“Technology has evolved to the point that a lot of attacks are automated,” Feather says, “so if a hacker can compromise 5,000 small businesses and take their data, that’s just as good as compromising one large business. And it’s often easier because so many smaller-business people are underestimating the risk and not employing security products.”
Most small businesses don’t have the Internet technology staff to focus on technology, he says. “They focus on running their business.”
But hackers can disrupt an e-commerce site’s ability to stay open by crashing it. They can affect the site owner’s ability to protect customers from being hacked themselves. In addition, each hacked website can be converted by hackers into a “bot” that churns out spam or phishing attacks to hack other sites.
When these things happen, victimized e-commerce websites can be shunned by customers, as well as blocked to potential shoppers trying to visit the site from Google or a Facebook page.
Spiridigliozzi says he felt some vulnerability even as he launched Airspeed-Wireless.com in 2013. He was using free basic website security applications, available through his hosting provider, which provided very limited options to block hackers.
Through his chatroom, he was able to watch a visitor from Iran who “kept coming to my site every night for about two weeks. Because I was using ‘free’ website security I could block his IP address. Each time I blocked him, he would come back using another IP address. Eventually, he tried to engage me in a chat, trying, I think, to say, ‘Hey, you’re continuously trying to block me, but it’s not working.’”
Visitors enter an email address in order to chat, so Spiridigliozzi searched this man’s address. “It pulled up things like his Facebook page, Google listings,” he says, “and there were all kinds of postings from him about hacking.”
Eventually the man gave up; shortly after that, a hacker seemingly based in Morocco was able to create an administrative account on a website that Spiridigliozzi had under development. “That gave him full access to my website,” he says. “I Googled the username he used to create the admin account and it led back to a hacking group from Indonesia, so he was covering his tracks by using a server that was in Morocco. I had to delete everything after he penetrated my site and then create a new website.”
With that, “I learned a big lesson, that even if my website is just in development, it could be hacked.” He began working with SiteLock through his website host provider.
“What really impressed me is if SiteLock finds a vulnerability, they can automatically fix it,” Spiridigliozzi says. “In addition, you will receive real-time warnings and alerts. I think what I like most of all is that I can be proactive in preventing potential hacking attempts. Not only can I block IP addresses and entire networks, but I’m now able to block visitors from countries where, historically, a lot of hacking attempts come from” — such as Russia, China, Ukraine and Iran.
In 2015, Spiridigliozzi installed TrueShield, SiteLock’s enterprise web application firewall. To date, it has blocked nearly 10,000 malicious threats, five SQL injection (SQLi) attempts (a code injection technique used to attack data-driven applications) and 27 visitors from blacklisted IP addresses.
Spiridigliozzi uses SiteLock’s highest level of scanning services, Infinity, which includes TrueShield as well as SiteLock’s Secure Malware Alert and Removal Tool, which identifies and automatically removes malware.
The alert and removal tool scans continuously 24 hours a day, seven days a week, 365 days a year. On Airspeed, Infinity scans an average of 2,500 files every day.
The package also includes SiteLock’s expert services, which allow manual removal of especially challenging malware penetrations. This service removed malware planted by a hacker who penetrated the website of Airspeed’s website host provider, stealing passwords and other key data belonging to that host and its customers.
“That’s what gives me peace of mind,” Spiridigliozzi says, “knowing that I have continuous monitoring and if they find a vulnerability, they fix it.”
Feather says that SiteLock blocks some 5 million attacks against all its customers every month.
In an in-house survey conducted in February 2016, SiteLock found that if a business is compromised, 60 percent of its customers won’t return. “We also found that about one-third of consumers are concerned about their information being stolen, so they won’t shop online at all,” Feather says.
Large online sites that have been hacked see most of their customers return eventually, he says. “But if you’re a small business, and suddenly 60 percent of your customers don’t come back to your website — and you have the additional costs of cleaning up the damage left by hackers — that could be the difference between being in business and not being in business.”
Considering the damage that successful hacks can do to a company’s reputation, including the loss of customer trust and the costs of repairing the devastation that a hack leaves in its wake, Spiridigliozzi says SiteLock is absolutely worth using.
“If your online presence is hijacked, you can be ruined. And not only that, you become liable. Customers can bring legal action against you, so I consider my partnership with SiteLock a very good investment in web security, which is part of my cost of doing business,” he says.
“Considering what’s happened to me in the past and what I’ve seen happen to other websites, I will not be unprotected. SiteLock’s applications protect my business, my customers and they give me peace of mind.”
Liz Parks is a Union City, N.J.-based writer with extensive experience reporting on retail, pharmacy and technology issues.