Connect with us

General

How My Business Website Was Hacked And What Happened Next

settings

The advice provided in this article is based on real world experience of having an income producing website hacked – namely my website.

In this post, I will reveal how the baddies got in, what actions I took to restore my website, the assumptions I had around responsibilities – that were wrong, how much the attack cost my business and finally something for you – a checklist that you can use to review your own websites security right now.

If you don’t care about my wonderful tale of website hackery and just want the checklist then scroll down to the bottom and read the “Website Security Checklist” section.

But! You will be missing out on a great story 🙂

How My Website Was Hacked

About 7 years ago my website was tracking quite nicely with 30,000 unique visits per month in a niche market, revenue from advertising was good and growing. It was about this time I decided to offer a new service to the website visitors to encourage them to stay longer on the website.

I asked the web developer, who was a contractor living in another country and did odd jobs when work was needed, to locate a suitable plugin for the website. So off he went and located a plugin that seemed to offer all that I needed and even better – it was free!

So, the web developer downloaded the plugin, installed it on the production website and off I went promoting the new features to my website visitors.

Now, some of you will already be shaking your head at what I did, and believe me I am too as I write this. It’s important to note that I was not in the IT security sector at that time and did not have any idea (nor care because hackers only target big websites, right?) of IT security in general – like most small to medium business owners.

The plugin was fantastic and kept a high proportion of visitors on the website for much longer, until of course, the website got hacked – and hacked good.

There is nothing worse for a business owner to have your “shop” broken in to and “products” stolen or damaged, and that’s what happened to me.

How did it happen?

In summary and without going technical on you, the plugin was riddled with security vulnerabilities big enough to drive a virtual bus through it. The plugin developer had no clue how to write secure code and every hacker knew it. I found out later my web developer didn’t have a clue either.

The worst part is that most plugins inject meta-data into the website HTML when a web page is visited so all the hackers need to do is search Google for that meta-data “signature” and instantly a list of websites running that plugin will be shown.

Once a vulnerability is discovered in the plugin that meta-data “signature” helps them locate all the websites running it, as mentioned above. You can try this out yourself with a simple search such as “vulnerabilities” or “exploits“.

Out of those results you will end up navigating to a website that will provide a step-by-step guide on how to exploit whatever vulnerability the software contains. This is how 11-year-old kids with no training in hacking can successful hack a website – they are provided with a “dummies guide” how-to for free!

In the case of the plugin installed on my website, it was one URL with some extra text at the end of it – which was a “SQL injection attack” that resulted in resetting the admin password of the software running the plugin.

That’s right, the admin account that manages the entire website could be reset to whatever the hacker wanted with one URL call to my website!

Thanks to the plugin a hacker had admin access to my entire website with one URL call.

The hacker, was not a simple 11-year old script kiddie that just wanted to deface the website.

No, this hacker was smarter.

The hacker wanted to remain on the website as long as possible, attempting to infect as many visitors as possible. To achieve this the hacker did the following:

  1. Uploaded hacker tools to allow for additional backdoors to be added to the site just in-case the original vulnerability used to gain control of the website was discovered and fixed.
  2. Added malicious JavaScript code to the websites template so when a visitor came to the website the hacker’s code would attempt to infect the visitor’s computer. Not every visit though, it used a random generator to decide when to attempt the infection process to make it harder to detect.
  3. Downloaded the accounts of all the users to: 1) attempt to brute force the encrypted passwords (that failed since the encryption was strong) and, 2) grab all the email addresses to sell to spammers.

In fact, he was so good that it took a couple of website visitors to complain to us that every time they went to our site their web browser would crash.

When I investigated, I knew something wasn’t right so I rang the hosting provider who had a look and confirmed that the website had been hacked.

I rang the web developer only to find out that he was off on a 4-week holiday and did not bother to tell me.

Thanks for that.

I then went back to the hosting provider and asked them for help, but they only could provide assistance in a few days not right at this moment.

What to do?

The first thing I did was shut down the website, then emailed all the users informing them of the attack. I rang the advertisers and told them each personally about the attack and how I was going to refund existing payments.

Next, I was lucky enough to know another web developer who was based locally that I trusted. I contacted him and after having a look over the website concluded that it’s a better to roll back to the last backup then risk missing one of the hacker’s back-doors.

Excellent – that’s great news!

Except, when attempting to roll back we found the last 6 months of backups were corrupted! Finally, we located a backup that was not corrupted and rolled back the website to what it was 7-months ago.

This meant that my website was now missing 7 months of content!

Of course, this caused me a world of pain with issues such as: dead links back to my website, loss of 6-months’ worth of banner statistics for my advertisers, loss of trust with my visitors and advertisers, loss of revenue through refunds and the cost of the web developer helping me to roll back and secure the site.

Finally, when the dust settled and I was back online taking stock of the whole event the web developer who installed the plugin contacted me to touch base. After telling him what he missed and listening to blank silence on his end I asked him for his thoughts.

His reply?

So, do you want me to install the latest version of the plugin?

Website Security Checklist

Below is a website checklist that I hope you will find value in using.

The checklist is based on the lessons-learned from when my website was hacked. The checklist is aimed at the business owner who is not technical and relies on third parties to help manage their business website.

  1. Patch, Patch and Patch – ensure that someone is responsible for keeping your website software up-to-date with patching. Make sure you have written confirmation from that person (people’s memory on who is responsible for what when an attack occurs seems to magically change). Also ensure that your hosting provider has a patching policy and that the web server your website is hosted on is patched frequently. Ask for the patching schedule and patching policy. If they don’t have a schedule or policy then it’s time to look for a new hosting provider.
  2. Review existing plugins – If you have installed plugins on your website then review each one and have a good hard think if you need the features offered. Every plugin you install increases the chances of a vulnerability entering your website. The plugin might be secure now but that can change with each plugin update. You can also apply this review to any other software you have installed that provides a service to your website.
  3. Review new plugins or functionality – if you have identified a new piece of functionality you would like to add to your website such as a plugin, perform some basic research first on the software before installing it. Key search terms I use are: ” vulnerabilities”, ” exploits”. If the search results look alarming such as discussion about how easy it is to hack then don’t install the plugin.
  4. Review Website Admin Accounts – who has access to the admin portal(s) of your website? Which admin accounts can be disabled and only active when needed? For example, the contractor you used 3 years ago for one job probably does not still need access to your website. Are all the admin accounts known to you and are they still needed? What about FTP accounts? What about SSH accounts? Reset the password on all admin accounts if they have not been changed in years, and make sure it’s a strong password. You don’t need to force a password reset every month – maybe once a year.
  5. Check your website backups – create a dummy website and restore a backup to test that it works. I know this will be very hard for most of you but I know from personal experience that if you need to roll back and the backup is corrupted or not complete, the other options you have will be far more expensive then loading up a test site and testing your backup.
  6. Have an Incident Response Plan – basically a document that records the contact details of all the people you need to engage when the website is hacked and what steps you are going to take, such as asking the hosting provider to block all incoming traffic. Record the hosting provider’s support contact details, including their after-hours support numbers (Tip! Perform a test run by ringing the after-hours line late at night and see how good they are at responding – you may be very surprised at the result!), contact details for the web developers or anyone else who helps manage your website, your clients and any other interested parties. If your website accepts credit cards for payment then you will also need to contact your acquiring bank and inform them of the breach (read Do I Need To Be PCI Compliant? for an introduction into PCI DSS). In my next post I will provide a basic incident response plan you can use.
  7. Webserver Hardening – check with your hosting provider that the webserver hosting your website is “hardened”. This means that the hosting provider has tightened up the security of the webserver such as turning off any services that are not needed, changing configurations so the security is better and a host of other technical things that are important. If the website hosting provider does not know what hardening is or doesn’t do it then it’s time to find another provider.
  8. Software Hardening – if your website software was installed by a third-party check with them that the software has been “hardened”. Just about every piece of software can be “hardened” as most have default configurations that do not have a focus on security. Like the hosting provider, if they do not know what “hardening” is, it’s time to start searching.

Further Considerations

Since we are on the subject of securing your website, I would like to suggest a couple of recommendations that require thought, cost and planning to implement but are well worth the effort.

  1. I recommend that your website only supports HTTPS not HTTP. HTTPS allows the traffic between your website and your visitors to be encrypted. This is very important especially if you access the admin functions of your website using public networks such as free or hotel wifi. To provide a bit of encouragement in looking at HTTPS, Google has recommended using HTTPS and talk in the SEO world is that Google will prioritize websites that only support HTTPS in their search results – enough said.
  2. Consider using a service such as Cloud Flare that will sit in-front of your website and help protect it from attacks. Cloud Flare provides a “Web Application Firewall” or “WAF” which protects your website from attack via the Internet. Another WAF option to consider, if your website is using Word Press , is Word Fence which provides a security plugin for your website. I have not used this plugin myself as I use Cloud Flare but it looks interesting. NOTE: I receive no benefit from Cloud Flare or Word Fence in mentioning them. I use Cloud Flare and a person I highly respect in the IT security sector recommended looking at Word Fence.
  3. Look at a monitoring service to alert you if your website is under attack – the little bit of warning you get will allow you to alert your hosting provider who may be able to stop the attack.

Further Reading

If my post has sparked your interest in improving your businesses IT security then have a look at this post-> Five Basic (And Cheap!) Tasks That Will Dramatically Improve IT Security For Small Businesses

BusinessArticles is the popular online Hub for quality business articles. We publish unique articles and share them with our social followers.

Continue Reading

Education

Importance of Employment Contracts to Employers and Employees

people talking

In this modern world that we live in, everything needs to be done by the book. If not, then there can often be nasty repercussions, and when it comes to running a business, it’s best not to invite this willingly. In the public sector alone, around 31% of employees have some form of conflict that’s common in the workplace.

With that said, it’s good to do all you can legally and in the right manner. Most businesses and those in the position of hiring employees will have an employment contract in place. This article will discuss what an employment contract is and why it’s so important to have it in place.

There are also some helpful tips towards the end when creating an employment contract for the first time.

Employment Contracts

What is an employment contract?

Employment contracts are legal agreements between the employee and employer providing written acknowledgement of the terms between the two parties.

Depending on the type of employee the employer is hiring, this might affect the type of contract they provide. The employment contract will list the relevant information concerning the role and the various aspects of working for the employer.

You’d typically find the working hours, pay and terms of employment in general. Many employment agreement templates are available online for those who aren’t quite familiar with the structure and how to draft them up correctly.

Both parties are legally protected.

Any type of contract is good because it’s an agreement that’s legally binding. Whenever an employer wants to hire a person for their company, they want to ensure the person they’re hiring will benefit the company.

The same goes for the person looking for a job and wanting to join somewhere that does everything legally and legitimately. Both parties will be protected when this contract is drawn up, agreed upon, signed and dated. That way, both parties should have had the opportunity to dispute or negotiate anything within that first draft and be happy with the agreement.

Protecting both parties can help in keeping the relationship a trustworthy and respectful one. This contract can be seen as the foundation of any employee/employer relationship. Without that foundation, either party can find themselves running into some form of trouble as a result.

The contract can also assist either party in terminating the agreement should there be a reason to do so. For example,  maybe the employee wants to leave the job, or the employer uncovers a breach of the agreement.

Outlines everything expected from either party

An employment contract of any type is likely to be very detailed. It will contain everything that the employee needs to know before commencing their role within the company. For the employer, it’s a chance to detail everything that is needed to make the role valuable for the company.

Having communication is important, and the contract clearly outlines everything that’s expected from both parties. With 64% of businesses finding communication in their strategy, values and purpose as a key priority, there’s no doubt that this is essential.

There can often be somewhat of miscommunication or lack of in some businesses, and so to avoid this happening for yours, these contracts are beneficial. Having good communication in everything that’s done in a business will likely aid its success and growth.

From an employee’s perspective, it’s useful to know what the employer expects from them and everything they do for the business. It’s often detrimental to their own happiness and appreciation for the job.

Enforces accountability where necessary

If everything went as expected, then there would likely be very little that goes wrong. However, that’s wishful thinking when it comes to business and being part of a workforce.

Things won’t always go smoothly, and in the case of employment, not every employee or employer behaves appropriately. There may be times when workplace disputes occur, which may result in legal action from either party.

The employment contract is a written document that has been signed and dated. It, therefore, acts as proof of a mutual agreement and evidence that can be used if either party finds it necessary to do so.

It, therefore, enforces accountability to be taken should either party be found to have breached or broken their agreement with the other. For example, if you’re an employer, your employee may decide to take action against overtime that hasn’t been stipulated prior in the contract.

In the case of an employer, confidential data could have been stolen by an employee and used to damage the company’s reputation. Many cases have come up over the years relating to employment law.

Keeps confidentiality and maintains data security

data

For the average business, there is often a lot of confidential data that the company holds, whether concerning the company itself or their customers’ trust in storing.

An employment contract will ensure confidentiality is maintained when employees are accessing such data for work purposes.

Data security is one of the main concerns for businesses nowadays, especially as 95% of cybersecurity breaches are caused by human error. You really can’t be too careful!

In the contract, there will likely be more detail depending on what role the employee has and how much influence they may have regarding the company’s data. For example, some employees may have access to more data than others. It’s good to pay attention to this section of the contract for accuracy.

Keeping confidentiality and data security at the top of your list as a business will also strengthen the relationship and trust with your customers.

Creates a trustful working relationship

A successful company is often down to the happiness and productivity of its workforce. Companies with a highly engaged workforce are seen to have around 21% more profit as a result.

As mentioned above, with a contract in place, there’s this trust and reliance created between the two parties.

You must do everything possible to cement this relationship from the beginning. Your employees are an integral part of the business, and if you’re not willing to put a legal contract in place or one that isn’t detailed enough, that’s not a good start to the working relationship.

The creation of the contract should be open for discussion. Even though the employee has accepted the job and the employer has offered it to the employee, there can still be some room for negotiation if either party isn’t happy with the agreement.

Tips for creating an employment contract

So now that you know the importance of employment contracts, it’s imperative to include every detail. With that said, here are a few top tips when creating one.

Remember the basics

Some basics are essential to include, and these will be the key information regarding the role itself. Usually, this will be the job title, the department and the head of that department or manager for the employee.

There will also be the location of the business included here, so don’t forget that!

Pay and benefits package

It’s not all about the money, but it’s important for your employment contract to include details and pay.  Remember, the detail here may change depending on the type of employee you’re hiring and whether or not they’ll also be incorporated into the benefits package that a company provides.

There may also be levels of benefits that are available depending on the role.

Annual leave, sick pay and parental leave

There are certain entitlements that an employee is allowed to have regarding matters of annual leave, sick pay and parental leave. In this section of the contract, you can outline the individual benefits that the employee has when it comes to taking time off.

Employment type and duration

For your employees, not all of them might be working full-time, and there might be some who are on fixed-term contracts and others on temporary.

The employment contract will mention the type of employment and duration, as well as any mention of overtime.

Policies and terminations

Most businesses will have privacy policies relating to the internet and use of data, as well as termination procedures should either party want to terminate the contract. Notice periods will also be mentioned here.

An employment contract is a must-have and having one, and it’ll protect both parties. Not only that, but it’ll be useful should either party need to refer back to it.

Editor’s note: A shout-out to Natalie Redman for her contribution – thanks.

Continue Reading

General

How To Know If Your Factory Or Workplace Needs A Ventilation Solution

factory

You’d be hard pushed to find anyone on Earth who isn’t aware of the COVID-19 pandemic. Ventilation in the factory or workplace is the concern of all workers who value their health and wellbeing. So unless you work in the great outdoors, you should concern yourself with how fresh the air is in your work environment.

Who hasn’t taken fresh air for granted? Pre-pandemic, ventilation and air quality indoors didn’t get the same attention that it’s getting now. What’s changed? The real experiences of catching airborne COVID-19 via small droplets and particles. Today business owners realise to keep their staff safe at work, the factory or office must have an effective ventilation system.

Had to step up and take ownership of righting the wrong with ineffective ventilation systems in the workplace. However, there are steps you can take to make the air indoors cleaner and purer, too. Furthermore, there are plenty of good reasons you want to improve indoor air quality in your factory by improving ventilation. Here are 6 reasons why factories must be well ventilated.

Studies also confirm good air quality can improve productivity and vice versa, i.e. air pollution can stifle both the quality of work and how much of it is done. Remote working is now preferred by workers the world over, so to get them back to the workplace for some if not all the work week will require your business to prove you’re taking their health and wellbeing seriously with great air quality.

Health and Safety

Governments require businesses to look after workers health and safety in the workplace, so it is a must-do for every organisation. There’s no escaping climate change and how we pollute the air with industry. When in confined spaces, the quality of air has a bigger impact on our health and productivity. Therefore ventilation systems are needed to remove hazardous pollutants and fumes, including:

  • Chemicals
  • Fuel-burning
  • Heating and cooling systems
  • Moisture

There are many negative side effects of poor air quality, including:

  • Fatigue
  • Eye irritation
  • Skin rashes
  • Headaches
  • Coughing, sneezing
  • Sinuses
  • Dizziness

Plus, where there is a high mold, employees prone to asthma attacks and respiratory infections will suffer and take more sick days.

While there’s the investment to improve the ventilation system, the upside is not only fewer sick days and higher productivity, businesses will likely see an improvement in energy use.

Energy Efficiency

Good ventilation will eliminate hot and cold spots in the building. By increasing the airflow and maintaining an even temperature throughout the building, temperature and humidity – i.e. the moisture in the air are controlled. It may seem counterproductive to use energy to run a ventilation system; however, it can use less energy when it’s optimised for your environment.

Plus, you could say there’s a trade-off when you use energy to maintain air quality and flow versus not doing so and using time and resources to replace workers on sick leave and damaged goods.

Protect Your Inventory

High-quality ventilation is also good for your assets and inventory. With low humidity and dust, your physical assets, raw materials and inventory ready for distribution are protected.

Moisture can get in anywhere, and when it does, it compromises the quality of materials and products. Avoid the unnecessary need for replacements and associated costs with a ventilation system fit for purpose in your workplace.

There will be a need for managing worker habits so they don’t interfere with the optimum settings for good air circulation. Plus, you don’t want HVAC equipment working longer and harder than it has to, so you will need to educate staff on its use.

What may also assist you is knowing how to read fan curves so your engineer designs an energy-efficient ventilation system with the right fans for optimum air quality in your factory or workplace without wasting energy.

Summary

There is no escaping our activities are degrading air quality, and with the threat of pandemics like COVID-19, there is a sense of urgency to ensure our workplaces are safe and healthy for work.

Ventilation systems control temperature, humidity, and air motion. A good ventilation system combined with HVAC equipment is not a luxury item. Instead, it’s essential to the continuation of business-as-usual. Read our next article on often you need to deep clean your work environment.

Continue Reading

General

Benefits of Team Building Activities at Work

teamwork

Off-site team building events are recognised in my businesses as pivotal to keeping staff focused, productive, and happy in the workplace. Also, the change of routine encourages employees to unwind and learn more about their work peers. You may not want to know this statistic, but on average, all workers spend over 13 years of their life working. This fact may depress some of you while it may have the opposite effect and motivate you, and this is due to the different personalities we spend a lot of time with, in the workplace.

A day out of the office with management and colleagues can be fun and provide other benefits. Team building activities for work have been proven to encourage better communication and lift productivity.

Here’s another interesting opinion, did you know experts say there are only five types of people from which 16 personalities are construed? The ‘five-factor’ model gives you insight into your staff’s personality types and their strengths and weaknesses, as well as how they can perform in teams. It’s worth researching into the basic personality types of your staff before witnessing how they get on together during a group event.

Regular Team Building Exercises Benefits

Get to know the different personalities in your office

Employees are not robots, and they react in their own way to change and how they interact with their colleagues and management.

How a team member deals with challenges and the new environment will reveal more of their personality. Using an offsite location for team building will encourage more openness and present the leaders from the followers among your staff.

Increasing productivity and motivation

The camaraderie among workmates increasing productivity as well as foster individual performance. Self-confidence and feeling at ease in the company of other people will lift overall company output, and future proof the business as a strong competitor.

Improving communication

Working in a team means everyone has to deal with personal and opinion differences. And that is the reason why effective communication is critical. Not every worker has a friendly or outgoing personality, and this is something that needs to be acknowledged. Some people are shy and timid, while others are naturally extroverted.

A team-building activity is one of the best solutions to break these barriers and gaps in communication. Team building involves games and other recreational activities forcing everyone to connect on a deeper level. It is one of the simplest ways to get everyone talking and conveniently align their precepts according to the values of the company.

As such, when staff return to work, there will be less reluctance to share their opinions openly in communication and transparency speeds up the identification of issues that need resolving, thus improving overall productivity.

Reinforcing a positive work culture

We all need to know how we perform outside our comfort zone, yet most personalities shy away from putting ourselves to the test. When the team day out is ‘work’ there’s no way out, with attendance compulsory, so we look for commonality, familiarity and find our group culture. Plus there’s time to work on the goals and visions of a company with the whole team altogether. On returning to the workplace the renewed energy among the workers, even the more introverted personality types who are expressing their emotions more freely, is proof these days offsite are good for business.

There’s little doubt that happy and satisfied staff is the foundation of every successful business and investing in regular company-wide team building is a low-risk strategy for apositive work culture.

Summary

Start the new year with an offsite activity or event, so your workers can come together, share their holiday experiences and reignite their focus on their job and how your business will meet its targets.

Continue Reading

Trending