Data breaches are becoming more prevalent – and expensive. According to the March Beazley Breach Insights 2016 report, the Beazley response unit responded to 60% more data breaches in 2015 over 2014. Still more shocking, the proportion of breaches involving third-party vendors more than tripled over that same time period, rising from 6% of breaches in 2014 to 18% in 2015.
In addition, a 2015 Ponemon study sponsored by HP found the mean annualized cost of cybercrimes for 252 benchmarked organizations is $7.7 million per year, with a range from $310,000 to $65 million.
To combat these cyber threats, many enterprises monitor their IT vendors to ensure safety with robust application inventories and vendor risk assessments, but one entry point is left unmonitored, unpatched and unprotected: plugins. Websites are the one IT asset you want to be publicly available. You want the customer to engage and interact, but it still needs to be safe.
Many enterprise organizations are using or considering the use of open-source programs – namely, WordPress – to manage their site’s look, feel and functionality.
The beauty of WordPress is its open-source structure. Rather than having a few engineers creating an enterprise’s website, WordPress is the combined product of hundreds of coders. That makes the platform itself secure – important since in the US, 22% of new domains will use WordPress.
Although the platform is safe, many of its add-ons, or plugins, are vulnerable to cyber threats. In fact, several recent data breaches were on WordPress sites. WordPress plugins, designed and maintained by third parties, extend and expand the functionality of the WordPress platform. There are more than 29,000 WordPress plugins, which have been downloaded roughly 290 million times, and new plugins are created every day.
Many of these third party plugin developers are small, with limited resources and no ability to track which websites use their plugins or patch any issues. Many plugins are never updated at all; meaning users are exposed to risk. Enterprises that use these plugins are effectively opening the door to their IT infrastructure and exposing themselves to risk.
According to Verizon’s 2014 Data Breach Investigations Report, “Web applications remain the proverbial punching bag of the internet. There’s no question about it – the variety and combination of techniques available to attackers make defending web applications a complex task.”
Also, because of their size, enterprise WordPress users are susceptible to reputation-damaging and expensive cyber-attacks.
SiteLock’s own research, completed in partnership with the faculty from the University of Pennsylvania’s Wharton School of Business, found the more complex the site, the higher the likelihood of compromise. In fact, websites that were of the highest complexity were more than 12-times more likely to be compromised than websites of the lowest complexity.
As a site offers more features to engage and retain its users, the importance of preventative website security increases.
Having your site scanned is an absolute must. Companies need to either manually conduct rigorous code audits or work with a vendor to mitigate risk and review any third-party code.
Though each enterprise is a “special snowflake” requiring a personalized security plan, there are a few steps organizations must take to protect themselves from exposure and mitigate cyber risks.
1) Conduct a detailed code audit to more definitively understand how plugins might be opening the door to your company’s IT infrastructure.
2) Virtually patch identified vulnerabilities in software or plugins.
3) Enterprises also need to prevent against brute force attacks. This includes privileged areas, such as the WordPress admin entry page
4) Whether enterprises host their sites independently, via a cloud vendor, or through a hosting service, it’s of the upmost importance that teams monitor server uptime and performance. Companies can consider expanding their infrastructure by using a content delivery network (CDN) to more seamlessly and quickly deliver content to the end user. Enterprises should also invest in Distributed Denial of Service attack mitigation, which – according to American internet company Verisign – jumped by 85% between Q4 of 2014 and Q4 of 2015.
5) Develop a comprehensive incident response plan. As part of this plan, categorize potential data risks by threat level. Over-reacting to a breach can be as damaging as under-reacting.
Ultimately, investing in one’s security and reviewing vulnerability from the beginning can save a company’s reputation, and money, in the long run. Ponemon found that “companies using security intelligence technologies were more efficient in detecting and containing cyber-attacks. As a result, these companies enjoyed an average cost savings of $1.9 million when compared to companies not deploying security intelligence technologies.”
Even if a cyber threat means your downtime is .001%, the pain inflicted by that downtime is magnified the bigger the enterprise.