By Chuck McCullough 2/24/2009
At least once a week, there is a news story about website attacks or other loss of data. Let's see: in the last few years, there was the loss of the Veterans Administration laptop containing thousands of patient records; the TJX (T.J. Maxx, Office Max) loss of 95 million credit card transactions; then Clear Systems, which provides express security lanes at airports, reported that it lost thousands of customers' personal information; and finally, just a few weeks ago, Heartland Payment Systems reported that in excess of 100 million credit card transactions had been obtained by hackers. USA Today reported just last week that attacks on government computers were up by 40% over the last two years. The point is that the threat is real and you are under attack regardless of whether you are a small or large company.
Cyber thieves are looking for a big reward and therefore are concentrating their efforts on financial opportunities. You don't need to be a bank to be a target, though. Do you accept credit cards? Do you keep financial data and customer information on computers? Of course, the answer is yes! There are other kinds of attacks and attackers that might find your site worthwhile even if it doesn't offer a direct payoff.
An attacker may be a former (or current) employee who is disgruntled and simply wants to embarrass you. The attacker may find a vulnerability in your systems and exploit it to spread malware to your customers, vendors, and business partners. Or the attacker may simply be a bored teenager who thinks it's cool to hack into your systems and wreak havoc.
As banks and other big targets harden their systems, attackers are moving on to easier prey. That could be you. If you think you are secure because you are obscure, you would be wrong. You may not have much of value, but if your website is simply defaced or made unavailable, you suffer a loss of reputation with your customers.
The Open Web Application Security Project (OWASP) is an organization dedicated to raising awareness of application security. They want you to know that you need more than a good firewall to be secure. One of their main work products is a list of the top ten vulnerabilities of custom applications. The vast majority of all attacks are some variation of the top ten. The number one attack is called Cross Site Scripting (XSS). If any of your web pages are vulnerable to an XSS attack, the attacker can plant a script on your web server that is in turn downloaded and executed by other users of your website. Those other users could be your customers (oops) or, even worse, an internal user with access to other company data. This script, when executed in the victim's web browser, will trick them into providing information, such as passwords or other sensitive information. The victim may not even know that the site is compromised. The script may also trick the user into visiting the real target of the attack: the victim's bank. So, while you may have little to lose in the way of data, you could inadvertently assist the attacker by hosting their script and delivering it to thousands of potential victims!
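The mechanism described above, as an added example that is not part of the original article: a site takes a visitor's comment, stores it, and later builds a page fragment for every other visitor out of it. The function names (escapeHtml, renderCommentUnsafe, renderCommentSafe), the comment-form scenario and the sample inputs are all constructed for this illustration. The unsafe version concatenates the stored text straight into HTML, so markup in the text becomes live markup in each reader's browser; the hardened version encodes the text for the HTML context it lands in, which is the standard defense. The script runs under Node.js with no browser needed.

```javascript
// Added example, not code from the article. Shows why stored user input must
// be encoded before it is written into a web page, and what the fix looks like.

// Encode the characters that let text break out of an HTML text node or a
// double-quoted attribute value. This is the core output-encoding defense for
// the HTML body and attribute contexts (JavaScript, URL and CSS contexts need
// their own encoders; this one is not enough there).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// What a vulnerable site does: the stored author name and comment text are
// pasted directly into the HTML template. Anything in them that looks like
// markup is interpreted as markup by every visitor's browser.
function renderCommentUnsafe(author, comment) {
  return `<div class="comment" data-author="${author}">${comment}</div>`;
}

// Hardened version of the same template: every untrusted value is encoded for
// the context it is placed in (attribute value and text node respectively).
function renderCommentSafe(author, comment) {
  return `<div class="comment" data-author="${escapeHtml(author)}">${escapeHtml(comment)}</div>`;
}

// Constructed sample input: an author field that tries to close the attribute
// and add an event handler, and a comment that contains a script tag.
const SAMPLE_AUTHOR = 'Eve" onmouseover="alert(1)';
const SAMPLE_COMMENT = "<script>alert('xss')</script>";

// Returns both renderings so the difference can be inspected or tested.
function demo() {
  return {
    unsafe: renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_COMMENT),
    safe: renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_COMMENT),
  };
}

const out = demo();
console.log('unsafe:', out.unsafe); // a live <script> tag and an injected onmouseover attribute
console.log('safe:  ', out.safe);   // the same characters, shown as harmless text
```

Encoding at the point of output is the rule to apply everywhere a page is assembled from data the site did not author, not only on comment forms; a Content-Security-Policy header is a useful second layer on top of it, not a replacement for it.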
XSS is number one because it is fairly easy for anyone to learn how to program an attack and because so many websites are vulnerable to this type of attack. Are you sure that all your web pages are immune to XSS attacks? Don't assume that your developers know about this and have built your site properly. Over the last two years, I have trained thousands of experienced, skilled, and smart programmers, and about half of them had never heard of this attack. All of the developers reported that they knew of at least one place in their company's website where an XSS vulnerability existed.
If you have customer or personal information stored in databases anywhere on your networks, you may have a legal obligation to protect it, and you certainly have civil liability if the information is stolen. If you accept credit cards, you are legally required to make sure that your developers are fully aware of website vulnerabilities and know how to avoid them.
Even if you don’t have a legal obligation, you cannot afford for your website to be compromised. Don’t be the next headline in USA Today. That is publicity that you cannot afford.
Chuck McCullough is owner and CEO of McCullough & Associates. He has been developing applications, consulting, and training programmers for a quarter century.