Keeping your website safe from online risks
Three years ago when I decided to make my company, Moti-Vitality, a full-time venture, one of the things I knew for sure was that I needed a good website. I needed a way to let people know that I offered sales, management and educational training solutions specific to the water treatment industry — not vitamins or financing, which the company name apparently suggests to some.
I consider myself fairly computer literate — I can find the on button, I know the difference between a Mac and a PC and I know how to alter the statistics in solitaire to make it look like I have won more often than the computer. But when I try to wrap my mind around the Internet, things get fuzzy.
So I decided to pay a company to design the website. It cost a lot of money, and I know it could have been done less expensively, but a website is more than an online brochure. I wanted a site that was interactive and that could easily adapt to the growth and changes I expected.
I was so satisfied with the quality of the website that I decided to make it the centerpiece of my marketing campaign. All of my advertising efforts were designed to drive prospects to the site. I decided to launch this effort in Las Vegas at WQA Aquatech USA 2012.
The plan might have worked. There may have been an increase in the number of people attempting to visit my website. I don’t know for sure, though, because my website was hacked. Everyone who may have attempted to visit it was instead redirected to a page that told them their computer was infected with a virus or that they needed to do a major update — and a few even were redirected to an inappropriate site.
I want to explain how this happened and what you can do to prevent the same thing from happening to your company’s website. But first, I will start with the basics on how a website works.
Internet Real Estate
Suppose you have a home office that no one except your friends can visit. You want more people to be able to visit, though, so you rent office space from an office complex downtown. You move everything from your home office to the new space, and now anyone can visit.
You have an address that tells them where in the city to go. You have signage that directs people first to your building, and then to your office. You may even have direct access to other offices. In fact, the more ways there are for people to find your new office, the better.
If you want to design a website, you can do it in the middle of nowhere without an Internet connection. A website is just pages and files linked together—you do not need a fancy program to design one. If a website is designed offline, it is stored on the hard drive of your computer, and the only people who can see it are those who have access to your computer. This is your virtual home office.
If you want to put the website on the Internet, you need to upload it to a public storage space online. This is renting space in a virtual office complex.
Your Internet address is called a domain name, and you can create whatever name you want, as long as it is available.
I purchased a five-year use of my domain name, moti-vitality.com, from GoDaddy.com for a reasonable price. At the end of five years, I will have to renew my rights to this address.
The virtual building in which you rent office space is called a host. One of the best things about websites is that if you do not like your landlord, or if your virtual office space is too small or starts charging more rent, you can move. In other words, you can take your entire website and move it to another host, while keeping your address. In most cases, your clients will never know that you have moved, because the office itself looks the same.
Open to Risk
Often, hackers will hijack your address but still use all of your signage, so that when people look for your website, they follow the directions to get there but end up being tricked into going elsewhere.
Originally, the company that designed my website also hosted it. The company gave me a limited amount of storage space on its servers and charged me a premium for renting this space. I justified the charges because the company had the virtual equivalent of armed security guards keeping my site secure. It provided nightly backups, and it had to approve any changes to my site.
My website offers hours of video and audio training, so I quickly ran out of space on the host’s servers. I began to search for a larger, cheaper virtual office complex. I did not think I needed the maximum level of security, because my site was still fairly small.
I moved the site to an online hosting service. Its monthly hosting fee was about 90% less than my previous host. I was nervous about moving, because I believe you get what you pay for. But, as I investigated further, I discovered I got a lot more than I had thought.
When I called the company, I talked with a U.S.-based technician who took the time to explain everything in terms I could understand. The company offered unlimited storage, as well as website monitoring and maintenance tools that covered virtually every need, including partnerships with other companies that provide website security. It is up to the website owner to utilize these tools, but the hosting company will help determine which ones you need.
In the past several years, website design has become easier, with tools and templates available that allow novice developers to create great-looking sites. These sites are not designed on a hard drive and then uploaded to the Internet, but rather built directly onto the hosting server — the virtual office is put together directly at the virtual office complex.
Among the most common website-building programs are open source programs. Open source means that anyone can write code for the program that will allow it to do cool stuff. These pieces of code are called plug-ins. Plug-ins are like the furniture or decorations you would put in your office.
The open source program I used allows you to pick from tons of free tools. For example, I wanted people to be able to take sample quizzes as practice for their Water Quality Assn. certification exams, and I needed them to be able to see the results immediately. I found a plug-in that allows them to do just that. There are plug-ins that will allow you to do pretty much anything you need, and most of them are free.
Anytime you open software up to the public, however, there is a risk of someone creating malicious code designed to steal information or just wreak havoc. Hackers will sometimes use plug-ins to gain access to websites.
What happened to my website is a common and easily avoided problem. When a potential visitor searches for my site through a search engine, it typically shows up at the top of the results list. But when the website was hacked, instead of being directed to the website, people received a pop-up window telling them that their computers had been infected.
This was a fake warning and was, in fact, the vessel that was attempting to spread the malicious programming. If a visitor to my website clicked “okay,” the computer would pretend to perform a scan. The results would show a number of problems and recommend fake anti-virus software. Now, potential visitors to my site would not only have inadvertently infected their computers, but also given credit card information to the hackers.
Unfortunately, I was unaware of the problem. It only occurred when someone attempted to get to the site via a search engine; the site functioned fine when I used a direct link to get to it. I only discovered the problem after several customers called me to ask about our services. Even then, it took a while to realize that they could not access my website.
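The symptom described above (a normal page on a direct visit, a redirect when arriving from a search engine) can be checked by requesting the page twice, once without and once with a search-engine Referer header, and comparing where each request is sent. This is an added example, not part of the original article; the Referer value and the names `check_site` and `http_fetch` are constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed sample of the Referer a browser sends after a search-result click.
FROM_SEARCH = "https://www.google.com/search?q=example"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the site's first answer stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, referer):
    """Issue one GET and return (status, Location header or None)."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        req = urllib.request.Request(url, headers=headers)
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # an unfollowed 3xx arrives here
        return err.code, err.headers.get("Location")


def check_site(url, fetch=http_fetch):
    """Compare a direct visit with a visit arriving from a search result."""
    own_host = urlparse(url).hostname
    result = {}
    for label, referer in (("direct", None), ("search", FROM_SEARCH)):
        status, location = fetch(url, referer)
        host = urlparse(urljoin(url, location)).hostname if location else None
        result[label] = {"status": status, "location": location, "host": host}
    search_host = result["search"]["host"]
    # Suspicious: search visitors are sent to another host that direct
    # visitors are not sent to (a plain www redirect hits both equally).
    result["suspicious"] = (search_host is not None
                            and search_host != own_host
                            and search_host != result["direct"]["host"])
    return result
```

This only sees redirects issued in the HTTP response; a redirect performed by script inside the page, after checking the referrer in the browser, needs the page body inspected as well.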
I was able to resolve the problem and learned some important lessons about website security. For tips on protecting your company’s website, stay tuned for part two of this series in a future issue of Water Quality Products.