When it comes to web hosting, one of the great cautionary tales centers on Equifax, a goliath of the data industry. Anyone who lives in the United States (even the shut-ins, given the social media storm that ensued) surely remembers the Equifax data breach fiasco. The only positive was that everyone affected was going to be paid $125. Even though you never actually saw a penny of that money, their corporate coffers could have been half a billion dollars richer had they kept their software up to date.
As one of the top three credit rating agencies in the US, Equifax provides the data used by most consumers to get loans, credit, perform background check services and various other intrusive personal data-derived services.
When operating a site, it is crucial to set up an ongoing process to ensure that it remains updated and secured.
In 2013, a staggering data breach of some of the most personal financial data on 143 million people (mostly Americans) was one of the worst that had ever occurred. The breach was especially heinous, given that the information was a veritable ready-to-go kit for identity thieves. The data therein contained more than enough financial information to open credit lines, conduct financial transactions and more.
In response, Equifax did what many irresponsible companies would do. They stonewalled, lied to the public (and Congress) and set up a giant settlement fund for the victims affected. Then, they managed to pay all that money to lawyers and other big companies so that anyone directly affected got nothing but a heartfelt promise that Equifax would definitely, certainly, sincerely, never (ever) do it again.
Despite the massive numbers and scandal which the Equifax data breach created, the actual cause … the “smoking code,” so to speak … was not some “Mission Impossible”-style heist. It was so basic, so simple, so unnecessary and infuriatingly stupid, that I’ve spent several paragraphs building up the breach to underscore how dumb the problem was that cost them the better part of two billion dollars when all was said and done.
They didn’t update their software. Let it sink in for a moment.
There was a security update to their software available in March, and the breach occurred in May. It was a free update, and all they had to do was apply it. Yet several months later, they had not applied the security update and the rest is history.
At first glance, you might think this is a story about software updates. It’s not. I’m writing about everyone’s aversion and impatience for downtime. At MojoHost, we are a 99.999% uptime guaranteed host, which means we take managing client’s upgrades very seriously. Maybe you think the data stored on a porn site is less sensitive or valuable than that held by a credit reporting agency, and that a porn site might be lower on the totem pole than a Fortune 500 company. But, that’s not really how data breaches happen.
The fact of the matter is that most hacks are automated. While the final stages of hacks are often a human hand deciding what is interesting to exfiltrate from a company, vulnerable software is usually identified by automated bots running around the internet.
Automated vulnerability bots mean that even your modest-sized sites are still very much a target. Porn sites contain not just lots of fun usernames and passwords, but may also be targeted for credit card theft and content theft. Indeed, the content itself is quite valuable; we regularly see hacks which attempt to scrape the entire library of a site.
The essential step to keeping your website from suffering a similarly embarrassing and expensive Equifax-like hack is to keep your software patched. That means superficial software like WordPress and the entire software stack, including the underlying operating system and database. When a hack occurs, most often, there was an update available beforehand, even for less critical website components that often go overlooked.
Many site operators are reluctant to perform operating system upgrades because of the perception that these will result in downtime for the site. Although this is true in some cases, a well-planned and short downtime is still much cheaper than the costs of a breach. We ourselves have invested in new technologies that allow us to upgrade servers with absolutely zero downtime in almost all cases, to ensure folks can have the best of both worlds … regular operating system upgrades and no lost sales due to downtime.
When operating a site, it is crucial to set up an ongoing process to ensure that it remains updated and secured. For some site operators, that may mean hiring a dedicated resource to keep things up to date. For others, it may mean using a fully managed hosting company that keeps customer servers and software up to date automatically and has a team dedicated to keeping abreast of the latest security threats. Because after all is said and done, it’s just good mojo to save a few billion dollars.
Brad Mitchell is the famed founder of MojoHost, which has won numerous XBIZ Awards for Web Host of the Year and earned many loyal clients for nearly two decades. Known for his dapper style and charismatic wit, Mitchell is a regular fixture at trade shows, where he frequently shares hard-won wisdom while striking profitable deals. Contact him at brad@mojohost.com.