If you think your web host cannot be hacked and that no hacker would be interested in getting access to your website (you provide a forum for first-time parents, for goodness sake), think again. If you store the profiles of subscribers, including contact details like email addresses, the average hacker is indeed interested.
Are You at Risk?There are multiple motivations for hackers to attack a web hosting provider, including financial, political or mischievous.
- In October 2017, web hosting service provider Hetzner notified customers that its customer database had been hacked, exposing thousands of customers’ details, and urged them to change their passwords.
- In 2015, the hacker news listed the five most significant hosting companies hacked by the Syrian Electronic Army (SEC). The victims, leaders in the industry, included Bluehost, Justhost, Hostgator, Hostmonster and FastDomain.
Get Answers to Your Security Questions Before You Sign up with a Web Hosting Provider.
Everyone is at risk, so, before you sign on the bottom line, here are some essential questions you should ask:
- Do you have an audit trail of users' activities on the site? It is not only malicious hackers you need to protect, For instance, your admin staff may also inadvertently make a mistake when updating your website. An audit trail can help you troubleshoot problems.
- How does your host guard protect you against a Denial of Service (DoS) attack on another customer in their data centre? Cyber criminals may mask who their intended target is. A business may be attacked simply to get the information a cyber gang needs to breach their real target successfully.
- Who is responsible for data breaches? Read your SLA. Most providers usually institute a shared responsibility model for security. You need to know exactly what your responsibilities are.
- What professional security expertise does the hosting team have? Knowledge of anti-virus software is not good enough to protect cyber attackers, whose daily bread depends on understanding and using the latest technologies, writing expert malicious code and knowing exactly what software has vulnerabilities they can exploit. Also, ask your potential new host what certifications for security and compliance they have attained.
- What data do you encrypt? Most hosts encrypt traffic between customers and service providers, but not all encrypt intra-server transmissions.
- Where will my data physically live? Data centres in Houston experienced limited outages after Hurricane Harvey, but it’s as well to be cautious if your host’s data centre is located bang on the San Andreas fault line.
- What level of protection does the host’s data centre provide? A Tier 1 centre offers the least protection, a Tier 4 centre the most. A Tier 4 centre offers redundant capacity components, fault-tolerant hardware (from servers and air con to ventilation and chillers), multiple uplinks and dual-powered equipment.
- Does the provider have a disaster recovery plan? When does the company do backups, where do they keep them, and how many copies do they make?
- Is there a formal procedure for reporting security problems? If you have been hacked, time is of the essence. Ask your host what you should do if your site is attacked.
- What tests does your host do to scan their network? Do they do regular vulnerability scans and penetration testing? Just as a home PC is vulnerable to new types of malware, networks are vulnerable to new forms of attack. New strains of attacks emerge regularly. For instance, in 2016, Locky, a new kind of ransomware, appeared on the cyber scene. Regular network scans with updated datasets of the latest malware and viruses can help mitigate threats.
- Has your provider ever experienced an attack? The right answer is not necessarily “No”, although it does suggest they have good security. If they have been attacked in the past, how did they manage it and what were the losses, if any, incurred? Has the security hole been patched since?