Cyber insecurity bears huge economic risks, demanding policies and guidelines to safeguard against this increasing threat. Business websites are an easy target, especially those of small and medium-sized companies that may not have the necessary sources and knowledge to keep on top of security measures. However, the security of a business website is a vital element of a company's credibility and survival. Poor security can lead to inequity, giving bigger companies an advantage over small ones, according to Forbes. Below, we look at a select number of countries and check the security measures in place on national business and e-commerce websites. We’ll reveal that many are woefully unprepared against cyber threats. This lax security endangers sensitive information and undermines consumer trust and business continuity.
We dive into the essentials of web security in this first installment of a two-part series, asking how often companies use outdated software, forget about SSL certificate implementation, and leave unnecessary ports open. We'll also touch upon the growing concern of fraudulent online stores, which not only pose a significant threat to consumers but also to established brands. In the second part, we’ll look at more advanced security measures, such as phishing prevention, security-enhancing HTTP headers and the implementation of a security.txt file.
Learning from past breaches
Ransomware is one of the most common cyber threats to organizations and can cause significant financial damage. Next to that, it negatively influences a company's reputation, consumer trust, and investor relationships. According to IBM, the global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over 3 years.
Website security plays a crucial role in reducing risks. The 2017 Equifax data breach, one of the most significant and far-reaching cybersecurity incidents to date, was due to a vulnerability in a web application framework. This breach exposed sensitive data of about 147 million consumers and had far-reaching repercussions, including lawsuits, a drop in stock price, and the resignation of its CEO.
In light of heightened political tension around the world, countries and international organizations have implemented policies or national strategies to improve cybersecurity. These strategies are often part of broader efforts to protect national infrastructure, businesses, and citizens from cyber threats.
But just how effective are these strategies, and how well are businesses implementing basic and more advanced security measures? Below we’ll focus on the basic but crucial aspects of website security. We will examine the state of business, including e-commerce websites, in 13 selected countries.
Outdated and unsupported software
PHP (Hypertext Preprocessor) is an open-source scripting language for web development. PHP plays a pivotal role in website management and maintenance due to its scalability, ease of use, and compatibility with numerous web servers and operating systems. New PHP releases are fully supported for two years. After the two years, support is continued only for critical security issues for an additional 12 months. Then, that version no longer is supported.
Unsupported PHP versions can pose significant risks. They are vulnerable to exploitation by cyberattackers, leading to potential data breaches and website compromise.
In our analysis of 13 countries, the share of business websites with unsupported PHP versions ranges from 8% to 29%. Nearly a third of Turkish, a quarter of French and a fifth of Spanish business websites are operating on PHP versions that no longer receive security updates. Norway “wins” here, ranking as the country with the lowest share (8%) of vulnerable business websites.
For this research, we looked at unsupported PHP branches 4 to 7.4, but 8.0 is also no longer supported as of 26 November 2023, meaning that the true share per country is likely to be even higher. For website administrators, it is crucial to regularly check for new releases and ensure software is kept up-to-date. Hosting providers also have a role to play, alerting clients when older versions no longer receive security patches and assisting with migration to new releases.
SSL certificates at the basis of security
An SSL certificate provides fundamental protection for a website by ensuring that all communication with an external browser is encrypted. Obtaining one is fairly straightforward and is free for the most basic version. Therefore, there is no rationale for not having a certificate associated with a website.
In our sample, the Czech Republic (11%) has the highest share of business websites with no SSL certificate, followed by Spain (5%). These two also have the highest share of invalid certificates, 9% and 5% respectively. Only Turkey has a larger share; here, 10% of all business websites have an invalid certificate. The overall winner for SSL protection is Indonesia, with only a 4% share of websites with either an invalid or no certificate.
Too many open ports lead to vulnerabilities
The term 'open port' refers to a network port that is configured to accept data packets. A website needs certain open ports to receive traffic. However, open ports can be a significant vulnerability if not properly managed. The more open ports there are, the higher the risk of someone sneaking in where they shouldn't.
Figure 3 shows the median number of open ports for business websites for each country, meaning that exactly 50% of all websites fall below and 50% above that number. Norway ranks safest with a median of only two open ports. On the other end of the scale, South Africa and Chile have a median of 11 open ports, signalling a greater vulnerability among businesses in these countries.
Similar to the safeguarding physical doors against unauthorized access, it is imperative to protect open ports against cyber criminals. This involves implementing firewalls, keeping software up to date, and only opening up ports when necessary. Open ports without proper security measures invite attackers to gain access to sensitive data, execute malicious code, or disrupt services. That is why regular monitoring and management of open ports are essential components of effective network security.
Fraudulent online stores
Before we move to more advanced security measures in the second part of this 2-part analysis of business website security, let’s take a look at a more applied part of security: fake webshops. These online stores typically sell counterfeit merchandise or offer products at incredibly low prices, luring consumers to spend without ever providing the product.
Our proprietary Trust Grade provides an indication of the level of credibility an online store possesses. The scale ranges from A to F, wherein A signifies a high level of trustworthiness. A D, E, or F rating indicates less trustworthiness, with scores of E and F almost certainly indicating a fraudulent online shopping portal. Figure 4 shows the highest percentage of dubious online stores are found in Norway (4.8%), followed by Estonia (4.6%) and Indonesia (3.2%). The countries with the lowest share among e-commerce sites are South Africa (1.3%), Chile (0.6%) and Brazil (0.2%). Interestingly, while Norway scored relatively high on other security measures, their strong economy perhaps attracts a more significant number of fraudulent web stores.
Tracking suspicious online stores and taking them down as quickly as possible to minimize damage to consumers and brand reputation is perhaps a task for national law enforcement. Similar to scams in the physical world, consumers need protection to make the web safer for all.
In this first part on business website security in a select number of countries, we discovered important differences in the security measures implemented by business websites across the globe. Strikingly, the share of business websites that run unsupported PHP versions is relatively high. Additionally, in some countries a relatively large number of open ports on business websites suggest more could be done to tighten security. While open ports are necessary, Norway is leading the pack and shows that having the bare minimum of open ports is manageable for most businesses. On the positive side, SSL coverage is relatively high across all countries.
In the next part, we’ll look at additional safety measures and how well these are implemented on business sites in these same 13 countries.
Download the full Global Cybersecurity Outlook 2024 (pdf) from the World Economic Forum here.