Would you leave your home’s back door open?

Security boost to the websites of businesses and governments fails to materialise

Koen Claessens, Partner BDO Risk Advisory

Whereas cyber criminals are working on professionalising their ‘business’, and cyber-attacks have increased almost exponentially, the cyber security efforts of the majority of Belgian companies and governments seem to have stalled. That is the remarkable conclusion of our large-scale analysis of over 15,000 Belgian websites. One in 3 websites still runs on outdated technology. Does your business have an adequate cyber security plan?

The Belgian military which can no longer send e-mails, higher education institutions whose networks are shut down, MediaMarkt which was the victim of a large-scale ransomware attack, hackers who stole Red Cross data. These are just a handful of recent examples that demonstrate the severity of cyber-attacks in Belgium. Still, looking at how Belgian businesses secure their websites, it would seem that they are not overly concerned about their cyber security.

Our analysis of over 15,000 websites concluded that most sectors have made little to no progress in terms of boosting their cyber security compared with one year ago. This is bad news because, in the world of cyber security, standing still means going backwards. One in 6 corporate and government websites in Belgium is still particularly vulnerable to cyber-attacks. Although the situation has improved slightly (the figure was 1 in 5 last year), this is not exactly reason for euphoria.

“The lack of a positive evolution in the security of corporate and government websites in our country is frightening,” says Francis Oostvogels, Senior Manager at BDO Risk Advisory. “The frequency of cyber-attacks is on the rise, and hackers are exploiting software vulnerabilities more quickly than ever. Given that the company website is an indicator of how the company handles security, poorly-secured websites are the equivalent of rolling out the red carpet for hackers.”

Outdated technology

When it comes to the security of companies and governments, our study makes it painfully clear where the problem lies. Poor domain name security is a problem for nearly 3 times as many domain names compared to a year ago: 2 out of every 3 domain names – compared to ‘just’ 1 in 4 in 2021. Moreover, 1 in 3 corporate websites leaks sensitive information by using outdated technology, such as TLS-FTP protocols. Worse, 1 in 6 company websites in Belgium does not even have a secure HTTPS connection.

“Would you leave your home’s back door open?” asks Nick Huysmans, Manager at BDO Risk Advisory. “Of course you wouldn’t. But today anyone who is still using TLS and FTP protocols on their website is basically doing so. If you fail to guarantee a secure HTTPS connection, hackers can read anything that is entered on a website: from your mobile phone number to your password. Not securing your domain name allows hackers to redirect website visitors to fake websites that can be used to steal people’s information or even money. People need to be aware that hackers use all possible information they can find to improve their way of working. Meanwhile, the technology of the majority of Belgian companies and government bodies remains unchanged. If you don’t upgrade your systems, you are setting yourself up as a sitting duck.”

“One in 6 business and government websites is still very vulnerable to cyber-attacks.”

Francis Oostvogels, Senior Manager BDO Risk Advisory

Updating technology, processes and personnel

Our message is unambiguous: just as hackers are becoming more ingenious and changing their tactics to continue to mislead victims, companies need to become more alert and change their mindset. They need to invest in technology, train their staff, and develop processes in case they become the victim of a cyber-attack.

“The CEO or, worse, nobody is responsible for cyber security at just under 3 out of 4 SMEs!”

Nathalie Ragheno, cyber security expert at the VBO/FEB

The Federation of Belgian Enterprises (VBO/FEB), which represents over 50,000 companies, takes advantage of every opportunity to raise awareness of cyber security among Belgian entrepreneurs. It also reminds them that, contrary to what many people seem to think, it is not just big business that is targeted by hackers. “Too many small and medium-sized companies are too slow when it comes to investing in their IT security, making them particularly vulnerable to cyber-attacks,” says Nathalie Ragheno. As an expert, she is responsible at the VBO/FEB for monitoring developments in cyber security. “Just a quarter of SMEs are protected by a professional, an IT specialist or an external service provider. The CEO or, worse, nobody is responsible for cyber security at just under 3 out of 4 SMEs. Given their limited resources, many companies still consider cyber security to be a secondary priority.” This is why the VBO/FEB is calling on all companies, regardless of their size, to map out any cyber threats to which they are exposed. “They can use this information to take the necessary security measures to prevent or detect cyber incidents more easily. In other words, every company should at least have an action plan or procedure in place to provide an appropriate response in the event that an incident occurs.”

About the study

For the second year running, BDO conducted a large-scale web scan to map out the digital security of the Belgian business community and the public sector. Based primarily on the number of employees and the turnover of the past few years, we selected 15,000 websites spread across the country and across all sectors.

“One in 3 company websites leaks sensitive information by using outdated technology.”

Nick Huysmans, Manager BDO Risk Advisory

These websites were screened using 21 automatic, non-intrusive tests, divided into 4 categories: connection, configuration, management and security. The first category focused on the security of the user visiting the website. The second category looked at the extent to which the website reveals sensitive technical information that could help hackers get into a website or organisation. The third category tested whether certain entrances to the website’s management interface were open; while the last category focused on a number of security settings, such as how the organisation’s mail server handles e-mail spoofing (the practice of imitating e-mail so that it appears to be from the organisation).

How secure are 15,000 websites in our country?

You can consult all the results of our analysis free of charge on our interactive website webscan.tms.bdo.nl/be

Do you want to compare with the results for 2021? Go to webscan.tms.bdo.nl/be21.

Watch Canal Z’s report on the study in French or Dutch.