I have been lucky enough to work with business owner, developer and website security specialist, Krzysztof Dryja over the years on a range of websites, and consider myself very lucky! Meeting Krzysztof came about in one of those serendipitous moments that alter your professional life. I was project managing a high profile, time-sensitive and challenging website and needed a developer with a very specific set of skills. Through an online network, I reached out to Krzysztof and we began working together on the project.
His technical knowledge and supreme communication skills made working with him one of the best professional experiences of my 20+ year career and each time I work with Krzysztof I am deeply grateful for his exceptional skills, input, and his professionalism, which never fail to positively impact on all projects we collaborate on.
He began his programming journey in secondary school; at first, website development and programming were hobbies, and then he became involved in professional projects. Very soon it became a full-time thing and he hasn’t looked back since! Krzysztof continuously works with a range of clients, and positive feedback about his work, communication skills and professional approach is nothing new to him.
He formed his company Aspexi in 2010. Prior to that, he had spent more than five years working on web application development. Since 2010, he has also founded another company AMarket Ltd and is involved in various other projects such as asecure.me and cloudintegrationservices.co.uk.
The Aspexi team works with WordPress Content Management Systems (CMS) and with solutions such as Magento 1/2 or CS-Cart, and has created its own WordPress plugins. The team is experienced with Node.js / React and similar frameworks, and the core team is made up of three experienced developers, including Krzysztof; they also work with freelancers or designers.
A couple of fun facts that I found out recently are that both Krzysztof and Matt (another developer team member) are members of Mensa Society and that their plugins have been installed on more than 50,000 websites overall. The company’s short to mid-term plan is to extend their services such as plugins, and having started asecure.me offering professional WordPress website security and backup services this year, they are looking forward to a wider range of projects and clients.
Recently Krzysztof and I were chatting about a project and the topic of website security came about. In an age where data breaches are common headlines, where even the smallest of businesses need to take into consideration data protection (especially with the event of GDPR coming into effect on 25th May this year), many companies are talking about it. It’s a subject that, although it feels like it might need a technical background to join in with, is essential for business owners to be aware of. I asked Krzysztof a few questions on the subject of website security.
DigitalEnablr: What do you find surprising about website security when working with clients?
Krzysztof: A very low awareness, unfortunately, we meet clients who have had their websites hacked and who are not even aware that it has happened. That’s always an issue and may cause real issues and higher costs in relation to exceeding server resources. By talking about case studies on the asecure.me website we are hoping to change that and make website owners more aware of the risks and how to protect their websites.
DigitalEnablr: How much can the ignoring of website security impact a business? Why are websites attacked and hacked?
Krzysztof: There are a couple of reasons, including:
- Hacked sites can use web server resources to send SPAM emails or for bitcoin mining
- Phishing: via a hacked website a hacker can send malicious or fake emails with an invoice to your accountant or to a customer who may believe this is a real invoice from the company and could then make payment to the wrong person.
- Ads and SEO. Your website could become a tool for promoting illegal products such as drugs. A common hackers’ practice is to make these changes invisible to a site owner. In one example we had a Drupal website customer recently whose website looked okay but when a user visited the site for the first time from a mobile device, it was immediately redirected to the well-crafted fake mobile site with warnings and links telling the user that a mobile app had to be installed immediately. These messages were appearing just to the first-time users, making the hack almost invisible to the website admin. Luckily we detected the malicious code and took the appropriate actions.
- Hacked websites can be encrypted and become unavailable until you pay the hacker. This is where backup systems help a lot if implemented.
DigitalEnablr: What do you find business owners are least aware of when it comes to the topic of website security?
Krzysztof: As mentioned previously, the attacks are well crafted and in most cases are meant to be invisible to the website administrators. Also, website owners often don’t understand how important updates or backups are until they get hacked or lose their website and database.
DigitalEnablr: How are you finding this is being highlighted with the advent of GDPR?
Krzysztof: The implementation of GDPR laws shows how important it is to protect your website and the data you have. There are no 100% solutions. Even big corporations such as Google or LinkedIn were hacked in the past; however, the more you do the better. Keeping your website up-to-date and monitoring your website’s security should be a minimum action to avoid issues with GDPR compatibility.
DigitalEnablr: I imagine that for a lot of business owners, the prospect of making a website secure may seem costly, how do you help business owners take on a website security project so that it is a project that works best for them?
Krzysztof: For computer-savvy admins, we’re always happy to help them install security plugins and set up a backup system on their own. This way they can minimize the costs. Unfortunately, work related to site monitoring or updates has to be done to keep a website secure and takes some time, hence the costs involved are unavoidable. However, this is definitely worth doing to avoid potential greater costs related, for example, to website cleaning after a hack.
DigitalEnablr: What challenges are biggest when approaching a website security project – for you and for business owners?
Krzysztof: Website security is quite a complex and demanding topic. There are known cases of popular and highly rated WordPress plugins causing issues by changing websites to bitcoin miners. There are tools that website administrators use for protecting their websites but there is always a risk that there are zero-day attacks (attack or software used before the fix is implemented to known security holes) that can make these tools useless.
Another issue is basic passwords that can be easily guessed and used. It’s very important to use long and non-standard passwords.
DigitalEnablr: Have you got examples of helping out when it was too late? How do you help companies that have had a data breach?
Krzysztof: Unfortunately yes. In these cases, we check if backups are available and that they aren’t infected. If so, the restoring or cleaning of the website is fairly quick. Otherwise, we analyze if cleaning a badly infected website makes sense. There are cases where we have recommended rebuilding the website from scratch with security monitoring included.
In many cases, we also check how the hacker gained access to the website. There are many different known reasons such as out-of-date WordPress core or plugins, badly written templates or weak passwords. With that information, we can even better protect new sites.
DigitalEnablr: What feedback and comments have you had from clients following the completion of a website security project? What surprising outcomes have website security projects created that the business owners/ you weren’t expecting if any?
Krzysztof: In each case a business owner’s awareness of website security increases. That’s really positive. Sometimes this has created some super vigilant website owners who began tracking user logins themselves, and even when we were logging in to do our service work they were double checking if that was us or someone else. It’s great to see how a negative situation can become a learning point!