1 in 5 Belgian websites of (public) companies risk being cyberattacked

Almost 1 out of 5 websites of organisations and public institutions in Belgium are an easy target for hackers. The website of governments are at the highest risk: in almost 1 out of 4 government websites, including municipalities and local police services, hackers can illegally modify their websites, give themselves access to financial flows and even steal private data. 20 percent of healthcare websites of among others hospitals, general practices, and nursing homes are unsafe as well. The main culprit is the outdated technology that 4 out of 10 websites in Belgium rely on, as a large-scale research of 15,000 websites, conducted by consultancy firm BDO Belgium, shows.  

In the last year, no month went by without hackers blocking computers of a company and asking for ransom. Unfortunately, cyber experts predict 2021 to be an even worse year for enterprises, as confirmed in a research conducted by consultancy firm BDO Belgium: Belgian companies open the floodgates to cyber criminals via their websites.

Francis Oostvogels, manager cybersecurity at BDO Belgium: “Our research reveals that many company and public websites are not sufficiently protected, which really worries me. The safety of a website is an indicator for the level of IT security in the entire organisation. If a website is easy to hack, the rest of the IT environment may be badly protected as well, which may enable cyber criminals to further sabotage enterprises and to steal sensitive data.”

Public sector least safe, energy sector best protected

One of the most remarkable revelations from BDO’s research is the public sector coming bottom of the class. Over 1 out of 4 (28%) municipality websites and local police zones fail one or more high risk tests, scoring far above the Belgian average of 18.4%. Not completely unexpectedly does the energy sector obtain the best score, but even here, 8.54% of all actors are at high risk of a cyberattack. With its research, BDO Belgium does not only want to alarm the public sector, but raise awareness on the vulnerability of the healthcare sector as well.

Francis Oostvogels, manager cybersecurity at BDO Belgium: “It’s remarkable that the websites in the healthcare sector score the lowest in our test. 1 in 5 websites of hospitals, GP’s and nursing homes are at high risk, even though one would think they would sufficiently protect the sensitive data they process. This sector must immediately take action.”

4 out of 10 websites rely on outdated technology

Taking a look at why Belgian company and public websites are so easy to hack, BDO Belgium identifies one single culprit: outdated technologies, varying from unprotected FTP protocols to companies using unsafe http addresses.

Francis Oostvogels of BDO Belgium: “4 out of 10 websites in our country still rely on FTP. Using those unencrypted technologies, hackers can easily intercept simple passwords. And what about the 15% of websites still using unsafe http addresses? Lastly, it turns out that 1 out of 6 Belgian website domains are at risk of email spoofing, where cyber criminals steal the domain name to recreate simple email addresses. It is a frequently used technique to commit CEO fraud, where a hacker is disguised as the CEO to embezzle money.”

About the research

BDO Belgium has carried out a large-scale web scan to shed light on the digital safety of Belgian companies and public institutions. Based on the number of employees and the revenue of the past years, BDO Belgium selected 15,000 websites across the country and from all sectors. The websites were screened using 21 automatic, non-intrusive tests, brought under in 4 categories (connection, configuration, management and sector). The first category focused on a user’s safety when visiting the website. The second category researched to what extent a website reveals sensitive, technical information that may aid hackers in penetrating a website or organisation. The third category tested whether some ports gave access to the management interface of a website. The last category was aimed at the number of security measures in place such as how the mail server of an organisation deals with email spoofing, where email are faked to look as if they were sent from the organisation itself.

All results are free to consult on the interactive website bdowebscan.eu.