Google Analytics is one of the most popular tools for eyeing traffic on your website. Where your visitors are coming from, what they’re interested in, how long they typically stay … and Google Analytics can provide important analytic information for IT security professionals, too.
Using data collected by Analytics, a security-curious business owner or IT provider can see what people are doing with the contents of a website. Your website can be a convenient backdoor into your digital systems, and hackers can either exploit it to gain access to private information, or hijack it and hold it ransom.
In the event of a cyber attack, you can use Google Analytics as a tool to identify where a hacker might be located, how they entered the site, and which systems they used. It’s all about looking for the right clues.
Here are some of the ways an IT team (and you!) can use Google Analytics to learn more about your website’s security.
Time on Site & Bounce Rate
Your website’s bounce rate and average visit times can provide some clues as to when and how your website was being tested for vulnerabilities. If you see extreme spikes or dips in either report, it’s a good indication that a program or person was trying their hand at gaining access.
Here are some clues to watch out for:
- The average time on your website will be closer to 0 seconds than usual.
- The bounce rate will be closer to 100% than usual.
Where to find this in Google Analytics? Audience > Overview
Traffic Sources
All you need to do is to keep your eyes on traffic sources to find out which search engines and referral links are sending you visitors…or bots. Do any of the referral links look unfamiliar, or do they look like they’re spam?
Observe patterns in your traffic, too — in particular, look for the spikes from certain traffic sources (like direct traffic or visits from another website), and then try to identify the reasons for it.
Where to find this in Google Analytics? Acquisition > All Traffic > Source/Medium or Referrals
Visitor Locations
Hackers bounce through VPNs across the globe, and you can use Google Analytics to monitor where in the world your website traffic is coming from. This can help investigations if you experience an attack, and may even help to prevent one if you’re able to spot discrepancies.
While Google Analytics is unable to directly collect IP addresses of visitors, you can give your hosting company the cities you believe an attack is coming from. They might then be able to determine the IP addresses of the attackers, and block them to end the attack.
Where to find this in Google Analytics? Audience > Geo > Location
Visitor Technology
What’s that strange-looking operating system or browser? If you see any that you are unfamiliar with, this could be a clue as to what type of technology an attacker is using. With Google Analytics, you can find the device types, operating systems, and browsers that visitors are using to access your website.
Comb through the information above (like bounce rate or traffic spikes) to hone in on a time period you think an attack may have occurred, and then spot the technology used during that time frame.
Where to find this in Google Analytics? Audience > Technology
Site Content
Do you have private pages hosted on your website? You can see how often they’re being viewed and determine if it’s a reasonable number of visits. If there’s an unexpected increase in traffic to those pages and you suspect a breach, you can find where that traffic is originating from — whether it’s other pages on your website, search engines, etc.
And if you know your website has experienced an attack, you can view the Site Content report to see which page (or pages) the attacker was accessing the website through. Look for increases in visits to certain pages, especially those that require special access or login credentials.
Where to find this in Google Analytics? Behavior > Site Content > All Pages (add a Secondary Dimension of “Source/Medium” to see where specific page visits are coming from).
Alert Notifications
You can use Google Analytics to send you notifications when unusual behavior occurs on your website. You can set custom-made alerts as needed to track any particular type of incident you’re looking for — such as jumps in bounce rates, a certain browser being used, or an increase in visits to a specific page. These can help you respond quickly in case the signs of an attack occur.
Where to find this in Google Analytics? Admin > View > Custom Alerts
And don’t forget about Google Search Console
While Google Search Console (GSC) is a different tool than Google Analytics, the two can be connected and provide additional information about your website’s security. Specifically, GSC now offers a “Security Issues” tab that shows potentially harmful behavior.
If you’ve experienced security issues such as hacked content or malware installation, you’ll see a count of all security issues at the top of the report. If your site has no security issues, you’ll see a green check mark and an “alls-well” message.
Here’s an explainer video on the Security Issues feature in Google Search Console.
Where to find this in Google Search Console? Security & Manual Actions > Security Issues