If your organization has a website, you have a significant opportunity to reach your customers, constituents, users and so on. You also have a significant opportunity for security problems. The subject of security often seems overly complex and insurmountable to functional users and technical experts alike. But in the end there are a number of simple best practices that will dramatically reduce your chances of having an incident, and that also reduce the severity of any incident you do have.
In over twenty-five years of dealing with web development technology, I've seen and handled just about every type of issue. And I'd like to think I prevented quite a bit more! So let's get started.
Security issues should be prevented, not fixed
Fixing broken things is often difficult, time-consuming and stressful. Worse yet, there can be collateral damage to your organization, partner organizations, customers and others. Preventing problems is usually easier and takes far less time.
Fixing things can take a lot of technical expertise; preventing them often does not.
Okay, so that's good news, but not if you're already busy and have too much on your plate. So where to start? Unfortunately, someone needs to be assigned responsibility for your website's security. If you're reading this, it might be you. Keep in mind that you are not going to understand every security problem in the world; your job is to keep things organized and to know when to get expert help.
The Risks and Our Responses
Risk #1: Passwords
The most common cause of security exposures and break-ins we see is loss of password control. Users save passwords in clear text on their PCs, email them to themselves or to others, or share one password among several people. They log in from home PCs infected with malware. One way or another, they lose control of their password, and whoever holds it can then log in as them.
- Educate your users on these bad practices, make sure they understand that a large share of website compromises start with a lost or reused password, and remind them at least yearly to change those passwords, to use a different password for the website than for anything else, and never to store or email them. If your CMS supports multi-factor authentication, turn it on for every administrative account; a stolen password alone is then not enough to log in.
- Appoint one individual in your organization to administer your user accounts. This will not take many hours a week, but they should run through a security checklist at least once a quarter, and preferably monthly. This should be your only administrative-level user, or one of very few. Their job is simply to log in to the website's content management system (CMS) site manager each month or quarter and work through this Quick Security Checklist:
- Are all of these users still active and still with the organization? De-activate any who are not.
- Do any of these users have access rights they do not need? Reduce their rights to the minimum their role requires.
- Have all of these users been reminded to update their passwords recently, and have they actually done so? If not, follow up.
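The checklist above is easy to automate once your CMS can export its user list. The script below is an added example, not code from the original post or from any particular CMS: it assumes a CSV export with the columns shown (login, role, enabled, last login, password change date, employment status), and the rows, the designated administrator name `amy.admin` and the thresholds are constructed sample data. It flags accounts to de-activate, accounts with more rights than the one designated admin, stale passwords, and enabled accounts nobody has used in a quarter.

```python
"""Quarterly CMS user review, as an added example (not from the post).

Assumes a CSV export of CMS users with the columns below; the rows,
account names and thresholds here are constructed sample data.
"""
import csv
import io
from datetime import date

# Constructed sample export: one row per CMS account (not a real site).
SAMPLE_EXPORT = """login,role,enabled,last_login,password_changed,employed
amy.admin,administrator,yes,2024-05-02,2024-01-15,yes
bob.editor,editor,yes,2024-04-30,2023-02-01,yes
carl.contract,administrator,yes,2023-11-09,2023-06-20,no
dana.writer,author,yes,2024-05-01,2024-03-12,yes
old.agency,administrator,no,2022-08-15,2022-01-10,no
"""

ALLOWED_ADMINS = {"amy.admin"}   # the one designated administrator (assumed name)
MAX_PASSWORD_AGE_DAYS = 365      # the post's yearly reminder
STALE_LOGIN_DAYS = 90            # no login in a quarter: ask why the account exists
REVIEW_DATE = date(2024, 5, 6)   # fixed "today" so the sample run is reproducible


def review_users(export_csv, today, allowed_admins=ALLOWED_ADMINS):
    """Return a sorted list of (login, finding) tuples for the checklist."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["login"]
        if row["enabled"].lower() != "yes":
            continue  # already de-activated; nothing to do

        # Check 1: still with the organization? If not, everything else is moot.
        if row["employed"].lower() != "yes":
            findings.append((login, "deactivate: no longer with the organization"))
            continue

        # Check 1b: an enabled account that nobody has used all quarter.
        last_login = date.fromisoformat(row["last_login"])
        if (today - last_login).days > STALE_LOGIN_DAYS:
            findings.append((login, "review: no login in over %d days" % STALE_LOGIN_DAYS))

        # Check 2: rights they do not need (admin role outside the designated set).
        if row["role"] == "administrator" and login not in allowed_admins:
            findings.append((login, "reduce rights: administrator but not the designated admin"))

        # Check 3: password older than the reminder interval.
        changed = date.fromisoformat(row["password_changed"])
        if (today - changed).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((login, "password: not changed in over %d days" % MAX_PASSWORD_AGE_DAYS))
    return sorted(findings)


def run_sample():
    """Run the review over the constructed export on the fixed review date."""
    return review_users(SAMPLE_EXPORT, REVIEW_DATE)


if __name__ == "__main__":
    for login, finding in run_sample():
        print("%-15s %s" % (login, finding))
```

Dates are compared as dates rather than strings so the age checks do not break across year boundaries, and disabled accounts are skipped rather than reported, so the output is only the list of things the administrator still has to act on.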
Risk #2: Plug-Ins
The second most common risk, and easily your biggest risk if you use one of the popular open source CMS systems, is installing malicious, vulnerable or abandoned plugins or themes on your website. One of the main draws of the most popular open source systems is the variety of free plugins that add functionality. Every plugin is extra code running with your site's privileges, so each one adds risk and requires attention over time.
- Do a web search on each plugin your site uses, including the theme. Check when it was last updated and whether its author still supports it.
- If a serious vulnerability exists, you should be able to find a vendor advisory, a CVE entry, or posts on technical forums describing it and stating which version fixes it.
- If you find that suspect or vulnerable code is already installed, it may be time to call in an expert to verify that your site has not already been compromised. Start with the developer of your original website.
- If that is not an option, the next best thing is to install the latest version of the plugin, in which the vulnerability has been patched. If you cannot find a release that specifically addresses the known exposure, it is usually best to remove the plugin from the site entirely; merely deactivating it leaves its files on the server.
- To avoid this situation in the future, before you install a new plugin, do a web search to verify that no serious vulnerabilities exist that have not been addressed in a patch.
- Plan to upgrade your CMS on a regular basis, and apply security releases as soon as they are published. Take a backup first so a failed upgrade can be rolled back.
- Once again, this is a good place to call in your original website developer or another skilled web developer.
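The decision rule in the steps above (update if a patched release exists, remove if none does, otherwise keep) can be applied mechanically to an inventory of installed plugins. The script below is an added example, not code from the original post or any plugin directory: the plugin names, versions and advisories are constructed sample data, and in practice the advisory list would come from your own search of the plugin's changelog, vendor advisories and vulnerability databases. It also shows why versions must be compared numerically rather than as strings.

```python
"""Plugin vulnerability triage, as an added example (not from the post).

Matches an installed-plugin inventory against a list of advisories and
returns the action the post recommends: update if a patched release
exists, remove if none does, keep otherwise. All plugin names, versions
and advisories below are constructed sample data, not real findings.
"""

# Constructed inventory: (plugin slug, installed version).
INSTALLED = [
    ("gallery-lite", "2.4.1"),
    ("contact-forms-plus", "1.9.0"),
    ("legacy-slider", "0.8.3"),
    ("seo-helper", "3.2.0"),
]

# Constructed advisories. Versions below `fixed_in` are affected;
# fixed_in=None means no patched release has ever been published.
ADVISORIES = [
    {"plugin": "gallery-lite", "fixed_in": "2.5.0", "summary": "arbitrary file upload"},
    {"plugin": "legacy-slider", "fixed_in": None, "summary": "stored XSS; plugin abandoned"},
    {"plugin": "seo-helper", "fixed_in": "3.1.2", "summary": "SQL injection"},
]


def parse_version(text, width=3):
    """Turn '2.10.1' into (2, 10, 1) so '2.10' sorts after '2.9' (string order would not)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())  # tolerate '3.1.2b'
        parts.append(int(digits) if digits else 0)
    parts += [0] * (width - len(parts))  # pad so '2.4' == '2.4.0'
    return tuple(parts[:width])


def is_affected(installed, fixed_in):
    """True if the installed version has no fix available or is older than the fix."""
    if fixed_in is None:
        return True
    return parse_version(installed) < parse_version(fixed_in)


def plan_actions(installed, advisories):
    """Return {slug: (action, reason)} for every installed plugin."""
    by_plugin = {}
    for adv in advisories:
        by_plugin.setdefault(adv["plugin"], []).append(adv)

    actions = {}
    for slug, version in installed:
        open_issues = [a for a in by_plugin.get(slug, [])
                       if is_affected(version, a["fixed_in"])]
        if not open_issues:
            actions[slug] = ("keep", "no known unpatched issue at %s" % version)
            continue
        unfixable = [a for a in open_issues if a["fixed_in"] is None]
        if unfixable:
            # No patched release exists: the post's advice is to remove the plugin.
            actions[slug] = ("remove", unfixable[0]["summary"])
        else:
            # Update to the newest fixed version covering every open issue.
            target = max((a["fixed_in"] for a in open_issues), key=parse_version)
            reasons = "; ".join(a["summary"] for a in open_issues)
            actions[slug] = ("update", "%s -> %s (%s)" % (version, target, reasons))
    return actions


if __name__ == "__main__":
    for slug, (action, reason) in sorted(plan_actions(INSTALLED, ADVISORIES).items()):
        print("%-20s %-7s %s" % (slug, action, reason))
```

Note that `seo-helper` is left alone even though an advisory exists, because the installed version is already newer than the fix; the check is "is there an unpatched issue at my version", not "has this plugin ever had a CVE".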
There are common risks that your users expose themselves and your organization to at the desktop level, such as email phishing and scam websites. Those risks are outside the scope of this post, but a simple rule of thumb is never to click a link or open an attachment in an email unless you were expecting it from a trusted source; the displayed sender name alone is not proof, since it is easily spoofed. Also, do not browse to unknown or potentially malicious websites.
In general, as long as you are hosting your website with a reputable provider, typically either a trusted web development partner or a large hosting organization such as Rackspace, or even a less expensive option like GoDaddy, your risks on the server side are not significant.
But keep in mind that large hosting providers are not responsible for the security of your individual website. They keep their infrastructure running securely, but they are not monitoring your CMS for the most common risks (#1 and #2 above). That is still your responsibility, or your developer's if you have an ongoing maintenance agreement with them.
In conclusion, avoiding security risks is typically not overly technical or time-consuming. Just be sure someone is taking the lead on doing it in your organization.