
How Secure is your Website?

Website security is central to the profile of each brand.  If a hacker gets into the website or prevents access to it, your brand is tugged into a very difficult place: trust suffers.  Even worse, if data is copied or stolen, your reputation is definitely in crisis.  You appear either incompetent, careless, or uncaring.  Though the media reports data breaches quite frequently, it might be argued that the public is becoming immune.

When the website of a particular organization or person is compromised, the sting is real.   While most marketers will never deal with web security directly (except in times of crisis), and most IT professionals should know how to address web security, a trust-but-verify approach is not such a bad idea.  With apologies to the non-techies, here are the rudiments of web security:

  1. Physical security:  Physical access to the actual server needs to be tightly controlled.
  2. Operating system:  Parts of the computer’s operating system that are not required should be removed.  Non-essential “ports” should be closed, and directory permissions set properly.  (And the operating system needs to be kept updated.)
  3. Physical firewall:  Depending on the level of security required, all traffic might be routed through a firewall that blocks everything except the required types of internet traffic.  The firewall and network infrastructure should also be able to absorb or mitigate distributed denial of service attacks.
  4. Web Server software:  The latest version needs to be installed and kept up-to-date.
  5. SSL certificate:  Instead of serving pages that are not secure (e.g. http://), the purchase and installation of a security certificate allows the pages to be encrypted in transit (e.g. served as https://), and allows the user to verify that the pages actually came from the site they claim to come from.
  6. Separate web server and database server:  Instead of having the database housed on the same machine as the website – which might be hacked – the database that powers the site can be housed on a completely separate machine. Using this architecture also delivers a welcome benefit: faster performance.
  7. Database and scripting languages:  The database version (SQL Server and MySQL as examples) and any scripting languages (PHP as an example) need to be kept up-to-date.
  8. Content Management System (CMS) software:  The core software (WordPress, SiteCore, SharePoint, as examples), as well as any plug-ins and modules, needs to be kept up to date.  More importantly, the CMS needs to be “hardened” to prevent basic attack vectors.
  9. Software firewall:  This software monitors and repels hacking attempts at the CMS level.
  10. Two-factor authentication:  Instead of having a user log in only with their username and password, they also would need to put in a time-based code that would be sent to their phone, or would be generated from an app.  This prevents people from using “stolen” passwords.
  11. Social engineering:  It is too easy for an authorized individual to be conned into providing access to the website.  Staff need to be trained on their role in keeping the site secure, and the basics of site security.

Clearly, there is a cost to implementing security, but this cost needs to be balanced against the cost of rehabilitating the brand if the site is hacked.  The greater the potential cost to the brand, the more of these measures should be implemented.

Marketers: a few questions to consider when creating an approach to address web security:
Do you have an external crisis plan in case of a data breach?
Is there a plan B in case e-commerce is not available?
Is there an internal communication plan, particularly for the front line (customer service)?

Tech support: a few questions to consider:
Are there two independent back-up systems?
How long are back-ups kept?
How often are the back-ups tested?
Are there automated notifications if the site goes down?
If the site is hacked, how long will it take to get back up?

This week, use this post as a checklist: how well did you do?  What can you improve?