Website Security for Small Organisations
People read or hear about breaches in the press on a regular basis, and website breaches are one of the largest categories of breaches that take place. These don't just affect large corporates; they affect small organisations as well, especially since small organisations often lack the expertise to secure their websites. Here we look at what small organisations can do to secure their websites.
This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.
Access, Apps, Assets, Attack, Attackers, Breach, Credentials, Compromised, Denial of Service, DDoS, Domain name, Encryption, Firewall, IP address, Malware, Networks, Password, Reconnaissance, Risk, Scams, Spoof, Threats.
- Introduction to website security for small organisations
- Small organisations’ website risks
- Consider your hosting and domain name strategy
- Automate domain name renewals
- Both static and dynamic websites need to be configured for security
- Third party website designers must be secure & produce secure sites
- For a dynamic website use a Content Management System (CMS)
- Content Distribution Networks (CDN) should be considered for security
- Web Application Firewalls (WAF) are a must have
- CMS plugins and extensions add security layers
- Ongoing activities
- Conclusion to small organisation website security
Introduction to website security for small organisations
Today we're looking at website security for small organisations. For many organisations, their website is the first point of contact for customers to find out what they do and anything and everything about it. Because it is the shopfront to the world, it is important to get its security right.
Small organisations’ website risks
Let’s have a quick look at why small organisations' websites are at greater risk than larger organisations.
Small organisations often have an incorrect assumption that they don't need to worry about website security, based on a lack of information or inaccurate information. Relatively few small organisations base these assumptions on a risk assessment. We see the results of this thinking in various ways:
- The mistaken belief that they won't be a target because they are not large enough to be of use to attackers. Because of this belief, small organisations often don't put even very simple security measures in place. Without those measures, websites are readily identified as lacking basic security by the automated reconnaissance tools attackers use. Once a site is identified, the same automated toolkits typically go on to probe it for other simple vulnerabilities.
- Some small organisations with static websites (meaning the pages are stored as files, like pages in a Word document, rather than generated from a database) assume that because their website is simple it won't be attacked. What is misunderstood is that attacker tools look for any vulnerability on any IP address. A static site still runs on a web server in a hosting account, and even the simplest website can have vulnerabilities there just as easily as a dynamic website.
- The belief that security is only needed once the company grows larger is misplaced when it comes to websites. Many years ago, studies measured how long a computer connected to the internet would remain free from automated probing. That figure fell to a few seconds, at which point the exercise stopped being useful and was abandoned. IP addresses connected to the internet are now scanned continuously by automated tools run by both legitimate and criminal actors. The assumption that a website won't be attacked until it has grown is wrong; acting on it can lead to the organisation being put out of operation by the effects of an attack, or to its website spreading malware to its visitors.
- Another mistaken belief we hear often, is that, “Since we are not an ecommerce site selling anything, we won’t be attacked.” This is wrong. It is true that often attackers want to monetise their efforts, but a compromised website can provide multiple opportunities to do so.
- Next, there is the belief that no security is required to protect the website because, “we don’t collect any personal data”.
- “Our hosting service deals with all our security,” is another mistaken statement we have come across. Hosting companies often provide only hosting space, rather like renting out a room: the occupants still have to insure the contents and lock the door after use. The landlord's responsibilities are limited, and so are those of the hosting provider.
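To make the first point above concrete, here is a small checker, added as an illustration and not part of the original article or any tool the authors describe, of the kind of "simple security" an automated reconnaissance tool notices is missing. It looks at the HTTP response headers a site returns: the standard browser-protection headers that any site, static or dynamic, can set for free, and the headers that advertise server and framework versions. The two sample responses are constructed for the example; the header names are the standard ones, but which headers a given scanner checks is an assumption.

```python
"""
Check a raw HTTP response for the basic security headers automated scanners
look for, and for headers that leak software versions. Runs offline on the
constructed samples below; feed `check_response` a real response to use it.
"""
from typing import Dict, List, Tuple

# Standard response headers any site can set; their absence is what a
# scanner flags first. Descriptions are for the reader, not used by the code.
EXPECTED_HEADERS = {
    "strict-transport-security": "HTTPS enforced; no downgrade to plain HTTP",
    "content-security-policy": "limits where scripts and resources may load from",
    "x-content-type-options": "stops MIME-type sniffing (value should be 'nosniff')",
    "x-frame-options": "blocks clickjacking via framing",
    "referrer-policy": "limits URL leakage to third parties",
}

# Headers that advertise software versions; version numbers map directly
# to published vulnerabilities, so scanners harvest them next.
LEAKY_HEADERS = ("server", "x-powered-by", "x-generator")


def parse_response(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP response into (status line, lower-cased header dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed header lines rather than crash
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_response(raw: str) -> Dict[str, List[str]]:
    """Return {'missing': [...], 'leaks': [...]} for one raw HTTP response."""
    _status, headers = parse_response(raw)
    missing = [h for h in EXPECTED_HEADERS if h not in headers]
    # Present but with the wrong value is as bad as absent for this header.
    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        missing.append("x-content-type-options (present but not 'nosniff')")
    leaks = [f"{h}: {headers[h]}" for h in LEAKY_HEADERS if h in headers]
    return {"missing": missing, "leaks": leaks}


# Constructed sample (not a real site): an untouched shared-hosting response.
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same site after the headers are set and
# version banners suppressed.
SAMPLE_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        result = check_response(raw)
        print(f"[{label}] missing headers: {result['missing']}")
        print(f"[{label}] version leaks:   {result['leaks']}")
```

Run against the weak sample it reports all five protective headers missing and two version banners exposed; against the hardened sample it reports nothing. The point is not the script itself but that attackers run equivalent checks against every reachable address, so the absence of these few lines of configuration is visible to them within seconds of a site going live.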
What many small organisations fail to understand is that attackers view a prospective compromised website as an asset. Its value to them lies in the site's existing audience, or in the opportunity to rent out the server for storing other stolen data, for attacking other targets, or for hosting spamming services.
Small organisations must understand that a website is an asset, and they are responsible for protecting it. If it is not protected, it will be taken over and become an asset that belongs to criminals, who will probably generate more revenues from its use than the real owner. The risks to the service should be considered before the website is commissioned to go live – rather than as an afterthought.
A good approach is to understand the risks to the website, and to ask someone who is a professional in this field, and able to explain the various security features that can add real value over the lifespan of the website.
Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more.