Online Risk Assessment: How Secure is Your Website?

Where to Start

Don’t know if your customers’ data is secure? Are you panicking that your website could be defaced, leading to reputation damage? We all worry about the risks that we face as website ‘owners’. That said, most attacks and incidents are well known and can be easily protected against. 

Perhaps you are new to the field of website or application development, or perhaps your new role has the nondescript ‘manage website’ bullet in the job description. Before you go screaming to the InfoSec team or looking for a new job, I wanted to provide a quick way to assess the situation so you know

1. how good/bad the website situation is; and
2. what to do next.

Much like any other risk management exercise, we want to weigh our risks versus needed website security. The first question to ask is “Does my website store any confidential information?” Here are some examples of confidential information:

• Customer names, addresses, email addresses, etc.
• Email addresses for newsletter signup
• Health or other personal data

When I say store, I mean: is the information saved on your website? Many plugins and services will store data on your web server. Some examples are WPForms or Gravity Forms for WordPress or Webform for Drupal.

If the answer is yes, we will want to be extra diligent with the next steps. Data privacy is becoming much more important and many states and countries now have laws requiring companies to protect their customers’ data. For a fuller picture of the data privacy landscape, read our blog post on the Data Privacy Landscape or check out our webinar on Data Privacy. 

Low Hanging Fruit

If you answer “no” to any of the below questions, you should take immediate action:

1. Is your website administration area (where you go to make updates to the site) located behind a secure complex password? Complex means the password:
   • Has at least 8 characters
   • Is alphanumeric
   • Is mixed case
   • Has special characters
2. Do you use two-factor authentication to log into the administration area of your website? Most managed hosts like Pantheon or WP Engine offer this as a default option. This means that you log in with some other piece of information in addition to a password, such as a code sent via text message or email. You should also consider only allowing certain IP addresses to the admin area. Here is an example Drupal module that does this.
3. Is your CMS supported and up to date? Are all of your third-party modules up to date? For example, in WordPress, go to the WP Admin, and be sure to note what updates are needed, especially those marked high priority or security. Here is some documentation on how to do that.
4. Do you have SSL installed? SSL ensures that communications between the user’s browser and the server are secure. There are also other benefits to SSL like SEO and user perception. 

More Advanced

If you answer “no” to any of the questions below, but you do not house any customer data, add these tasks to your backlog and start roadmapping now. If you answer “no” to any of the below and you are housing customer data, take immediate action.

1. Have you ever performed an application penetration test? Penetration tests probe your site for vulnerabilities and will give your developers a nice ‘punch list’ of prioritized tasks they need to perform to make your site more secure. Here are 5 options for testing your site for security.
2. Are your developers aware of the OWASP Top Ten? Website security is more than just locking down the site once. You need to make sure everyone is thinking about security so that mistakes are not made in the future. Information Security needs to be part of your culture.
3. Do you have any security software installed? For example, depending on your CMS, each will have its own security features. Here are some examples we’ve already evaluated:
   • Product Owners Guide to WordPress Security Plugins
   • Learn How to Secure Drupal
   • How to secure your Sitecore Installation
   • Three Reasons your Umbraco Site is Insecure

To sum it up, if you aren’t doing everything under the “Low Hanging Fruit” category, get that going tomorrow! We’ve done our best to provide actions you can take right away. If none of them fit, feel free to Contact Us or talk to your tech team.

If you are housing customer data and you are not doing everything under “More Advanced”, start making a plan now. You may also want to consider speaking with your dev team about a secure SDLC. 

Now go forth website owner, and own Security as well!