Talking about website security isn’t a scare tactic, it’s a fact of life

June 28, 2018
Marisa Greco Marketing Specialist

The vital importance of preparing with the basics

Let’s start with square one.

Yes, your website can get hacked. All websites are at risk of being compromised. No, it doesn’t matter what information you think someone may or may not want from you.

No, it doesn’t need to be an eCommerce site and it doesn’t need to save customer names or credit cards. Regardless of what your website does or what you use it for, it can get hacked. Every attacker’s motivation is different. They may pick your site if it uses an old, unsupported platform, or because of the speed and strength of your server. Each of those things could be used to a hacker’s advantage differently. For example, an unsupported platform means it’s easy for the attacker to hack in, modify files and add tracking scripts to see passwords or direct users to a malicious website that can do more harm to your computer.

It could be just as simple as time passing your technology by, the vandalism of a kid kicking rocks down the street or hanging out of a car window smashing mailboxes … or, yes, it could be a more sophisticated attack motivated by tracking, theft or anything more nefarious.

The bottom line is you need to make sure you’re taking the right steps to manage, secure and protect your website. It is a living organism, treat it as such.

This is particularly true if your website does more than build your brand and serve up information. If you have client, customer, patient, or physician and provider portals and logins, security is absolutely vital as you have secondary and tertiary individuals and data you must protect. If you are dealing with medical information, patient and provider relationships, or even appointment booking or submission forms, you must protect the security of the individuals interacting with your website as they manage their health care or pursue health services from your health system.

Here are our basic recommendations for putting the pieces in place to manage your website security. Of course, it takes a plan to take action in the event of a threat, vigilance so your website does not go unmanaged, and a plan to update and evolve with the times and technology.

 

Think of the big picture

Your website consists of much more than what you see on your screen. It runs on a platform that is aging, just like a car, the day it rolls off the lot. There’s that, and there’s the experience of how people get to it – through search, targeted marketing, content on social media and more. Maintain a line of sight to all of it. Understand how your users are getting to and using your website. Build a map of where your site is, and how it is accessed and performs on mobile and desktop browsers. Test and manage that functionality across the board and be prepared to deploy updates as needed.

 

Build familiarity

It should go without saying that a team that is familiar with your website – its technology, the platform it was built on, everything behind the scenes – will be vital to your success. With that in mind, it’s important to have a maintenance and a hosting contract in place that includes regular and preventative maintenance by a team that knows your site, its technology, your users and your needs.

 

Plan for change

Dedicate time to set aside each month or quarter for security updates to be deployed, not just to your site platform (WordPress, Django, etc.) but to your server operating system and software. Make sure you know who is responsible for this so it isn’t missed. Ask your web partner to install monitoring software so notifications are sent out when there is a site outage. These can be sent via email or text, whichever it is, it should be treated as something around which you build a plan to react and make necessary fixes or changes.

 

Back that thing up

Make sure that as part of your hosting contract, regular backups of your site database are being created. We recommend daily backups, but sometimes that isn’t always feasible. At the very least, look into doing weekly backups. Should your site go down, your host provider can quickly get the site back up and running by using the most recent copy. You can’t necessarily plan for a site compromise, but you can and SHOULD have an action plan ready if it happens so you can take preventative measures.

 

In the event of a website attack …

  • Implement a site freeze immediately. This locks out all users to prevent any changes from being made to the site. As part of this plan, determine ahead of time which users should keep access. The users who keep access during the site freeze should be super users or administrators.
  • If needed, get the site back up and running by using your most recent backup. Sometimes, that’s all you need to do, restore to a previous version because the corrupted files weren’t infected yet by the hacker.
  • As a next step, complete any platform or security updates.
  • Lift the site freeze and instruct all users to update their passwords. In more severe cases, you may want to complete a full site audit if you haven’t easily identified what has been attacked. If you manage your site on your own, don’t be afraid to reach out to someone for assistance, there are specialized shops all around that focus on site audits, security updates and maintenance.
  • Enact preventative measures and ensure they are followed on a regular basis to maintain your site. Schedule regular service maintenance and ask your agency to address the terms of when your current platform loses support. This is called “End of Life” and you should plan for it. Put simply, you can’t expect a site to run for five to 10 years without updates and maintenance. Far too many times, websites will enter into this period and it makes completing future feature updates extremely difficult. Ask your agency to direct you to the location of where you can monitor platform version updates, or ask them to keep an eye on this and recommend when your site should be updated. Support of platform versions varies, but you are usually covered for more than two years before you need to make any significant updates.

 

Why does it happen?

Again, understand the basic truth … an outdated website platform that doesn’t receive regular updates is vulnerable to security threats. Running an outdated server operating system will make any kind of update more challenging, and in severe cases, make updating near impossible. In an absolute worst case scenario, an outdated website platform AND outdated server operating system make it extremely difficult for the developer to make any changes. This comes from deprecated documentation, and software libraries that are no longer maintained. This means a costly rebuild, as the developer has to circumvent these problems with hacky, patchwork solutions that are not easy to maintain, meaning a larger technical debt. At that point, after the damage is done, it could actually be better for you, and more cost efficient to start from scratch and build a new website.

 

Keep Evolving

As time passes, technology evolves. You need to ensure your website evolves with those changes. Ultimately, taking these steps for web security and web maintenance will give you peace of mind and guarantee minimal to no site down time. In this ever changing world, where technology leads behavior and behavior leads technology, if your digital experience is always evolving, like your customers’ needs, it will be one of the best.

 

Marisa Greco is a Marketing Specialist at Core Creative.