You’ve Been Hacked!
A financial services company provides a website portal for their clients to access their investment accounts. Clients visit frequently to review their accounts and browse the company’s rich library of helpful information about saving and investing. One afternoon, while the company president is at lunch with a client, he receives a panicked message from his IT manager: the site has been hacked and an ISIS banner is prominently displayed on the home page. After the initial clean up and damage control, the president vows that they will never again risk such an event, and demands that marketing and IT do whatever it takes to make the site 100% secure.
It is not uncommon for business websites to get hacked, and vowing airtight security begs a host of questions:
- How secure can any site really be?
- What are the best practices for sites requiring strong security?
- What are the additional costs of building a site with maximum security? Is there a point of diminishing returns?
How Secure Can Any Site Really Be?
“The first thing I…tell website owners is that security is about risk reduction, not risk elimination. You must get your head around this simple fact…there is no such thing as a 100% solution to staying secure.”
-Tony Perez, Sucuri
Website attacks generally fall into two categories: an automated attack of opportunity (by far the most common type), or a targeted attack (the type more likely to occur on larger entities or governmental organizations). To be frank, at some point one of these will likely happen to your site. It’s not so much a matter of if a site will be attacked, but when. However, taking well-planned and reasonable tactics to prevent hacks puts the odds in your favor. Many of the horror stories we hear about, like the 2013 Target hack, are the result of human failure, not because of the software or applications themselves. Most commonly, people fail to follow processes and best practices in IT management, website maintenance, and updating.
What are the generally accepted best practices for sites requiring high security?
It begins with experienced developers who understand the current applications and best practices when building a site. They should know the most likely points of vulnerability, and how to write code that allows desired data to pass, but blocks potentially harmful data. They also should understand how to plan and build for enterprise-level security, as well as hosting applications that can help manage security risks.
Once a site is built, it’s chiefly about who gets access. There are basic security precautions (e.g., making sure access information is not obvious, and is regularly refreshed) that should be implemented, and the site should be properly maintained as new software patches and updates become available. It’s also important to have the right hosting setup, and applications to monitor for security risk. Lastly, have a response plan for how to handle such threats, and worst case, a malicious hack. This includes having a separate backup to get your site immediately up to speed again.
There are costs to maximizing security when building the site. Is there a point of diminishing returns?
One can make the case that a more secure site is one that is custom built from the ground up. However, significant liabilities come with a custom built CMS (Content Management System), compared to off-the-shelf CMSs like WordPress or Joomla:
- It’s much more time consuming, and thus more costly, to build
- If your developer or IT person goes away, so does the one repository of the knowledge of your CMS and how it was built. Code can be as individual as people, so bringing in another developer would be time consuming and expensive
- A home-grown system does not guarantee security. In fact, even if built perfectly, they are notoriously unreliable over time because owners fail to keep them updated
The advantage of going with an existing content management system (CMS) solution vs. custom development is the availability of the functionality that makes content management easier and less costly to implement and to keep updated. These systems are constantly improving because they are open source platforms. (Open source software is software whose source code is available for modification and distribution by anyone.) The White House, the FBI and the CIA all use open source software for their websites, rather than custom, built from scratch code. The core features to look for in decent Content Management Systems include:
- Strong security
- Theming functionality
- Page templates
- Menu systems
- User/role base authentication and access control
- Revision control
- Regular updates
Along with these core features, a CMS should have the capability to support modules, plugins, and extensions. There are various prominent open source and third party licensed extensions that bring enhanced functionality to a CMS. These enhancements include search engine optimization, tools for analytics, social network integration, etc. Of course, all should be added with the understanding that security is a priority.
The most widely used CMS platform is WordPress, and with proper development and maintenance, businesses experience minimal security problems. The New York Times, CNN, Sony, UPS and IBM all use WordPress. For companies with extreme security concerns, there are other CMS platforms, such as Drupal, that are solid candidates for consideration. Drupal has strong coding standards and a rigorous community code review process that gives it security and stability.
“Security is hands down the biggest differentiator between WordPress or Drupal. Drupal has enterprise level security and site scale. Numerous government websites are built with Drupal, with the most famous being Whitehouse.gov.”
Adam Hermsdorfer, Big Tuna Interactive
Currently The Economist, Cisco, Voya Financial (formerly ING U.S. Inc.), Novartis, GE, Pfizer, U.S. Department of Transportation, The White House, and many more entities are using Drupal.
Ultimately, there is no 100% secure system. A mature CMS with a proven track record provides the best return on investment, due to the amount of existing development that can be leveraged. Following the best practices for maintenance and updates is a practical and effective way to keep your site secure, without having to re-invent the wheel in an effort to maintain full ownership of the codebase. In addition to the CMS platform, there are content delivery networks (CDNs) that can be placed in front of your site to reduce the workload, as well act as a website firewall. (But that’s another blog.)
The best website security is proactive prevention.
Hire the right experts to help you implement best practices, including the initial site development, proper hosting, and ongoing maintenance. Have a smart access and content management process, and make sure your team has an action plan in place to manage a security emergency. Follow these tips to reduce your risk of being hacked.
Does your site have the proper security built in? Do you need to learn more about proactive maintenance to minimize risks? Just click the button below.