The Four Ss of website security
Today 30,000 websites will likely be hacked. Same tomorrow. And the next day after that. Worse yet, that rough estimate probably dramatically understates the issue, given how many hacks are kept quiet.
So, the issue isn’t whether your site will be hacked—but when. How do you make your website secure? And how capable is your site of detecting and deflecting attacks?
If you’re responsible for creating, maintaining, updating and/or monitoring your organization’s web properties, there are so many potential vulnerabilities you could worry about. Injection flaws. Authentication weaknesses. Cross-site scripting. Exposed data. Security misconfigurations. And the sleep-robbing list goes on and on.
If you don’t have the specialized knowledge to assess all these threats and make your website secure, it’s critical that you ensure your website partners do.
No longer is creating a website just about eye-catching imagery, an engaging user experience, great SEO-friendly content, conversion-motivating calls to action, and an easy-to-use CMS. Yes, all those are important, but your website partner needs to be just as adept at developing a battle-ready website—and at monitoring, updating, and securing your website over time.
While there are countless details involved in security-focused website design and monitoring, those details can be categorized under four major checkpoints that we integrate into every web development project. We call them the Adams & Knight Four Ss of Web Security.
1. SECURE endpoints.
In the simplest of terms, a website “endpoint” is the doorway that lets someone connect to your website. For many of your site visitors, these access points are the URL of your website, your customer portal, or other destination/landing pages through which people can access your information through the internet. But your site also likely has many other connection points. For example, if your developers used APIs to allow for the exchange of information from your site to another, that’s a key endpoint. Say you have a lead generation form on your website that directly integrates into your Salesforce application. That’s an endpoint.
Technically, all these endpoints need to be secured, so you can prevent people from maliciously intruding and altering your site’s data from any of these access points.
2. SCREEN traffic.
A huge part of securing your site involves screening its traffic. How will you detect if a hacker is trying to access your website code or underlying data—or is using your site to gain access to other connection points? Who will be notified and how? How automatically can you stop them? How quickly can you block or at least mitigate any damage? You’ll need to make sure your website developers are building sites that are both intuitive to use and impervious to intruders.
3. SAFEGUARD users.
Not only do you need to prevent the wrong people from getting into your site, but you also need to protect the visitors you’re welcoming in. If your prospects or customers are being asked to enter data through your site, how are you ensuring that their data is secure? How will you prevent others from accessing or altering their data once submitted? Just as you would if you were welcoming them to your physical location, you need to ensure your visitors’ safety when engaging with your online properties.
4. SUSTAIN vigilance.
Every day hackers are honing their techniques. So, every day you also need to be reviewing your online security posture and bolstering your defenses. That means staying abreast of the latest trends affecting online security. That requires constantly reassessing and upgrading the software, tools, and techniques you use to detect and mitigate threats. And that necessitates automated and “eyes-on” monitoring of your sites’ security status—patching vulnerabilities as needed in the short term and even rebuilding your site periodically.
These Four Ss of Website Security are seemingly simple objectives addressed by often complex, detailed processes that are proportional to the complexity of your online communications. Simple, straightforward sites can leverage the security features provided by established managed hosting providers. But more complex systems may dictate distributed endpoint protection and device management agents, and AI-based email protection with consolidated log analysis—all monitored by a managed Security Operations Center (SOC) in real time.
Regardless of the complexity of your site, by ensuring your internal and external resources are attending to these four key areas, you can determine how to make your website secure, and in the process, protect your organization’s data—and your brand’s reputation.
For more insights on how we build secure websites, contact Eric Truntz at Eric.Truntz@adamsknight.com.