Despite the obvious risks to a technology based business posed by hackers, phishers and other bad actors, sometimes a project’s security needs get left by the wayside. Human nature leads us to think firstly “it happens to others, but it won’t happen to me”, and secondly to assume that “someone is taking care of it”, even though we don’t have a clear idea of exactly what “it” is and what “taking care of it” involves.
The most common way this might happen is if a CEO or project leader assumes that developers are following standard security practices as they carry out their work. In many cases this is a reasonable assumption, but even if it’s true there are at least three problems: firstly that different developers will have different standards and even the most diligent can miss something or make a mistake, secondly that coders are generally focused on their own area of expertise and can miss the bigger picture, and thirdly that many potential security risks are not directly related to the code itself but instead to the working practices of those employed on a project.
In Verizon’s 2020 data breach investigation report, they identify phishing attacks, accidentally sending of classified information to the wrong people and accidental public publishing of classified information, as the 1st, 4th and 5th leading causes of data breaches respectively. While hacking attacks do come in 2nd, this really highlights the dangers of careless behaviour and a lax approach to procedures.
Threats to website security
To understand what sort of security practices are a good idea, it helps to first consider what sort of threats we are defending ourselves from.
There are two main categories of hack which are commonly used to target a business.
- Access phishing – when the hacker tricks people with legitimate access to the system into giving them access they shouldn’t have.
- Exploitation of vulnerabilities in the code – one common way this happens is when a security vulnerability becomes well known and hackers start to systematically try it on a whole series of sites. This is the type of hack usually addressed by the regular security patches offered by many systems, and the reason it’s a good idea to stay up to date on security patches issued by a product’s developer.
It’s clear that regardless of how they get access to a company’s website or app, a successful hacker can potentially cause a lot of damage. The defacing of a website is embarrassing, but in some ways it’s the best case scenario, as it alerts you to the hack and allows you to begin the process of fixing the problem. More sinister operations don’t let you know they were there; they might take valuable internal information to sell, use their access to pose as an employee and trick your clients into paying them, use a code injection to hijack your servers to send spam emails in your name, install ransomware, and much more.
Simple steps to improve website and mobile app security
Whatever the role your website or app plays in your business, it’s security has an impact at least on your reputation, and likely much more. How can you go about securing it then?
Install security updates
One of the simplest steps to take is to regularly check the suppliers of software you’re using for security updates and to install them. Obviously there are plenty of threats this won’t protect you from, but it does help ensure you don’t become a victim of some of the more common attacks. Ekreative’s CMS service license agreement is primarily focussed on making a weekly check for developer issued updates and, after first checking that they won’t disrupt anything in the existing setup, installing them. If you’ve got a capable tech team though, this can be easily covered in-house.
Follow security hygiene best practices
Another good starting point for improving your security setup is to analyse your work processes and make sure that you’re following best practices and not leaving any obvious holes. Again this can be done in house, but it’s often a good idea to invite a third party audit to take a look as they will a) give an additional perspective that isn’t too close to the measures being discussed and b) specialise in noticing vulnerable areas and unsuitable practices.
Getting a full IT security audit
What’s true for applying best practices to your work process is also true for the other areas of your project security. That is to say, they can potentially be improved in-house, but your team’s closeness to the project and involvement in the decision making process can sometimes blind them to vulnerabilities that would be clear to an outside set of eyes.
Despite this, we sometimes see companies that are unwilling to invest in this sort of audit, even though it’s clearly in the long term best interests of their business. In most cases their hesitance is due either to a lack of understanding about the seriousness of the threat or a mistaken belief that the security measures their employees automatically include when developing their processes is enough. They might also be put off by the thought of trusting an outside group with access to their systems.
While the threat is extremely serious and we’ve explained above why internal security alone is often not enough, the question of trust is definitely an important one when it comes to choosing a third party auditor.
Choosing the right company for your website security audit
In actual fact you don’t need to give a lot of access to auditors (though it depends exactly what sort of audit you want). For basic penetration testing of your site, auditors would simply try attacking your infrastructure the way that malicious hackers would, but any problems they find they write into a report of suggested fixes rather than exploiting them the way a hacker would. For this sort of testing, zero access is required.
Of course even if this is all you plan to do, you still want to choose a reputable company with proven experience under their belt.
Having someone examine your working processes obviously requires some degree of access, still it’s unlikely that auditors would need to see anything sensitive. Note that there can be a difference between your official practices as laid out in company policy and actual practices used by those who work for you, it’s relatively easy for policy level practices to be audited remotely, requiring only access to policy documentation.
High levels of access might be necessary for some deeper assessments, but these are more unusual. Assessing actual practices is more complicated for example, often involving employee surveys and interviews and a degree of access. For most companies though, simply thinking through their official policies and finding holes in those is enough to highlight any inconsistencies between this and their actual practices.
Similarly, alongside basic penetration testing, some companies might want a code level review for a more thorough assessment of their vulnerabilities. This obviously requires a deeper level of trust with the auditing company, which is why we’d suggest building a relationship with your auditors over several years and multiple interactions.
The need for regular security audits
Developing a long term relationship and building up trust with your information security auditors is essential for a business long term health. As times, norms and workforces change, regular reassessment of our work becomes a vital element of ongoing security. Obviously as a project is developed its code base grows and changes and new vulnerabilities can appear, here the need for regular checks is obvious. In fact it’s part of the reason QA engineers have such an important role in software development.
We’ve already discussed why it’s desirable to make regular checks for security updates and patches, preferably weekly. The need for other types of security checkup isn’t quite so frequent, but still a yearly reassessment is a good idea, bringing you peace of mind and ensuring that you’re not making any basic mistakes that could be easily exploited by a malicious party.