One great result of modern technology is that it’s easier than ever to set up a website. 20 years ago, you would need a webmaster who knew how to code and host your website on a complicated server. Today, there are so many free website and content management system platforms that you can set up in a short time. Because the cost is so compelling, many smaller organizations, businesses, and even cities go this route to set up a very low-cost website.
That approach can carry significant security risk. For example, a recent SC Media article points out that WordPress websites (which are quite popular) are being specifically targeted by criminals running ransomware campaigns. Why go after WordPress websites? It's not because the platform itself is insecure. Instead, it's because criminals know that many of these sites are set up by non-technical people who will not know how to configure, manage, code, and update their websites to eliminate security issues.
If you took a low-cost approach to get your city’s website up and running, you may be at risk. To perform a quick assessment, ask yourself the following questions.
1. Where is my website hosted and what do I know about the hosting provider?
Free or cheap website hosting providers may not adhere to strict security standards, leaving your website at risk. Are they regularly applying security updates? Are they monitoring for security vulnerabilities? Where are their servers physically located? Within the United States? Or in a country whose security, privacy, and compliance laws differ from those you are required to follow? Will they allow a third party to scan your website for security vulnerabilities? If you're not sure of the answers to most of these questions, then you might want to reexamine where you're hosting your website. In some cases, less reputable vendors can even go out of business or sell their platform to another vendor who may not have your best interests in mind.
Another common situation with cities involves a single employee acting as the webmaster who is the only person holding the credentials, domain registration, and knowledge needed to run the site. If that employee leaves, gets fired, or even dies, then you may not be able to access your website. Cities that host their own website in-house on a server may also not follow security best practices if they have limited or purely reactive IT resources at their disposal.
2. Who manages your website’s security?
If the honest answer is "I do," and you are not a security professional, then you're in trouble. Website security involves a lot of aspects including:
- Permissions: Who gets administrative access? Who gets to upload and edit content? Who gets review-only permissions?
- Password management: Are you enforcing strong password best practices (minimum length, a denylist of commonly leaked passwords, no shared accounts) that help prevent hackers from accessing your website? Too many stories still occur where a hacker gets into a website because an administrator account's password is something simple like "123456" or "admin."
- Technical backend security: We won't go into technical details here, but hackers have many ways they can take advantage of poor website configurations to attack your website, from uploading malicious files through an unrestricted upload form to using your verbose error messages to discover ways to hack your website. You also need IT professionals to assess and vet any third-party plug-ins before they are installed on your website.
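Two of the checks listed above can be made concrete in a few lines. The following is an added example written for this article, not code from the original page or from any CMS: a weak-password policy check against a small constructed denylist, and an upload validator that rejects path components in the filename, allows only a short list of extensions, and requires the file's leading bytes to match the claimed type, so a PHP script renamed to `.png` is refused. The denylist, the allowed types, and the function names are assumptions for illustration.

```python
"""Added example: password policy and upload validation checks.

Neither routine is from the original article or from WordPress; the
denylist, allowed types, and names are constructed for illustration.
"""
import os
import re

# Constructed denylist: a handful of the most common leaked passwords.
# A real deployment would load a much larger list (e.g. a breach corpus).
COMMON_PASSWORDS = {"123456", "password", "admin", "qwerty", "letmein", "welcome"}


def password_problems(pw: str, min_length: int = 12) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    # All lowercase letters or all digits: trivially brute-forced.
    if re.fullmatch(r"[a-z]+|[0-9]+", pw):
        problems.append("uses a single character class")
    return problems


# Allowlist: extension -> magic bytes a genuine file of that type starts with.
ALLOWED_UPLOADS = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}


def check_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason) for an uploaded file name and its raw bytes."""
    # Reject anything that tries to escape the upload directory.
    if "/" in filename or "\\" in filename or ".." in filename:
        return False, "filename contains a path component"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_UPLOADS:
        return False, f"extension {ext!r} not allowed"
    # Trusting the extension alone lets 'shell.php.png' through; check the bytes.
    if not data.startswith(ALLOWED_UPLOADS[ext]):
        return False, "content does not match the claimed type"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("123456", "correct horse battery staple"):
        print(pw, "->", password_problems(pw) or "ok")
    print(check_upload("shell.php.png", b"<?php system($_GET['c']); ?>"))
    print(check_upload("photo.png", ALLOWED_UPLOADS[".png"] + b"\x00" * 16))
```

Even with these checks, store uploads under a server-generated name outside the web root and serve them through a handler that never executes them; the validator narrows what gets in, it does not make the upload directory safe to execute from.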
3. How is payment information secured on your website?
It's likely that you allow citizens to pay for tickets, fines, utilities, licenses, or other services online. How is payment information secured when citizens share it with you? To comply with PCI DSS, you must protect card data from the moment it's entered, while it's in transit (over TLS), and anywhere you store or process it. For most small cities the safest route is to never handle card numbers yourself: redirect citizens to a PCI-compliant payment processor's hosted payment page so that card data never touches your server, which also sharply reduces your own compliance scope. Otherwise, it's easy for hackers to steal credit card information, banking information, and personal details such as birthdays or a physical address.
4. Who is regularly patching and updating your website software?
Technically, this may seem part of #2 above. But in light of the WannaCry ransomware attack and the Equifax data breach this year, it's important to specifically highlight patching and updating software. A failure to patch software led to many organizations losing data to ransomware this year, which is especially a shame because in both of those cases the fix had been available for roughly two months before the attacks.
Websites inevitably contain bugs and security vulnerabilities that need patching on an ongoing basis, and for a CMS that includes the plug-ins and themes, not just the core platform, since an abandoned plug-in is a common way in. In addition, software updates improve your website's performance and give you access to new features that will enhance how you use the software. If you're not keeping up with patching or your website software doesn't provide regular updates, then your website may be at risk.
5. Do you have a backup plan if your website data is lost?
Like any repository that stores data, there is a risk of permanently losing that data. That means you need a data backup and disaster recovery plan in case something goes wrong. If you host your website onsite, then you will need both an onsite and an offsite copy, and you need to actually restore from a backup periodically to prove it works; an untested backup is a hope, not a plan. Otherwise, a fire, flood, or tornado could completely eradicate your website.
Even if you're using a website hosting provider, you need to ensure that they have a data backup and disaster recovery plan. They can still lose data from human error or a disaster at a data center. What are their contingency plans? How far back do their backups go, and how quickly can they restore your site? If they can't answer you with confidence and specificity, then you might want to consider another hosting provider.
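A backup that has never been restored proves nothing, so the backup routine and the restore test belong together. The following is an added example written for this article, not a script from the original page or from any hosting provider: one function archives a site directory into a timestamped, checksummed tarball, and a second verifies the checksum and restores the archive into a scratch directory, comparing it byte for byte with the source. It assumes a plain directory tree; a real CMS backup also needs a database dump, which is left out here. The paths and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): back up a site directory
# and prove the archive restores cleanly. Requires tar, sha256sum, diff.
set -eu

# backup_dir SRC DEST_DIR
#   Creates DEST_DIR/site-<timestamp>.tar.gz plus a .sha256 file holding the
#   archive's digest, and prints the archive path on stdout.
backup_dir() {
    src="$1"
    dest="$2"
    mkdir -p "$dest"
    archive="$dest/site-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$src" .
    sha256sum "$archive" | cut -d' ' -f1 > "$archive.sha256"
    printf '%s\n' "$archive"
}

# verify_restore ARCHIVE SRC
#   Returns 0 only if the archive's digest still matches the recorded one AND
#   extracting it into a scratch directory yields a tree identical to SRC.
verify_restore() {
    archive="$1"
    src="$2"
    recorded="$(cut -d' ' -f1 "$archive.sha256")"
    actual="$(sha256sum "$archive" | cut -d' ' -f1)"
    if [ "$recorded" != "$actual" ]; then
        echo "checksum mismatch for $archive" >&2
        return 1
    fi
    scratch="$(mktemp -d)"
    tar -xzf "$archive" -C "$scratch"
    if diff -r "$src" "$scratch" >/dev/null; then
        rc=0
    else
        echo "restored tree differs from $src" >&2
        rc=1
    fi
    rm -rf "$scratch"
    return "$rc"
}
```

Source the script and run it from cron, for example `archive=$(backup_dir /var/www/html /backups/site) && verify_restore "$archive" /var/www/html`, then copy the archive and its `.sha256` file offsite; the offsite copy is the one that survives the fire or flood, and the checksum lets you confirm it arrived intact.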
Going the free or cheap route with a website involves consequences that might become more costly in the long-run. Make sure your website is hosted, managed, secured, patched, updated, and backed up so that it continues to run and keeps your citizens’ information safe.
Questions about the security of your website? Reach out to us today.
Original Date: 12/6/2017