Wednesday, 6 July 2022

12 questions to ask your web developer about cyber security

Grant McGregor outlines some of the questions you should be asking your website developer to ensure that your website is as protected as it needs to be.

Our team is focused on business support and cyber security rather than web design. Nevertheless, the security of your website is important to us.

In this blog, we’ll outline some of the questions you should be asking your website developer to ensure that your website is as protected as it needs to be.

Your website is your shop window to the world. But what happens when that is compromised? Or when pages are replaced with malicious content or spammy links? Or when hackers steal valuable information or take payment details from your customers?

These potential problems all underline why it is important to ensure your website has the right cyber-security protections in place. The questions below will help you make sure that is the case.

#1. Are you going to use a website builder or a CMS?

When you use a website builder, you are limited in terms of the security options available to you. However, the company that provides the website builder service will usually take care of security for you. This means they will be responsible for securing the environment on which your website is hosted. Usually these policies will be available for you to check out before signing up. If in doubt, ask!

If you are using a CMS tool to create a website that you will be hosting yourself – whether on-premises or in the cloud – the security picture looks very different. You will need to ensure that the right cyber-security tools are in place. This means, at a minimum, having a web application firewall, web scanning, malware detection and removal, vulnerability patching and DDoS protection.

#2. Where is it going to be hosted?

It is important to understand where your website is going to be hosted, so that you can understand the protections that are in place. If your website developer is proposing to host the website themselves, you’ll need to reassure yourself that their environments are protected and have the right cyber-security tools in place.

Hosting in the cloud is usually the preferred option these days. Your cloud provider will usually offer native tools for protecting your site and data, but you will need to put these in place. It is always worth taking the time to find out what your options are and planning carefully to make sure your environments are secure.

If you need any help securing your cloud environments, the Grant McGregor team is on hand to help.

#3. How often will the CMS be updated?

It is always important to keep all of your software up to date so that any vulnerabilities that could be exploited by hackers are closed as soon as possible. In this, your website software is no different.

Some hackers will use bots to scan websites to identify those websites which are vulnerable to attack. So, if you’re not staying on top of your updates, it’s easy for hackers to exploit your tardiness.

If you’re using a website builder service, you don’t need to worry about this so much as the platform will usually handle software updates for you.

However, if you’re using a CMS, for example a self-hosted WordPress, you’ll need to ensure that you keep your version of WordPress (or whichever software you’re using) up to date. This means installing the latest updates when necessary, as soon as they become available.

#4. Which plugins are you going to use?

Many CMS solutions offer extended functionality through the use of plugins. WordPress, for example, has a vast library of plugins available for users to install.

However, it is important to bear in mind that these plugins can be built by anyone. Some of the poorer-quality plugins contain harmful bugs or even malicious code! Be wary about which plugins you install and use on your website.

Carefully check out the reputation of any plugin before installing it. Only install plugins made by trusted developers. Read the reviews carefully.

#5. How will those plugins be updated?

As we’ve noted, software needs to be kept up to date to ensure that it doesn’t contain vulnerabilities that can be exploited by malicious actors. This means that not only do you need to ensure your CMS or website software is up to date, you also need to ensure that all the plugins you use on the site are kept up to date too.

If a developer has stopped maintaining or patching a plugin, it might be time to switch to a different plugin that offers similar functionality. And remember to remove plugins when you are no longer using them.
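As an added illustration of the checks in #4 and #5 (this is example code, not part of the original post), the following Python script audits a plugin inventory for the three things discussed above: plugins that are installed but inactive (remove them), plugins with an update waiting (install it) and plugins whose developer has not shipped a release in over a year (consider replacing them). The inventory is a constructed sample mimicking the JSON that WP-CLI's `wp plugin list --format=json` prints; the last-release ages are a hypothetical lookup you would fill from the plugin directory.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of `wp plugin list --format=json` output
# (fields name, status, update, version). Not taken from any real site.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.0"},
    {"name": "contact-form", "status": "active", "update": "available", "version": "1.2"},
    {"name": "old-gallery", "status": "inactive", "update": "none", "version": "0.9"},
    {"name": "seo-helper", "status": "inactive", "update": "available", "version": "2.1"},
])

# Hypothetical record of how many days ago each plugin's developer last released
# a version (constructed values; in practice look this up in the plugin directory).
LAST_RELEASE_DAYS_AGO = {"akismet": 20, "contact-form": 45, "old-gallery": 900, "seo-helper": 30}

ABANDONED_AFTER_DAYS = 365  # no release for a year: treat the plugin as unmaintained

ADVICE = {
    "inactive": "installed but not used: remove it rather than leave it in place",
    "update-available": "a newer version exists: install the update now",
    "abandoned": "no developer release for over a year: look for a maintained alternative",
}


def audit_plugins(plugin_list_json: str, last_release_days: Dict[str, int]) -> List[Tuple[str, str]]:
    """Return (plugin name, finding code) pairs for every plugin needing attention."""
    findings: List[Tuple[str, str]] = []
    for plugin in json.loads(plugin_list_json):
        name = plugin["name"]
        if plugin["status"] == "inactive":
            findings.append((name, "inactive"))
        if plugin["update"] == "available":
            findings.append((name, "update-available"))
        # A plugin missing from the lookup is treated as unknown, not abandoned.
        if last_release_days.get(name, 0) > ABANDONED_AFTER_DAYS:
            findings.append((name, "abandoned"))
    return findings


if __name__ == "__main__":
    for name, code in audit_plugins(SAMPLE_PLUGIN_LIST, LAST_RELEASE_DAYS_AGO):
        print(f"{name}: {ADVICE[code]}")
```

Run it monthly alongside your CMS update routine; an empty report means nothing is waiting to be removed or patched.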

#6. Which anti-malware will you use?

Your website environment needs protecting from malware in the same way as any other IT environment. Make sure you have up-to-date anti-malware software monitoring the environment.

#7. Do we have an SSL certificate?

You’ll be familiar with Secure Sockets Layer (SSL) technology as the little padlock icon that appears in the address bar of your browser. (Strictly speaking, modern sites use its successor, TLS, but the name SSL has stuck.) The padlock indicates that the site uses SSL.

SSL is a method for encrypting the data that passes between your users and your website.

All sites should use SSL. Google Chrome now warns users when they are entering a site without SSL, and this warning can put visitors off your website. What’s more, Google ranks such sites lower when it comes to SEO.

Note that there are different levels of SSL certificate, which differ in how thoroughly the certificate authority verifies who you are before issuing it. Which you choose will depend on the data being shared on your website. For example, if you are taking payments on your website, you’ll want to use the most advanced level of protection.
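As an added, practical way to answer question #7 yourself (this is example code, not from the original post), the Python script below connects to your site with the same checks a browser performs: the certificate must chain to a trusted authority, match the hostname and be unexpired. It also reports how many days are left before renewal is due. The hostname `example.com` is a placeholder to replace with your own domain.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # warn when the certificate expires within this many days


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Days left on a certificate, given the notAfter string in the format that
    ssl.SSLSocket.getpeercert() returns, e.g. 'Jul  6 12:00:00 2023 GMT'."""
    expires_at = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires_at - now).days


def check_site_certificate(hostname: str, port: int = 443) -> dict:
    """Connect with full chain and hostname verification. A missing, expired,
    self-signed or mismatched certificate comes back as an error, not a crash."""
    context = ssl.create_default_context()  # verifies the chain and hostname
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                issuer = dict(rdn[0] for rdn in cert["issuer"])
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "issuer": issuer.get("organizationName"),
                    "days_left": days_until_expiry(cert["notAfter"], datetime.now(timezone.utc)),
                }
    except (ssl.SSLError, OSError) as exc:  # covers verification, DNS and timeout failures
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    result = check_site_certificate("example.com")  # placeholder hostname
    if not result["ok"]:
        print("Certificate problem:", result["error"])
    elif result["days_left"] < WARN_DAYS:
        print(f"Certificate expires in {result['days_left']} days; renew it now")
    else:
        print(f"OK: {result['protocol']}, issued by {result['issuer']}, "
              f"{result['days_left']} days left")
```

A failing result here is the same thing your visitors' browsers will show as a warning, so it is worth scheduling this check rather than waiting for a customer to report the padlock has gone.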

#8. Who is going to have access to update the website content?

Who in your organisation is going to be responsible for maintaining the content on your website? At the very least, you’ll probably want subject matter experts and marketing staff to have access to update and add content.

As with any permissions, we recommend taking a “least privilege” approach. Give users the absolute minimum of permissions they require to do their job. Run monthly audits to ensure users still need those permissions. Remove any users who no longer require access as soon as possible.

It’s also important to make sure that everyone who has access to update the website is aware of good cyber-security practice. For example, they should never log in to update your website over a public internet connection, such as the Wi-Fi in a coffee shop or other shared location.

#9. What is the best practice for passwords?

Password security is essential. A recent survey of small businesses found that 40 percent of small businesses have suffered a cyber breach after an employee’s password was compromised. Don’t let that happen with your website!

First off, change any default settings and passwords as soon as the website is handed over to you.

Ensure anyone who has access to edit your website content uses a strong password and, ideally, multi-factor authentication. For the latest rules about strong passwords and multi-factor authentication, read this recent blog.

#10. How are we going to manage comments?

It’s great to receive comments on the blogs you publish. It lets your team know that your audience values their insights, and it adds credibility to your posts.

However, open comments on blogs frequently attract bad actors who will try to flood your comments with spammy links and malicious code. This puts your website users at risk. The last thing you want is for one of your customers to click on a dodgy link on your website and have their own systems compromised.

This is why it is important to have a system in place for moderating comments before they are published. Never let comments be published automatically without first being screened.

#11. How often do we take backups of the website?

A good backup strategy is your best protection against the growing threat of ransomware.

We have long advocated the need for regular backups. Your website is no different in this regard. How often you take these backups will depend on the information your website holds. If you aren’t collecting user information, usually once per day will be enough.

However, if you are storing data such as user logins, you’ll have a very different recovery point objective (RPO). Consider carefully what your RPO should be and why before making any decisions about the right backup solution.

Whatever backup solution you choose, it needs to be tested regularly to make sure it works and that your website can be restored quickly and in full should the worst happen.

#12. How often do we run tests to check the security of our website?

Another way to boost the cyber security of your website is to have a trusted third party run checks to look for potential vulnerabilities.

You can do this by purchasing penetration testing services, usually on an annual or quarterly basis. The frequency you choose will depend on your budget, on the sensitivity of the data you hold and on the importance of the website to your business.

It is a good idea to use these services at least on an annual basis. This way, you can identify potential weaknesses and fix them before they can be exploited by hackers.

What now?

If you’d like more information about any of the cyber security issues discussed in this blog, please reach out to the Grant McGregor team.


You can reach us on: 0808 164 4142