We take significant steps to make sure your website is safe while also recognizing that this topic can seem overwhelming. It’s easy to get bogged down in technical jargon, so here are the two main things we think you need to know about website security, in layman’s terms.
Not all attacks are the same
There are all sorts of ways that people can try to gain access to your website, but they all fall into two main categories: targeted and non-targeted. Think of your website like your house…
Non-targeted attacks: These aren’t people trying to break into your house. These are people checking every house on the block looking for unlocked doors, unsecured windows, or keys under the mat. Most website attacks are automated, looking for things like known vulnerabilities in outdated software or systems that use generic (or default) passwords.
There are lots of different tactics used for these, but they’re all essentially looking for the same thing: an easy target. These types of attacks are easy to defeat since we can lock the proverbial doors and add a deadbolt, a security fence, alarm systems, etc.
Targeted attacks: These are attacks out to get you specifically. They are tougher to combat because the intruders are less likely to give up easily. They may attempt some of the same techniques used in non-targeted attacks, but they might also employ more advanced tricks like social engineering to gain access.
These attacks require more robust security solutions that involve security software and monitoring, but also cybersecurity training for your staff. If you have any reason to believe that your website will be specifically targeted, be sure to discuss this with your website agency.
How to measure your risk
The other thing to think about is, what happens if someone does get into the house: are you protecting the crown jewels, or is the house filled with old newspapers?
Low Risk – Many websites, even large and robust ones, essentially function as online brochures. The information is non-proprietary and entirely public. In these cases, there’s nothing to steal if someone breaks in. The biggest risk here is temporary defacement. For instance, someone may break in and put disruptive or malicious messaging on the site. While far from ideal, a defacement is easily reversed by restoring site backups and then closing the security loophole to prevent another defacement.
Medium Risk – This might include websites that have password-protected content that isn’t available to the general public and/or user information such as names and email addresses of member accounts. If the theft of this information could create a potential public relations or legal issue, you’ll want to ensure extra steps are taken to secure it.
High Risk – Some websites store extremely sensitive information in order to function, such as credit card information or social security numbers. When dealing with this type of information, security becomes paramount. In some cases, there may actually be legal requirements for storing this data, such as PCI compliance (for e-commerce websites), HIPAA (for health or patient information), COPPA (regulations concerning children’s online privacy), etc.
Another factor to consider besides the sensitivity of the information is the impact if the site is offline. If you’re dealing with a security issue that prevents users from accessing the site, will you lose billions of dollars or will people lose access to an important resource? If uptime is mission-critical, that also puts you into a higher risk category.
The Bottom Line
It all comes down to how big a target you are and how big your level of risk is. Organizations that have big targets on their backs and also manage lots of sensitive data should be prepared to make security a top priority and should budget time and finances accordingly. Organizations that aren’t big targets and only manage public information on their websites will be fine with a robust but inexpensive security setup.
While website security is an incredibly nuanced topic, knowing what level of risk you’re exposed to and how big of a target you have on your back will allow you to have an informed and productive conversation with your agency partner. If you have specific questions about these or any of the more granular details on the topic, please get in touch.