Three web security resolutions for the new year

(Image credit: Shutterstock)

After a mass migration to remote work over the last year, companies may now be largely confident in their new infrastructures – despite one or two shortcuts taken with security to accelerate digital transformation.

Kris Lovejoy, EY Global Cybersecurity Leader and former CISO of IBM revealed that in response to the pandemic, “84% of the world introduced some work from home capability, 60% introduced technology to enable that, and 60% of those either completely skipped or abbreviated the security checks as part of that implementation.” 

With new vaccines and an economic rebound potentially on the horizon, businesses will now be experimenting with growth strategies for 2021. However, it is critical that they double – and triple – check they have the right security measures in place for a growth trajectory.

About the author

Brent Stackhouse is Senior Director, Security, GRC, and IT at WP Engine 

Here are three web security tips for business leaders, marketers, and developers alike to include in their New Year’s resolutions:

Do the basics brilliantly

The most common web security question going into the new year will be the same: ‘What is my likelihood of getting breached?’

Websites are hacked typically when they are running vulnerable plugins that aren’t patched. Despite the all-too-common myth of WordPress Core as a point of vulnerability, it’s the third-party plugin vulnerabilities that represent 55.9% of the known entry points for attacks. (By analogy, consider the confidence of Android’s security versus the known vulnerability of apps on the Play Store.) However, this represents half of the equation - the other half is proper management of WordPress accounts, especially through using a Multi-Factor Authentication (MFA) plugin.

The solution is simple: avoid running any more plugins than you need to and ensure the ones you do use have a good history of updates after published vulnerabilities. To tackle the burden of keeping plugins up to date and the risk of mission critical sites breaking, machine learning and visual testing tools can now even automate plugin updates on a nightly or weekly basis without causing unintended consequences that could result in downtime or lost traffic. Make sure to limit admin access to “must have” users and make sure they are using MFA.

Build the right team

The security skills gap is well-documented by now: around 653,000 businesses (48%) have a basic skills gap, according to the DCMS. That means, the people in charge of cybersecurity in those businesses lack the confidence to carry out the kinds of basic tasks laid out in the government-endorsed Cyber Essentials scheme. They also are not getting support from external cyber security providers. The pandemic has since exacerbated that gap as remote workforces move to cloud environments without the cloud security expertise to assess the risks of that move.

To ensure you have the right team in place, you should start mapping out the risk profile unique to your business. Identify your risk, security, WordPress and ecommerce experts and consider how your industry poses particular challenges, such as websites in the healthcare sector, which have undoubtedly experienced different kinds of traffic surges this year. For those weighing between hiring and training more in-house staff or bringing on a vendor, revisit the basics of vendor management and how you are drawing the lines of responsibility, depending on who fits where in your security puzzle. If you are working with a partner, they will need to have made those investments into skills and technology on your behalf.

Prepare for the peaks

For retailers and ecommerce platforms, major seasonal shopping periods such as Christmas, Boxing Day and January sales pose a tricky challenge. Website managers will be scrambling to meet a high volume of revenue-driving activity on their site while at the same time tackling an increase in cyberattacks such as distributed-denial-of-service (DDoS) attacks, which have already been doubling every quarter this year. During this lucrative period for cybercriminals, the UK’s National Cyber Security Centre has already updated its guidance for online shoppers.

Load testing, which is performance testing that simulates real-world loads on software, applications, or websites, can help answer the question of ‘how many people can visit my site at once?’ Proper load testing can help site managers assess things like scaling capabilities, lifecycle hooks, susceptibility to DDoS attacks due to high load, automatic code deployment, health checks and target tracking. Without proper planning and action, retailers are at an increased risk of successful DDoS attacks that lead to a significant revenue loss.

As we go into the new year, it is critical that the desire to cash in on the shopping season doesn’t come at the cost of security. It can be incredibly frustrating when Black Friday rolls around and your website is crashing because of the increased traffic. The primary concern is the way in which a vulnerability in a business’s website has been exposed. A website that is dropping because of a sudden increase in traffic becomes a sitting duck. It can easily become a target. So before enticing an influx of new customers to a webpage, organizations have to load test accordingly.   

By now, business leaders understand the importance of security on customer and brand health but are often uncertain about where to begin. If organizations want to take their security seriously, and not running before they can walk, they have to focus on doing the simple things well. Companies need to have basic web security measures in place so that while WordPress Core may be secure, they are giving the right attention to the plugins they use and securely managing their WordPress users. They also need to strike the right balance between people, process and technology to ensure they have the right skills and staff in place. Finally, they need to plan ahead for key consumer moments and seasonal periods, looking not just for visitor traffic spikes but for different kinds of cyberattacks. The road to recovery in 2021 won’t be easy, but with these steps it’ll be a much smoother ride.

Brent Stackhouse is Senior Director, Security, GRC, and IT at WP Engine