CybersecurityDigital DefenceTech News

From ineffective to impassable: The fundamentals of safeguarding your online platform from cyber criminals

Sophisticated security software is no longer reserved for just large enterprises. Today’s cyber attackers are highly skilled and have a growing number of resources available to aid their crusades, making businesses of all sizes potential victims.

Business leaders often understand the impact the right security measures have on consumer trust and brand health but are often uncertain about where to begin. Here are three fundamental web security tips all businesses should put in place to safeguard their websites this year.

Nailing the basics

The most common web security question this year is: ‘What’s my likelihood of getting breached?’ Websites are hacked typically when they’re running vulnerable plugins that aren’t patched.

Despite the all-too-common myth of WordPress Core as a point of vulnerability, it’s the third-party plugin vulnerabilities that represent 55.9% of the known entry points for attacks. However, this only represents half of the equation – the other half is proper management of WordPress accounts, especially through using a Multi-Factor Authentication (MFA) plugin.

The solution is simple: avoid running any more plugins than you need to and ensure the ones you do use have a good history of updates after published vulnerabilities. To tackle the burden of keeping plugins up to date and the risk of mission-critical sites breaking, machine learning and visual testing tools can now even automate plugin updates on a nightly or weekly basis without causing unintended consequences that could result in downtime or lost traffic. Make sure to limit admin access to “must-have” users and make sure they are using MFA.

Bringing the right skills onboard

The shortage of cybersecurity skills is a global issue and Australia is no exception. AustCyber predicts by 2026, the nation will face a skills shortage of 18,000 security experts, which means organizations will not only struggle to hire internal security leaders but also to source external help.

To ensure organizations have the right team in place, leaders should start mapping out the risk profile unique to their business. Identify employees who are experts in WordPress and eCommerce and consider how your industry poses particular challenges, such as websites in the healthcare sector, which have undoubtedly experienced different kinds of traffic surges this past year. For those weighing between hiring and training more in-house staff or bringing on a vendor, revisit the basics of vendor management and how you’re drawing the lines of responsibility, depending on who fits where in your security puzzle. If you’re working with a partner, they will be required to make those investments into skills and technology on your behalf.

Prepping for peaks

Seasonal shopping periods like Valentine’s Day, Christmas, Black Friday, and end of season sales pose a tricky challenge for retailers and eCommerce platforms. Website managers often scramble to meet a high volume of revenue-driving activity on their site while at the same time facing increasing numbers of cyberattacks such as distributed-denial-of-service (DDOS) attacks, which doubled every quarter in 2020. During these lucrative periods for cybercriminals, the Australian Cyber Security Centre regularly updates its guidance for online shoppers

Load testing, which is performance testing that simulates real-world loads on software, applications, or websites, can help answer the question of ‘how many people can visit my site at once?’. Proper load testing can help site managers assess things like scaling capabilities, lifecycle hooks, and susceptibility to DDOS attacks due to high load, automatic code deployment, health checks, and target tracking. Without proper planning and action, retailers are at an increased risk of successful DDOS attacks that lead to a significant revenue loss.

This year, it’s critical that the desire to cash in on the shopping season doesn’t come at the cost of security. Companies need to have basic web security measures in place so that while WordPress Core may be secure, they’re giving the right attention to the plugins they use and are securely managing their WordPress users. They also need to strike the right balance between people, process, es and technology to ensure they have the right skills and staff in place. Finally, they need to plan ahead for key consumer moments and seasonal periods, looking not just for visitor traffic spikes but for different kinds of cyberattacks. The road to recovery in 2021 won’t be easy, but with these steps it’ll be a much smoother ride.

Show More

Brent Stackhouse

Brent Stackhouse, CISSP, CISM, CRISC, is a 20-year cybersecurity and risk management professional with deep technical experience across multiple verticals, and who leads the WP Engine Security and GRC teams in their ongoing efforts to protect WP Engine and its customers. With 6 years providing virtual CISO services to financial institutions, as well as 6 years at Microsoft and Amazon in various roles, Brent knows what works in securing cutting-edge, cloud-scale environments.

Leave a Reply

Back to top button