Building to last: let’s talk website security
When the HSE in Ireland was hit by ransomware a while back (a type of malware that encrypts all the data on your systems while spreading like wildfire to any other computer on the network), Irish businesses started to take note.
And they should: computer viruses, malware and hackers are all real. Based on a report from 2018, the average website is attacked 44 times a day. That number has since grown significantly, and with our corporate clients we have seen daily attack rates of 100 times that.
Because of that we decided back in 2018 to move away from WordPress for our websites and to build all our SaaS platforms from scratch in house.
In a 2019 report on hacked websites, WordPress accounted for 94% of all the hacks! Because WordPress is easy to install and allows additional off-the-shelf features to be bolted on, it’s a great platform for small agencies and businesses to work with, but this often comes with very lax security implementation and frequent “holes” or vulnerabilities in the system.
To look at this in more depth we decided to do a short security audit on a number of airports, as we have some experience in that area. We picked 3 small airport websites in 3 different countries using 3 different technologies, just to highlight that it’s not only a content management system issue:
1. Shannon Airport (Ireland) Public
Some fundamental security measures are lacking when it comes to security headers and content policies. Luckily, these issues are easily fixed and it would take about half a day to get to a more acceptable rating like a B or an A.
2. Eindhoven Airport Netherlands Public
Although the summary score is slightly better, the basic security headers aren’t configured correctly.
3. Farnborough Airport United Kingdom (Private)
Basically, this one has no security headers implemented at all. It’s also running WordPress.
The big difference between the first two airports and the last one is policy enforcement. Shannon and Eindhoven are public airports with state involvement enforcing security policies, whereas the private airport in our example is privately operated and does not have these “limitations”.
So what can be done to fix this? Here are 5 things you can do right away:
1. HTTPS is a must: you need to make sure your website traffic travels over an encrypted connection. Google has started enforcing HTTPS across its sites, and not having HTTPS will impact your visibility on the web.
2. Implement security headers. Done correctly, this step alone would have lifted the other two airports to a minimum score of B.
3. Make use of a Content Distribution Network (CDN). For the price of exactly $0 you can have your website shielded from potential Denial of Service attacks, and it will mask your server’s IP address from other potential hack attempts.
4. Disable older security protocols for SSL and TLS. Compatibility is important, but allowing your web server to be 100% compatible will hugely increase your security risk. The majority of web browsers support the newer versions of these protocols, and disabling the old ones might cause issues for 0.1% of your potential website visitors.
5. Enforce password policies and 2-Factor Authentication. Gone are the days of simple passwords. If you want to keep using passwords, make sure a proper password policy is in place with a minimum number of characters, including the weird ones. For an even better implementation add 2FA, which sends an SMS message or a notification to the user’s mobile phone to approve the login attempt.
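To make steps 2, 4 and 5 concrete, here is a small self-check script you can run against a copy of your own site’s response headers, TLS configuration and password rules. It is an added example written for this article, not the author’s audit tooling; the header list, the expected values, the A/B/C/F grading and the 12-character password minimum are assumptions chosen as conservative defaults, and the sample responses are constructed, not captured from any of the airports above.

```python
"""Self-audit of security headers, enabled TLS versions and password policy.

Added example (not the article's own tooling). Expected values and grading
thresholds are assumptions, not requirements taken from the article.
"""
from __future__ import annotations

# Headers a hardened site is expected to send (assumed baseline, step 2).
REQUIRED_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
}
ONE_YEAR = 31536000  # minimum HSTS max-age we treat as adequate (assumption)

# Protocol versions that should be switched off (step 4); TLS 1.2/1.3 stay on.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.isdigit():
            return int(num)
    return 0


def audit_headers(headers: dict[str, str]) -> dict:
    """Report missing or weak security headers and a simplified letter grade.

    Grade (assumption, modelled on the A/B ratings the article mentions):
    A = no findings, B = one finding, C = two findings, F = three or more.
    """
    present = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in REQUIRED_HEADERS if h not in present]
    weak = []
    hsts = present.get("strict-transport-security")
    if hsts is not None and _hsts_max_age(hsts) < ONE_YEAR:
        weak.append("strict-transport-security")  # present but too short-lived
    findings = len(missing) + len(weak)
    grade = {0: "A", 1: "B", 2: "C"}.get(findings, "F")
    return {"missing": missing, "weak": weak, "grade": grade}


def check_tls_protocols(enabled: list[str]) -> list[str]:
    """Return the enabled protocol versions that should be disabled."""
    return sorted(p for p in enabled if p in DEPRECATED_PROTOCOLS)


def password_meets_policy(password: str, min_length: int = 12) -> bool:
    """Minimum length plus at least one non-alphanumeric ('weird') character."""
    return len(password) >= min_length and any(not c.isalnum() for c in password)


# Constructed sample responses (not captured from any real site).
SAMPLE_HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
SAMPLE_BARE = {"Content-Type": "text/html; charset=utf-8", "Server": "Apache"}
SAMPLE_SHORT_HSTS = dict(SAMPLE_HARDENED, **{"Strict-Transport-Security": "max-age=300"})


if __name__ == "__main__":
    for name, sample in [("hardened", SAMPLE_HARDENED), ("bare", SAMPLE_BARE),
                         ("short-hsts", SAMPLE_SHORT_HSTS)]:
        print(name, audit_headers(sample))
    print("disable:", check_tls_protocols(["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]))
    print("policy ok:", password_meets_policy("correct horse battery staple!"))
```

Run it as-is to see the three constructed samples graded, then replace the sample dictionaries with the headers your own server returns (for example from your browser’s network panel) and the protocol list with what your web server configuration enables.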
For some more interesting facts on cyber security and hacking, have a look at these Hacking Facts from 2020, and if you would like some help getting your platform or website secured, fast and safely, get in touch: [email protected]