Beware the Security Risks of “Free” Websites
Adrian McWethy, Account Manager Sophicity: We put the IT in city
One great result of modern technology is that it’s easier than ever to set up a website. 20 years ago, you would need a webmaster who knew how to code and host your website on a complicated server. Today, there are so many free website and content management system platforms that you can set up in a short time. Because the cost is so compelling, many smaller organizations, businesses, and even cities go this route to set up a very low-cost website.
That approach leads to significant security risks. For example, a recent SC Media article points out that WordPress websites (which are quite popular) are prone to ransomware attacks from criminals specifically targeting them. Why go after WordPress websites? It’s not because there is anything bad about the platform. Instead, it’s because criminals know that many of these sites are set up by non-technical people who will not know how to configure, manage, code, and update their websites to eliminate security issues.
If you took a low-cost approach to get your city’s website up and running, you may be at risk. To perform a quick assessment, ask yourself the following questions. 1. Where is my website hosted and what do I know about the hosting provider?
Free or cheap website hosting providers may not adhere to strict security standards, leaving your website at risk. Are they regularly providing security updates? Are they monitoring for security vulnerabilities? Where are they hosting the servers? Within sovereign U.S. borders? Is the information hosted in a country where security and compliance laws might differ from the United States? Will they allow for a third party to scan your website for security vulnerabilities? If you’re not sure of the answers
to most of these questions, then you might want to reexamine where you’re hosting your website. In some cases, less reputable vendors can even go out of business or sell their platform to another vendor who may not have your best interests in mind.
Another common situation with cities involves a single employee acting like a webmaster who holds all of your information hostage. If that employees leaves, gets fired, or even dies, then you may not be able to access your website. Cities that host their own website in-house on a server may also not follow security best practices if they have limited or reactive IT resources at their disposal. 2. Who manages your website’s security?
If you’re thinking “I need to manage my website’s security,” then you’re in trouble. Website security involves a lot of aspects including: • Permissions: Who gets administrative access? Who gets to upload and edit content? Who gets review-only permissions? • Password management: Are you enforcing strong password best practices that help prevent hackers from accessing your website? Too many stories still occur where a hacker gets into a website because an organization’s password is something simple like “123456” or “admin.” • Technical backend security: We won’t go into technical details here, but hackers have many ways they can take advantage of poor website configurations to attack your website through everything from uploading malicious files to using your error messages to discover ways to hack your website. You also need IT professionals to assess and vet any third party plug-ins to your website.
inspiring
34
SOUTH DAKOTA MUNICIPALITIES
