
Beware the Security Risks of “Free” Websites

Adrian McWethy, Account Manager Sophicity: We put the IT in city


One great result of modern technology is that it’s easier than ever to set up a website. 20 years ago, you would need a webmaster who knew how to code and host your website on a complicated server. Today, there are so many free website and content management system platforms that you can set up in a short time. Because the cost is so compelling, many smaller organizations, businesses, and even cities go this route to set up a very low-cost website.

That approach leads to significant security risks. For example, a recent SC Media article points out that WordPress websites (which are quite popular) are prone to ransomware attacks from criminals specifically targeting them. Why go after WordPress websites? It’s not because there is anything bad about the platform. Instead, it’s because criminals know that many of these sites are set up by non-technical people who will not know how to configure, manage, code, and update their websites to eliminate security issues.

If you took a low-cost approach to get your city’s website up and running, you may be at risk. To perform a quick assessment, ask yourself the following questions.

1. Where is my website hosted and what do I know about the hosting provider?

Free or cheap website hosting providers may not adhere to strict security standards, leaving your website at risk. Are they regularly providing security updates? Are they monitoring for security vulnerabilities? Where are they hosting the servers? Within sovereign U.S. borders? Is the information hosted in a country where security and compliance laws might differ from the United States? Will they allow for a third party to scan your website for security vulnerabilities? If you’re not sure of the answers to most of these questions, then you might want to reexamine where you’re hosting your website. In some cases, less reputable vendors can even go out of business or sell their platform to another vendor who may not have your best interests in mind.

Another common situation with cities involves a single employee acting like a webmaster who holds all of your information hostage. If that employee leaves, gets fired, or even dies, then you may not be able to access your website. Cities that host their own website in-house on a server may also not follow security best practices if they have limited or reactive IT resources at their disposal.

2. Who manages your website’s security?

If you’re thinking “I need to manage my website’s security,” then you’re in trouble. Website security involves a lot of aspects including:

• Permissions: Who gets administrative access? Who gets to upload and edit content? Who gets review-only permissions?

• Password management: Are you enforcing strong password best practices that help prevent hackers from accessing your website? Too many stories still occur where a hacker gets into a website because an organization’s password is something simple like “123456” or “admin.”

• Technical backend security: We won’t go into technical details here, but hackers have many ways they can take advantage of poor website configurations to attack your website through everything from uploading malicious files to using your error messages to discover ways to hack your website. You also need IT professionals to assess and vet any third party plug-ins to your website.


3. How is payment information secured on your website?

It’s likely that you allow citizens to pay for tickets, fines, utilities, licenses, or other services online. How is payment information secured when citizens share it with you? In order to comply with PCI DSS standards, you need to secure and encrypt payment information when it’s entered, in transit, and in your hands. Otherwise, it’s easy for hackers to steal credit card information, banking information, and personal details such as birthdays or a physical address.

4. Who is regularly patching and updating your website software?

Technically, this may seem part of #2 above. But in light of the WannaCry ransomware attack and Equifax data breach this year, it’s important to specifically highlight patching and updating software. A failure to patch software led to many organizations losing data to ransomware this year, especially a shame because patches existed for many months that could have prevented those attacks.

Websites inevitably contain bugs and security vulnerabilities that need patching on an ongoing basis. In addition, software updates improve your website’s performance and give you access to new features that will enhance how you use the software. If you’re not keeping up on patching or your website software doesn’t provide regular updates, then your website may be at risk.

5. Do you have a backup plan if your website data is lost?

Like any repository that stores data, there is a risk of permanently losing that data. That means you need a data backup and disaster recovery plan in case something goes wrong. If you host your website onsite, then you will need both an onsite and offsite data backup and disaster recovery plan. Otherwise, a fire, flood, or tornado could completely eradicate your website.

Even if you’re using a website hosting provider, you need to ensure that they have a data backup and disaster recovery plan. They can still lose data from human error or a disaster at a data center. What are their contingency plans? If they can’t answer you with confidence and specificity, then you might want to consider another hosting provider.

Going the free or cheap route with a website involves consequences that might become more costly in the long run. Make sure your website is hosted, managed, secured, patched, updated, and backed up so that it continues to run and keeps your citizens’ information safe.
