Web Security – Basic Principles for the Business

More and more organisations are now using a website as an integral part of their business strategy with UK statistics* suggesting that just under 80 per cent of companies now have a website presence.

However, a website also creates new dangers. Attacks on business-critical information can come from outside - potentially from geographical and legal territories far from home. The risk of the threat coming from internal sources must not be ignored either. There's plenty of cases where disgruntled employees or those facing the sack have wrought considerable havoc upon a company's website by accessing the back-end.

So it's not a question of ‘if’ you will be attacked, but ‘when’.

The security of your organisation's website must always remain a top priority and can be achieved by taking some simple steps. This short introductory article will look at things you need to consider in providing adequate web security.

Web security - basic principles

You will need to:

  • globe padlocks, web securityIdentify what business assets need protection

Do you know how many websites you have or what social media sites you are using? What intellectual property do you have on the website?

  • Determine what exposure to risk your assets may face

Some websites may be more vulnerable than others. In this age of unified communications what's posted on one site can reappear on another within seconds. Who has access to your website, both frontend and backend? Are they reliable?

  • Develop a web security policy

Your written web security policy must have buy-in from the boardroom and made available to everyone throughout the organisation.

  • Protect the assets cost-effectively and reduce exposure to risk

Do you use a back-up service to protect software and information on your website?

  • Obtain fit-for-purpose security for the site’s system design, development, deployment and maintenance

Off the shelf security is fine for standard websites that don't have a lot of functionality. But once your website gets sophisticated consider purchasing bespoke security from a reputable security software provider.

  • Provide good access control

Who has access to your website, both back end and front end? Lock the website down, restrict access and make sure you have monitors checking web chat and discussion rooms, where appropriate.

  • Use encryption to safeguard important data and require effective authorisation

Encryption is especially important if your website contains sensitive information such as personal or banking records that could be used for crime.

  • Ensure compliance with legislation

Does your website comply with all the rules and regulations in each country in which it can be accessed? Or have you tried to limit your liability by placing correct disclaimers on the site? Use E RADAR's IT Legislation Tracker

  • Set out contingency/business continuity plans in the event of disaster

What happens if you or your website hosting company has a fire, is evacuated due to a bomb threat or has a major power failure? Have you got security insurance?

  • Regularly monitor, review and update security

Consider using external consultants to give you a non-biased opinion of your web security. Make sure that you regularly train your staff on the latest web security issues and keep up to date with the latest threats using free security alerts.

* Office of National Statistics ICT Activity of UK Businesses (2010 Edition)