Taking web security seriously

But where to start? Here’s our security starter for 5 that organisations of all shapes and sizes should consider:

• If a member of staff leaves, ensure that their access details are deleted.

• Be clear on who has access to your website and limit the number of administrators to a maximum of 3.

• For those who need to access certain sections of the site for updating/editing purposes, grant an editor profile. This will give people access to just the bits they need – not the whole site.

• Strong passwords are not just a requirement for your email or financial transactions online, they are also imperative for your website server, admin and database passwords.

• Make sure your password is a combination of alphanumeric characters, symbols, upper and lower case characters and is at least 12 characters long to protect against brute force attacks.

• Don’t use the same password for all your different website logins. Change your passwords regularly to keep them extra secure. Store users’ passwords in encrypted form (sites built using Drupal have this already). This ensures that even if there is a security breach, attackers do not get their hands on actual user passwords. A password manager is a good way to help keep track of all of the passwords you use, but it's important to make sure that it stores the information in a secure and encrypted way.

• Only people with server admin access should be able to log in and be sure to limit the number of people with access. Instead of using passwords, use cryptographic keys. Ensure you have a strong firewall that blocks what you don’t need. Keep the server upgraded and ownership of the file system clearly demarcated.

• As a site owner, it’s your responsibility to ensure that all software that your site uses to run, is kept tip top and up to date. Software companies are continually updating their products to include enhancements and updates to security in response to what is happening in the cyber world NOW. It’s imperative that you ensure your site has the most up to date versions of software to protect both your business and your customers. It’s your choice whether you take responsibility to ensure that this happens, or you outsource to technological experts.

  • We’re currently talking to customers about migrating all the websites we host that are built on Drupal 7 and Drupal 8 to Drupal 9, as Drupal 7 and 8 are coming to end of life.

• Every website has the potential to be attacked by hackers and cyberbots. Whilst prevention is the best cure, it’s essential to have a plan in place in case a security breach does occur. If your site does get compromised, you will need a way to restore an uncorrupted version. This requires a rapid investigation of the incident to understand the nature of the attack and when the attack happened which may be a while before it was identified. Recovery involves eradicating the security vulnerability that was exploited and then reinstalling a clean version of the website.

The National Centre for Cyber-Security issues regular cyber security guidance and has an excellent, easy to understand and straightforward guide on how increase your protection from the most common types of cyber-crime. You can download it at https://www.ncsc.gov.uk/smallbusiness

We are Olamalu, Drupal experts and experienced web developers. We’re a friendly and down to earth team based in West Oxfordshire, who work together to achieve brilliant outcomes. We’ve been building websites and designing tailormade tech solutions for a huge range of different challenges for over 10 years. We work alongside clients and really get under the skin of the business, understanding not just what is needed now, but also how to plan ahead and consider the business needs in the future.

www.olamalu.com