Be excited by 2014’s digital opportunities . . . but beware security threats

The good news is that customer experience, mobile and content marketing are seen as the most exciting digital marketing opportunities for 2014.

That’s according to The 2014 Digital Trends Briefing report by Econsultancy in partnership with Adobe, which highlights key digital trends, challenges and opportunities which marketers need to be aware of during 2014. The report covers all the trends online marketers will want to sink their teeth into this year.

The bad news? There appears to be no mention of any threats that companies are facing with regard to their online strategies.

Perhaps it’s not seen as being particularly sexy, or even directly relevant for digital marketers – but from our perspective – website security is going to make or break digital strategies in 2014.

Forget big-name brand hacks like those that have already happened at EA Games and Bitcoin. What about your company website running right now? What about your Twitter and Facebook passwords that control access to company social media pages?

Just how secure are your digital investments?

The problem

In the old days, flat HTML websites may not have offered much interaction or advanced features – but they were pretty secure. A straightforward HTML page is difficult to hack from the front. But with the popularity of CMSs like WordPress and Joomla, keeping security up-to-date has become much more complicated.

With every day a website CMS runs online, it becomes more out-of-date and insecure. That’s because hackers actively seek out vulnerabilities in a website’s CMS core, look-and-feel theme files and plugins. With our hosting partners, we are currently rejecting thousands of hacking and spamming attempts every day on the 120-odd sites we manage. Despite all the precautions, sometimes they get through!

Right now we are working on securing a site that has been compromised – most likely because of an insecure server application. We became aware of the security vulnerability early this year and notified the client that there was a problem, recommending an urgent upgrade for a few hours’ maintenance work. The security modifications were not approved and the site was compromised as a result – forcing a more time-consuming clean-up process.

In this case, the hackers just edited a master theme page and inserted spam back-links. But the reality is that they could have done anything. They could have dropped the site entirely. They could have spammed people directly from the server. If the client had any of their client’s data stored online, they could have gained access to it. Further, they could have used that data for spamming purposes . . . from the client’s web server.

The vulnerabilities are real. The hacking attempts are not just real – they are constant and they are evolving. The possible fallout is devastating for a brand and even from a company liability perspective.

The solution

The first step in fixing the problem of website security is to identify why websites are becoming vulnerable. Technically, it’s because core website CMS systems are not being updated. Themes with vulnerabilities are also not being updated and associated website plugins are similarly left out-of-date.

From the outside, it seems easy to upgrade the CMS to the latest version. And in a way, it is! For example, all you need to do to upgrade WordPress is have admin rights and click a few buttons. The CMS automatically upgrades itself. All very clever, right?

Wrong! More often than not, the latest version of WordPress is incompatible with at least one of the plugins that were required to build the site to the client’s specifications in the original build. Or to be more precise, the plugin developers still need to update their code to be compatible with the latest version of the CMS. That could be this week, this month or next year. It will be updated when they get around to it.

The same goes for themes. Not all themes run on all versions of WordPress. And both broken themes and broken plugins have the ability to drop a CMS website entirely.

What this all boils down to is that upgrading a CMS website to its latest version could take many hours. So who is paying for those hours?

Three strikes and you are out

Your ISP? Your ISP runs the platform upon which your website is based. They need to make sure that their own servers are secure but they wisely distance themselves from the security of individual websites. They are only interested in your website security as far as it impacts their own security and the hundreds, if not thousands of other websites they are hosting right next to yours.

This is where there is some confusion. In the old days, with HTML sites that are inherently more secure, almost all the vulnerabilities were located at the ISP on their own infrastructure. Now the vulnerability could come from either the front end or the ISP back end. Just don’t think the ISP is going to fess up to a major security breach on their side of the fence.

With most ISPs, it’s three strikes and you are out. Typically, if they find your website is either vulnerable or hacked they take the whole site down immediately without question. They pack it kindly in a zip file on the server and notify the site owner, or web developer, about the vulnerability. If you try to clean the website up, but are not 100% successful and they find a vulnerability or evidence of a hack again, it’s strike two. Do the same again by mistake when your best efforts to fix the problem are insufficient and it’s strike three – they take the site down and ban it for life.

No, the typical “stack-em-high, sell em cheap” ISP is not interested in your website security. Much less your online brand reputation. What they are interested in is their own security and their own brand reputation. What did you think you were buying for R9-00 a month, anyway?

Variable skill levels

Your web developer? It stands to reason that your web developer should take the lead in keeping the website up-to-date. But who is going to pay the bill?

Most web developers are contracted to build a website once off. The website is built and the final version is approved. Often the web developer hosts the website on behalf of the client and the client pays, typically, a few hundred rand a month for the hosting service. What is also common is a website updating contract – but that is typically for updating pictures, videos and other content.

That’s the web developer’s bread and butter. That’s also what they teach at whatever passes as a web design college. Which means that unless they are hugely experienced (and expensive too?), it’s likely that your web developer is not great in the security department.

Website security needs to be purchased

In our business, we have come to the realisation that the only way websites are going to become more secure is through a major shift in attitude from all the partners concerned. ISPs need to help web developers by discovering ways to work with them to ensure websites are more secure. Right now, they simply bury their collective heads in the sand by blaming developers and making little attempt at offering a more comprehensive service.

On the other hand, both web developers and clients are at fault by rushing to support the cheapest ISPs they can possibly find! What, honestly, should one expect from a monthly service that costs less than a single cup of coffee? The answer is little to nothing – which is exactly what you paid for.

What we have done as a web development company is partner with a smaller ISP that hosts their server on a large ISP’s infrastructure. What we get in return is all the advantages of a large ISP from an infrastructure perspective, but the levels of service from a small team of people who are dedicated to ensuring high levels of both server and website security.

The client’s responsibility

What we have been less successful at communicating is how important website security is right now. It’s not a looming threat or one which may occur at some time in the future. The threat is real. The threat is not going away. The threat grows larger every day.

From our side, we have tried to bundle responsible hosting and updating services with website security updating contracts to ensure websites are constantly kept up-to-date with the latest CMS system, plugins and themes.

But it’s not an easy sell.

The economy is still strained and most business owners and marketers are suspicious of whatever newfangled scheme someone has come up with to relieve them of their cash on a monthly basis. Especially when the assumption is that they already pay for the ISP to take care of website security!

Regardless of what assumptions are made, hackers, like all criminals, are quick to exploit vulnerabilities. A company that fails to secure their digital assets is going to be hurt one way or another. It’s really just a matter of time.

