Enterprise security is getting tougher, and enterprises must take particular care of their websites, says Jeff Mills, UK Country Manager at content platform provider WordPress VIP.
That much of the world spends much of its time online is nothing new. But the past four or five months of 2020, with many of us working from home, food shopping online, home-schooling, watching Netflix or Amazon Prime and generally using the internet for almost everything, have highlighted the ubiquity of online life more clearly than ever.
We rely on the internet for many elements of our day-to-day lives and this is a trend that is unlikely to change any time soon. Large enterprises – whether they are retailers, publishers, healthcare providers, banks, insurers or something else – are therefore hugely reliant on their websites remaining stable, available and running at the highest levels of speed and performance. How those websites are kept safe and secure is also of the highest importance for enterprises.
The volume and variety of cybersecurity threats are growing all the time – even Covid-19 brought with it a fresh wave of malware attacks – and cybercriminals will always look to exploit any vulnerability they can find. Data breaches are increasingly common, but instances of malware, ransomware and phishing campaigns are also still widely deployed. There are many ways in which an enterprise can be breached, and its content platform is one of them.
Data breaches and data privacy compliance
It has never been a busier time for cybersecurity teams at large enterprises. There are more attacks than ever, cybercriminals are more professional and organised and there are more ways for defences to be breached, despite advances in cybersecurity technology. Cyber-attacks are constantly evolving and adapting, and an increasingly used entry point for criminals is via an enterprise’s website.
Even if the enterprise in question is confident in its own security measures and has invested in, and effectively deployed, the best cybersecurity tools, a website usually involves a wide range of suppliers and third parties, each of which is a potential area of vulnerability. The bigger the enterprise, the more third parties are generally involved in the website. That is why selecting the right content platform provider is one of the most important cybersecurity decisions facing many organisations.
Not only are enterprises at risk of a data breach, with all the implications that holds, but there is now also much more regulatory compliance to be mindful of. Recent regulation such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) can lead to enormous fines for non-compliance, as well as the brand damage of being publicly known as an organisation that does not look after its customers’ data effectively. Furthermore, new legislation is emerging all the time, such as the upcoming federal law on consumer protection in the United Arab Emirates, so enterprises must be constantly aware of the changing global picture.
Locking down the content platform
Because there are so many entry points, enterprises need to have absolute assurance and confidence that their content platform will not be the weak link in their cybersecurity, bringing the entire website down with it. This means that when selecting a content platform, there are several key requirements that the enterprise must raise as a priority.
A good place to start is checking a potential content platform provider’s compliance certification. Data centres should hold SSAE 18 SOC 1 and SOC 2 certifications, while providers should adhere to the EU-U.S. Privacy Shield Framework and the Swiss–U.S. Privacy Shield Framework. Physical security is important too, and servers should hold International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001 certification and Statement on Standards for Attestation Engagements (SSAE) No. 18 SOC 1 and SOC 2 Type 2 reports.
Then it is a question of assessing which security features are most important to that particular enterprise. Data encryption in transit from edge to origin, with options for encryption at rest; network and host-based firewalls with real-time notification processes; and logging and auditing at the application, web server, load balancing, database, and operating system layers are all important. Ideally a content platform would offer all of these.
Another consideration is whether a provider has its own data centres – and can therefore control, and demonstrate transparency over, its security measures – or not. If a content platform does not host on its own hardware in its own data centres, there is another potential layer of security vulnerability for the end user to worry about.
Cybersecurity is far too complex and too important for a large organisation to leave itself vulnerable by working with a third party that offers non-enterprise security features and functionality. Cybercriminals are already highly professional and targeted – do not make it easier for them by compromising on content platform security and exposing the business to data breaches, cyber-attacks and more.