Most organisations know the importance of a website, writes Doug Cunningham, CTO of the content management systems provider Forrit. It is, effectively, a shop front displaying your business to the world; it increases your credibility, shows who you are and what you can provide.
But while many companies focus on the content of the website, it’s equally important to consider the security implications. After all, a website that is riddled with bugs or unsecured files speaks very poorly of the business.
It’s common for many organisations to hire a content editor or content manager to run their website. This person will have a range of responsibilities, including updating and managing the website. Typically, they will have a communications background, with experience in writing, marketing, and editing – not technology or security. In fact, some companies have moved people from their call centres to content management departments based on their customer and product knowledge. Technological know-how doesn’t necessarily come into play with content management hiring decisions.
On the surface, this makes sense. While traditionally a company would have to send content to its IT department to post on the website, technology has become ubiquitous enough that most people are now familiar with basic content management systems (CMS) and can post materials online. But choosing the right CMS is crucial to the security of the website, not just to its presentation.
A CMS can effectively act as a guardrail, guiding users away from making errors and potentially causing a content security risk. A robust and compliant CMS platform is the first line of defence against constantly changing cyber crime.
A modern PaaS-based CMS can provide an added layer of security to your website management in several ways:
– Configurable role-based access control, to ensure employees can only access the information they need to do their own jobs and cannot interact with data they don’t need.
– Traceability: tracking changes and who made them, so that an audit trail keeps everyone accountable.
– Layered network defences that integrate firewalls, NSGs, vNets and private endpoints.
– Scanning content both in transit and at rest, and flagging when unsecured content is detected.
– Requiring go-live approval from more than one person, ensuring an additional level of checks and balances.
– PaaS-based rather than IaaS-based, meaning the underlying infrastructure is updated and patched automatically.
Given all these elements of security inherent in the right CMS, it’s easy to question why a content editor would need any form of security knowledge of their own. But a CMS is just a rail, not a fence – it doesn’t prevent content editors from doing their work. The relationship between a CMS and a content editor should be one of synergy, where the content editor’s knowledge and the CMS’s mechanisms work together to keep the website secure.
And where there are questions of security, it’s easy to go around the CMS and make your own decisions: most CMSs will give you the opportunity to override it when it flags up a concern such as an unsecured link. It is the responsibility of the content editor to understand what this means and be able to determine whether or not that link should go live.
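To make the interplay between those controls and the editor's override concrete, here is an added sketch (not code from Forrit or any particular CMS) of a go-live gate that combines role checks, an audit trail, unsecured-link flagging with a recorded override, and approval from more than one person. The role names, the `Page` structure, the rule that an author cannot approve their own page and the rule that an override resets approvals are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

# Flags href/src attributes that load over plain HTTP (the "unsecured link" case).
INSECURE_URL = re.compile(r'(?:href|src)\s*=\s*["\'](http://[^"\']+)["\']', re.I)
# Hypothetical role map: which role may perform which action.
ROLE_ACTIONS = {"editor": {"override"}, "approver": {"approve"}}

@dataclass
class Page:
    author: str
    html: str
    approvals: set = field(default_factory=set)
    overrides: dict = field(default_factory=dict)  # url -> (user, reason)
    audit: list = field(default_factory=list)      # append-only (user, action, result)

def _authorise(page, user, role, action):
    allowed = action in ROLE_ACTIONS.get(role, set())
    page.audit.append((user, action, "allowed" if allowed else "denied"))
    if not allowed:
        raise PermissionError(f"role {role!r} may not {action}")

def find_insecure_links(html):
    return sorted(set(INSECURE_URL.findall(html)))

def override_link(page, user, role, url, reason):
    _authorise(page, user, role, "override")
    if not reason.strip():
        raise ValueError("an override needs a written reason")
    page.overrides[url] = (user, reason)
    page.approvals.clear()  # assumption: approvers must see the override before go-live

def approve(page, user, role):
    _authorise(page, user, role, "approve")
    if user == page.author:
        raise PermissionError("authors cannot approve their own page")
    page.approvals.add(user)

def can_go_live(page, required_approvals=2):
    """Return (ok, blockers); every flagged link needs a recorded override."""
    blockers = [f"unreviewed insecure link: {u}"
                for u in find_insecure_links(page.html) if u not in page.overrides]
    if len(page.approvals) < required_approvals:
        blockers.append(f"{len(page.approvals)}/{required_approvals} approvals")
    return (not blockers, blockers)
```

The override does not bypass the gate: it records who accepted the risk and why, and sends the page back to the approvers.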
It’s now almost cliché to say, but the events of the past 18 months have driven home the importance of constantly considering security. More and more people are working remotely either full or part time, a trend which isn’t likely to abate even as offices reopen, and cyber criminals have more opportunity than ever to take advantage of an organisation’s vulnerabilities. It must fall to everyone – not just members of the IT department – to keep a business secure.