Why do we need a regular website security audit? | Square Eye

Why do we need a regular website security audit?

10 Jul 2023

Unfortunately, the threat of a website security breach is very real. You will no doubt have heard of numerous cases of such security breaches in the news. In the legal sector, the Law Gazette reported in April 2022 that the Bar Council and Bar Standards Board have been targeted, and the Solicitors Regulation Authority reported that 75% of law firms sampled have been the victim of a cyber attack.

In the last month, legal firms have been urged to strengthen their cyber defences by the National Cyber Security Centre (NCSC). The NCSC has just updated its Cyber Threat to the Legal Sector Report, last published in 2018; it covers all aspects of cyber security and contains case studies detailing the impact such breaches can have.

What causes website security breaches?

It’s an unfortunate fact of modern life that malicious people will try to break into websites.  They may be motivated by political reasons, corporate espionage, financial gain or just mischief.  Your website could be specifically targeted for some reason;  or more likely it may be the subject of a random mass attempt to find a vulnerable site.  Whatever the motive, the existence of the threat is a given.

It is the defences of your website that play the ultimate part in whether an attack will be successful or not.  The holes in a website defence are most likely to be:

  • Human error e.g. forgetting to update your password regularly, clicking a phishing link, leaving your laptop in a restaurant, or not removing the credentials of an individual that no longer works for you;
  • Lack of website maintenance e.g. not updating old code or keeping your software up-to-date with latest releases;
  • Lack of website security features such as two-factor authentication;
  • Low budget website hosting;
  • Complacency and not prioritising website security; not having processes and procedures in place to mitigate human error, for example forcing strong passwords and periodic changes to them. 

Protect yourselves with a website security audit

We can’t guarantee that you will never be hacked;  if the Pentagon’s site can be hacked, so can yours.  But a security audit of your website – and implementation of any recommendations – can give you peace of mind knowing your defences are reasonably strong and the risk of intrusion is low.

As part of our audit, we review five key areas to improve your website security:

  • Hosting and backups
  • Website maintenance (including software updates)
  • Password security
  • Website forms
  • Security software & integrations

The audit will review these areas in detail, and flag up any remedial work that needs to be carried out. You will receive a report on your current website security status and a list of actionable recommendations. 

Hosting and backups

High-quality hosting and regular back-ups are critical both to the smooth operation of your website and to ensuring your site can be restored quickly, and in full, should the worst happen and it is subject to attack.  Our audit will check if your site has:

  • High-quality hosting with a premium on security
  • An active SSL certificate to protect data sent through forms
  • Daily backups from your hosting service 
  • Additional external backups
  • Firewall from Cloudflare or similar service

If any of the items are missing, we will recommend that they are implemented and suggest some options.

Website maintenance

Poor website maintenance can be an easy way in for malicious activities, so it is critical that code, plugins and themes are kept up to date. 

Plugins add functionality to your website;  an example is Complianz which we recommend to handle cookie consent banners and multi-region privacy policies.  Plugins are regularly updated by their developers to improve performance, resolve bugs, add features or close security loopholes.  It is important that these updates are pushed quickly to your website;  one of the main causes of WordPress security breaches is the use of outdated plugins.

A theme is the design of your website (and the template files involved).  You may have bought this from a theme gallery, or had an agency or developer create a custom theme for you.  Either way, themes should be built using best coding practices but also updated periodically to keep in sync with changes to PHP (the scripting language used to build a WordPress website).

Data is added or amended in your database every time you make a change to the site using WordPress.  Databases get bloated over time, and redundant data should be cleared out periodically for performance reasons.  And other database settings can be tightened for security.

Our audit will check that:

  • Your server is using PHP version 8.0.  (Security support for the previous version, PHP 7.4, will be discontinued at the end of 2022.)
  • All plugins & themes are up to date
  • Any unused plugins or themes are removed
  • A strategy is in place to manage regular updates to plugins and themes (plugin and theme updates are included in any one of our monthly support packages).

Password security & logins

The easiest way to break into something is to steal the keys. Ensuring proper password security is in place is essential to prevent easy access to your cyber properties and platforms.

For many, it is tempting to reuse passwords so as to reduce the mental load of having to keep on top of them all, but this does rather undermine their purpose. Luckily, a variety of helpful password management tools and systems have been introduced to reduce the need for password reuse. Our audit will review the login security in place on your website and make recommendations on how to improve security. Here are some of the login controls that can be used:

  • Force strong passwords (this prevents people from using 123456)
  • Two-factor authentication (this could be a one-time password to be sent by email or SMS)
  • Trusted devices (will only allow login from previously vetted devices)
  • Geolocation (will only allow login from a previously identified specific location)
  • Password age limit (will force a new password after 3 months say)
  • Passwordless login (the dream – a login link will be sent to the destination of your choice)
  • reCAPTCHA (a puzzle may accompany the login process)
  • Refuse compromised passwords (passwords will be compared to a register of passwords known to have been compromised)
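To make four of the controls above concrete (forcing strong passwords, refusing compromised passwords, a password age limit, and a one-time code for two-factor login), here is an added Python example. It is not Square Eye's code or part of any WordPress plugin: the length and character-class thresholds, the 90-day age limit, and the contents of the compromised-password register are all constructed assumptions. The register lookup is done by SHA-1 prefix, so only five hex characters of the hash would ever leave the client against a real breach-register service.

```python
"""Login controls: strong-password enforcement, breach-register lookup by
SHA-1 prefix, password age limit, and single-use one-time codes.
Added example (not Square Eye code); thresholds and data are constructed."""
import hashlib
import hmac
import secrets

MIN_LENGTH = 12               # assumed policy minimum
MAX_PASSWORD_AGE_DAYS = 90    # "force a new password after 3 months"

# Constructed stand-in for a register of known-compromised passwords, keyed by
# upper-case SHA-1 hex. A real register would be a breach corpus; this one has
# four entries so the example runs offline.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("123456", "password", "qwerty", "letmein")
}


def in_breach_register(password: str) -> bool:
    """Prefix (k-anonymity style) lookup: only the first five hex characters of
    the hash are sent to the register, which answers with every suffix under
    that prefix; the final comparison happens locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    range_response = [h[5:] for h in COMPROMISED_SHA1 if h.startswith(prefix)]
    return suffix in range_response


def password_findings(password: str, days_since_change: int) -> list[str]:
    """Return the policy violations for a password; an empty list means it passes."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"too short ({len(password)} < {MIN_LENGTH})")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        findings.append("weak: fewer than three character classes")
    if in_breach_register(password):
        findings.append("compromised: present in breach register")
    if days_since_change > MAX_PASSWORD_AGE_DAYS:
        findings.append(
            f"expired: not changed for {days_since_change} days (limit {MAX_PASSWORD_AGE_DAYS})"
        )
    return findings


class OneTimeCodeStore:
    """Six-digit codes for delivery by email or SMS: time-limited, single-use,
    compared in constant time. `now` (seconds) is passed in by the caller so
    the flow is deterministic and testable."""

    def __init__(self, ttl_seconds: int = 300):
        self.ttl = ttl_seconds
        self._pending: dict[str, tuple[str, float]] = {}

    def issue(self, user: str, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, leading zeros kept
        self._pending[user] = (code, now + self.ttl)   # reissuing replaces the old code
        return code

    def verify(self, user: str, code: str, now: float) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False
        expected, expires_at = entry
        ok = hmac.compare_digest(expected, code) and now <= expires_at
        if ok:
            del self._pending[user]    # single use: a replayed code is rejected
        return ok


if __name__ == "__main__":
    print(password_findings("123456", 0))
    print(password_findings("Correct-Horse-Battery-9", 100))
    store = OneTimeCodeStore()
    code = store.issue("alice", now=0.0)
    print(store.verify("alice", code, now=60.0), store.verify("alice", code, now=61.0))
```

Two design points worth noting for an audit: the compromised-password check should run on every password change, not only at registration, and the one-time code must be both time-limited and deleted on first successful use, otherwise an intercepted code remains valid.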

In addition to this, we will review precisely who has access to your website and make sure that everyone on the list should be on the list.

Website forms

Electronic communications are another way to spread malicious activity, and so these need to be monitored carefully. The audit will check:

  • What anti-spam measures are in place?
  • Is spam being submitted through forms?
  • Do payment forms use a secure processor?
  • Do forms appear to be GDPR-compliant?
  • Is data submitted through forms deleted after an appropriate period of time?

Security software & services

Most of the points above cover preventative security measures: stopping someone gaining access to your site in the first place.  But additional defences and tools can help in the unwelcome case that someone manages to intrude.  Additional security software on your website can help in both areas;  features we will check for include:

  • Daily site malware scans (to check if any malware is present), using either an onsite or integrated third-party service.
  • User logging (so that any activity by any user can be traced)
  • Version management (so that earlier versions can be reinstated if required)
  • Enforced use of your SSL security certificate.
  • HTTP security headers (additional security layers).
  • Hide backend and login URL (a non-standard WordPress admin URL is used so as to minimise the chance of automated attacks).
  • Non-standard database table names.
  • In special cases where security is critical, periodic penetration testing.
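Two items on that list, enforced use of the site's SSL/TLS certificate and HTTP security headers, can be checked mechanically. The following Python is an added example of such a check and is not Square Eye's audit tooling: the header baseline (HSTS with a max-age of at least a year, a Content-Security-Policy, `X-Content-Type-Options: nosniff`, a framing restriction, and a Referrer-Policy) is an assumed minimum, and the sample responses are constructed so the code runs offline. `fetch_and_audit` issues a real HEAD request without following redirects, which is what lets it see whether plain HTTP is permanently redirected to HTTPS.

```python
"""Audit one HTTP response for enforced HTTPS and baseline security headers.
Added example (not Square Eye code); baseline and sample responses are assumed."""
import http.client
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds


def hsts_ok(value: str) -> bool:
    """Strict-Transport-Security counts only with a max-age of at least a year."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip().strip('"')) >= ONE_YEAR
            except ValueError:
                return False
    return False


# Header name -> (validator, finding text). Assumed baseline for a WordPress site.
BASELINE = {
    "strict-transport-security": (hsts_ok, "HSTS missing or max-age under one year"),
    "content-security-policy": (lambda v: bool(v.strip()), "no Content-Security-Policy"),
    "x-content-type-options": (lambda v: v.strip().lower() == "nosniff",
                               "X-Content-Type-Options is not 'nosniff'"),
    "x-frame-options": (lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
                        "X-Frame-Options does not block framing"),
    "referrer-policy": (lambda v: bool(v.strip()), "no Referrer-Policy"),
}


def audit_response(url: str, status: int, headers: dict[str, str]) -> list[str]:
    """Return the findings for one response; an empty list means it passes."""
    lower = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    if urlsplit(url).scheme == "http":
        # A plain-HTTP request should be upgraded permanently; the headers
        # themselves are judged on the HTTPS response, not here.
        if status in (301, 308) and lower.get("location", "").startswith("https://"):
            return []
        return ["plain HTTP served without a permanent redirect to https://"]
    findings = []
    for name, (check, message) in BASELINE.items():
        value = lower.get(name)
        if value is None or not check(value):
            findings.append(message)
    return findings


def fetch_and_audit(url: str) -> list[str]:
    """Send one HEAD request (redirects deliberately not followed) and audit it."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return audit_response(url, resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


# Constructed sample responses (not captured from any real site).
WEAK = ("https://example.test/", 200, {"Server": "nginx", "Content-Type": "text/html"})
HARDENED = ("https://example.test/", 200, {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
})
UPGRADED = ("http://example.test/", 301, {"Location": "https://example.test/"})

if __name__ == "__main__":
    for sample in (WEAK, HARDENED, UPGRADED):
        print(sample[0], sample[1], audit_response(*sample) or "OK")
```

Run `fetch_and_audit("http://your-site.example/")` and then the same for `https://` to cover both halves of the check; a Content-Security-Policy value is only tested for presence here, since a policy that actually fits the site's theme and plugins has to be judged by hand.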

What does a website security audit not cover?

A website security audit does not cover the cyber security practices of your whole organisation. It just covers the cyber security practices active on, or absent from, your website. If you would like information on how to guard your entire organisation against cyber attacks, please review the information available from the National Cyber Security Centre.

Next steps

To find out more about our security audits and pricing, please email us at [email protected]
