I recently joined Free Rein to lead on the Business Development work, confident that I would add value to the business. But in the first few weeks the Free Rein guys have introduced me to the standards of coding and security they work to, not just for the Government clients, but for everyone.
So I thought I would look at a selection of local business websites from local agencies and just run some passive checks on security, responsiveness and speed. To say I was astounded at the results would be a severe understatement. In particular, Wordpress have gained a reputation that anyone can put a site together and it would pass muster – not true.
I started by looking into web security across nearly 200 websites cross-sector. We carry out various passive tests to check on a website’s vulnerability. From the 200 about 120 had security issues and of those around 75 were WordPress sites. These issues range from easily being able to access login pages, as well as being able to see user and login names (nice gift for a Brute Force Attacker) to lack of encryption due to either non-existent or mismatched SSL certificates.
Under the GDPR next May it will be compulsory for anyone to notify the ICO of any data breach and, where inadequate security contributes to a breach, companies can be fined up to 4% of global turnover – not profit, turnover.. If you do not encrypt your data entry pages you are running a risk of ‘dropping client info’ details to a dodgy attacker. But there are other benefits to protecting your site like this.
Many websites are also susceptible to ‘Drown’, ‘Poodle’, ‘Freak’ and ‘Crime’ attacks (have a play on Google if you want the details) where the encryption and/hosting set up has not been completed correctly.
We apply the same secure build principles to a simple brochure website for a start-up as we do for a Government department or bank as a natural part of our service. Hence we can probably fix your security issues in a fraction of the time that creative agencies do it. They often phone us and ask us how to do it anyway. A fraction of the time means a fraction of the cost for your peace of mind.
Case in point:- I checked websites based on case studies of one large digital firm. Every single one was a WordPress site with security issues. The creative agency’s website itself is not secure!
If I have given you food for thought, then great. But should your web development agency have not told you about this already AND fixed it? If they haven’t, do they know what they are doing or are they best at the creative work and need help from competent developers?
Simple reminder saying is ‘if you get hurt by the bear don’t go asking the same bear to help you. Ask a friendly Siberian Tiger. They are stronger and very secure’ (Seikatsukara Shinjitsu).
Andrew