Planning for the security of your website is your responsibility

In today’s business landscape most businesses need a website. Customers often research online and if your business doesn’t show up on a web search, they may well go with someone who did.

Many businesses choose a web design company to undertake this work for them. However, what happens, and who is responsible, if things go wrong once the site is up and running? The answer depends on how the site was set up and what contract terms were agreed with the provider.

An all-in-one provider may offer the best solution for a business that doesn’t want to, or doesn’t have the resources to, take on responsibility for updates, upgrades and maintenance of its site.

A good all-in-one provider will obtain hosting space for the site, choose and install the framework it will run on, and design and upload it. They will make sure the site receives any new security patches, bug fixes and updates promptly, and manage good security for the site. This would include:

  • Changing default credentials and the address of the administrative logon portal
  • Changing passwords periodically while following good password practices
  • Obtaining an SSL/TLS certificate so that traffic to the site is encrypted
  • Setting up DNS records so that your site can be reached by visitors and found by search engines.

If you choose an all-in-one provider for your business, here are a few important questions to ask:

  • How often the provider will check for new updates and apply them
  • How often they will take a backup of the site and where it will be stored
  • How they have verified the security of their server – that it is safe from attack and that sites hosted on it are secured from each other
  • What platform they plan to host it on, if that platform has any known vulnerabilities and how they will secure against these, and why they are sure this is the right platform for your needs
  • What assurances they can offer that your site is safe from attacks such as XSS (cross site scripting) and SQL injection attacks among others
  • If they will do any vulnerability scanning or penetration testing against the site and if so how frequently
  • If you will take card payments, what ecommerce platform they will provide and the Payment Card Industry Data Security Standard (PCI DSS) compliance of that platform.

It’s important to be clear who is responsible for these critical security and maintenance tasks. If you take payments through your site, it is important to know your responsibilities for PCI DSS compliance and make sure they are being met.

If your site is compromised, a PCI investigation into your business could result in significant costs. Compromises include malware being served to a customer’s computer, a redirect being applied to a malicious site, or even code being installed to skim card numbers, all resulting in fraud against your customers.

The reputational damage of a site breach or implication in fraud could be catastrophic, so make sure to keep your exposure to this risk as low as possible through good management practice.

Assuming these tasks are being carried out by a contractor isn’t enough. You must have a plan to make sure the companies you have chosen are doing the work you have contracted to keep your business safe and secure online.
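Two of the points above can be checked from outside without any access to the provider’s systems: whether the site’s certificate is valid and not about to expire, and whether the site sends the browser-side protections (such as a Content-Security-Policy, which limits the impact of XSS) that a well-managed site should. The script below is an added example, not code from the original article or from FSB; it uses only the Python standard library. The expected header list and the 30-day expiry threshold are assumptions, and the sample certificate and headers it runs on when no hostname is given are constructed for illustration.

```python
import ssl
import socket
import datetime as dt
from urllib.request import Request, urlopen

# Assumed baseline of security response headers a hardened site should send.
EXPECTED_HEADERS = {
    "Strict-Transport-Security": "tells browsers to use HTTPS on later visits",
    "Content-Security-Policy": "limits where scripts may load from (reduces XSS impact)",
    "X-Content-Type-Options": "stops browsers MIME-sniffing served content",
    "X-Frame-Options": "blocks the site being framed by another page (clickjacking)",
}

# Constructed sample inputs, in the shapes returned by ssl.SSLSocket.getpeercert()
# and by an HTTP response's header mapping.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "shop.example"),),
}
SAMPLE_HEADERS_GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}
SAMPLE_HEADERS_WEAK = {"Server": "Apache", "X-Content-Type-Options": "nosniff"}


def cert_days_remaining(cert, now=None):
    """Whole days until the certificate's notAfter date (negative if already expired)."""
    expiry_ts = ssl.cert_time_to_seconds(cert["notAfter"])
    expiry = dt.datetime.fromtimestamp(expiry_ts, dt.timezone.utc)
    now = now or dt.datetime.now(dt.timezone.utc)
    return (expiry - now).days


def missing_headers(headers):
    """Names of expected security headers not present (header names are case-insensitive)."""
    present = {name.lower() for name in headers}
    return [name for name in EXPECTED_HEADERS if name.lower() not in present]


def assess(cert, headers, now=None, min_days=30):
    """Combine the certificate and header checks into a list of plain-language findings."""
    findings = []
    days = cert_days_remaining(cert, now)
    if days < min_days:
        findings.append(f"certificate expires in {days} days (threshold {min_days})")
    for name in missing_headers(headers):
        findings.append(f"missing {name}: {EXPECTED_HEADERS[name]}")
    return {"cert_days_remaining": days, "findings": findings, "ok": not findings}


def fetch_live(hostname, timeout=5):
    """Retrieve the real certificate and response headers for a hostname over HTTPS.

    create_default_context() verifies the chain and hostname, so an invalid or
    expired certificate raises ssl.SSLCertVerificationError here rather than
    silently passing through to the checks.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    req = Request(f"https://{hostname}/", headers={"User-Agent": "site-review-check"})
    with urlopen(req, timeout=timeout) as resp:
        headers = dict(resp.headers)
    return cert, headers


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        cert, headers = fetch_live(sys.argv[1])  # hostname supplied on the command line
    else:
        cert, headers = SAMPLE_CERT, SAMPLE_HEADERS_WEAK  # offline demo on constructed data
    report = assess(cert, headers)
    print(f"certificate valid for {report['cert_days_remaining']} more days")
    for finding in report["findings"]:
        print("finding:", finding)
    print("OK" if report["ok"] else "ACTION NEEDED")
```

Run it with your own hostname as the first argument to review a live site, or with no argument to see it evaluate the constructed sample. A clean result does not prove the provider is patching and backing up the site, which only their records can show, but a certificate close to expiry or a missing header is concrete evidence to raise with them under the contract.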

FSB members have access to a free Cyber health check and advice. Contact the FSB Legal Helpline on 0345 0727 727 if you are interested in having one done.