Data loss, financial penalties, reputational damage and the erosion of customer trust… a website security breach can lead to some very serious consequences. So how can you stay vigilant?
This special Ignite Perspectives sets out our Ten Top Tips for website security with added expert insight from Joanne Gill, Director at Cyber Crisis Readiness and Response.
Your website is more than just an online brochure. It’s the cornerstone of your business operations, the location of your customer interactions, and critical to your brand reputation.
Any website security breach can lead to serious consequences - from data breaches to financial losses, from reputational damage to significant erosion of customer trust.
Beyond the cost, inconvenience and potentially disastrous consequences, this can disrupt services for business partners and cause associated reputational problems longer term.
Because of this, third-party IT and web security has become a significant security concern for larger clients who now ask their vendors to undergo security assessments and implement protective measures as a standard practice for supply chain security.
Website security at Spiral
We work with banks, insurance companies, universities, transport providers, security companies and others. They all have strong requirements for internal and external IT security.
This has led to the extensive testing and refinement of our own security practices.
While much of this is compliance with a client's internal standards, some of our clients use public testing sources, so we are happy to share our SecurityScorecard A rating and Cyber Essentials certification.
So, what are our Top Ten Tips for better web security?
Your domain name is the first point of control over your website, so it should be held by a secure, reputable Domain Name System (DNS) provider and accessible only through a login protected by two-factor authentication.
You need to clearly define who is responsible for managing any DNS renewals or changes; otherwise third parties could acquire your domain name and point it to a site of their own choosing.
It could start with something as simple as an approach from disreputable SEO services or DNS providers. But it can quickly lead to someone hijacking your name, creating a fake site, installing malware, diverting your email or otherwise impersonating you. So yes, controlling your own name is vital.
Your server should be well managed, up-to-date and secure to stop it getting compromised.
You could avoid much of this by hosting your website on a managed platform such as WordPress Managed Hosting or WP Engine, but this costs you flexibility and may not meet the highest security requirements.
Using containerised services from Amazon AWS or Microsoft Azure can also reduce some server management requirements but tends to require experienced admins to deal with any issues.
Generally, unless you are managing servers in-house and have experienced staff, you are better off having your web servers managed by an experienced developer.
Spiral has almost 30 years’ experience managing websites and can deal with everything from tiny legacy static sites to bespoke LAMP platform web tools.
Backups are essential to help you recover from accidents as well as attacks. We recommend the 3-2-1 backup rule: three copies of your data, on two different kinds of storage, with one copy held at a different site.
So, for websites, this might be:
Backup rotation is also important: an attacker may compromise a site slowly, long before doing anything visible with it, so the most recent backups can already contain the compromise. Keeping a rotation of older backups means a clean copy from before the intrusion still exists.
Spiral keeps a clean development version of a site after release or major revisions, then implements a tried, tested methodology for depth of backup security.
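The rotation point above is easiest to see in code. The following is an added example (not Spiral's backup tooling) of a grandfather-father-son retention policy: it keeps the last `daily` nightly snapshots, the newest snapshot of each of the last `weekly` weeks and the newest of each of the last `monthly` months, so that pruning old backups never discards every copy from before a slow compromise. The retention counts and the constructed 120-day snapshot series are assumptions.

```python
"""Backup rotation: choosing which snapshots to keep (added example, not Spiral's code).

Keeping only the newest few backups is risky: an intruder who compromised the
site weeks ago is already inside every recent copy.  A grandfather-father-son
rotation keeps recent dailies plus one snapshot per recent week and month, so
a clean copy from before the intrusion survives pruning.  Counts and sample
dates below are assumed/constructed.
"""
from datetime import date, timedelta


def select_retained(snapshot_dates, daily=7, weekly=4, monthly=6):
    """Return the sorted list of snapshot dates to keep; everything else can be pruned."""
    dates = sorted(set(snapshot_dates), reverse=True)  # newest first
    keep = set(dates[:daily])

    newest_per_week = {}
    newest_per_month = {}
    for d in dates:  # newest first, so setdefault records the latest snapshot of each period
        newest_per_week.setdefault(d.isocalendar()[:2], d)      # (ISO year, ISO week)
        newest_per_month.setdefault((d.year, d.month), d)

    keep.update(sorted(newest_per_week.values(), reverse=True)[:weekly])
    keep.update(sorted(newest_per_month.values(), reverse=True)[:monthly])
    return sorted(keep)


def sample_snapshots(last=date(2025, 6, 30), days=120):
    """Constructed input: one nightly snapshot for each of the last `days` days."""
    return [last - timedelta(days=i) for i in range(days)]


if __name__ == "__main__":
    kept = select_retained(sample_snapshots())
    print(f"keeping {len(kept)} of 120 snapshots, oldest {kept[0]}")
    for d in kept:
        print(" ", d)
```

With the defaults and the constructed series this keeps 12 of 120 snapshots, the oldest being the end of March, roughly three months before the newest. The same selection can be run against the copies at each of the 3-2-1 locations independently, which is the point: every site prunes by the same rule but nothing older than the rule allows is lost.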
CMS websites and their components need regular updates to fix vulnerabilities that have been found. Many CMS platforms, such as WordPress, allow this to be automated, which is great for maintaining security when no one is available, but can lead to glitches if an automated update isn't quite compatible with your site content.
At Spiral we review and update internal systems each Wednesday, and review and update our own and client web systems each Friday.
Testing, particularly external testing, is the best way of finding site problems you have overlooked. This can range from external testing tools to third-party companies.
It's a big and technical area to make quick recommendations on, so we'd generally say you want to find an expert if you're new to it. The Open Worldwide Application Security Project (OWASP) has excellent free testing guides and tools.
When a disaster strikes, you’ll want to have all the details of your site and plans to recover it in one place - you don’t want to be winging it during a confusing and unexpected high-stakes situation.
Getting an expert to assist you with a crisis management plan helps remove your bias and plan for situations that you did not anticipate. Joanne Gill, Director at Cyber Crisis Readiness and Response, is here to tell us more:
The need for crisis preparedness
On 21 April, Marks & Spencer was hit by a ransomware attack that caused widespread disruption across its operations. Online orders were suspended, internal systems were down, and customers left frustrated.
It’s still dealing with the fallout from the attack and doesn’t expect to have services back up and running fully until next month – in reality, it will probably take longer.
M&S is no stranger to risk. Its leadership team will have planned for supply chain disruptions, trading volatility, or even the reputational damage of a product recall. But it’s clear the company was not fully prepared for a ransomware attack, despite growing industry awareness and warnings from Government and cyber experts.
Having a crisis management plan - and a team that knows how to use it - is the bare minimum for any responsible organisation. But it’s no longer enough.
Today’s leadership teams need to go further. They must look beyond the traditional risks that can be fixed fairly quickly and identify where business as usual is most vulnerable to disruption.
And business as usual for any critical function is underpinned by tech: without access to company systems, HR, finance, risk, legal, procurement and customer service can’t function, which means a cyber crisis is everyone’s problem and responsibility.
Three-quarters of UK business leaders say cyber threats are keeping them awake at night, and only half have a formal crisis management plan, according to Experian.
Companies that invest in structured, well-rehearsed cyber crisis readiness through plans and training exercises empower their leaders to step up under pressure—with clear roles and responsibilities, a shared understanding of the situation, and a decision-making framework built for speed, not panic.
They also protect themselves legally. A good plan enforces documentation, helping organisations demonstrate that they acted in good faith and with due diligence—critical if regulators or lawyers come knocking.
Being able to lead a company through its worst day, or months in the case of a cyber crisis, isn’t a ‘nice to have.’ It’s what employees, customers, investors, and the public expect. And it’s what separates businesses that recover from those that don’t.
Cyber Crisis Readiness & Response is a specialist cyber crisis management consultancy providing planning, training, and exercising services for blue-chip companies globally. To find out more, visit www.cyberreadiness.co.uk
Whenever anyone adds content to your site - in comments, forms or file uploads - there’s potential for exploitation. It's crucial to lock down these points of entry as much as possible to maintain site security and integrity.
You should secure all open forms with strong input sanitisation and implement a filter or CAPTCHA to disrupt automated traffic and significantly reduce the amount of spam you receive.
If you let the general public upload files, you should be extremely careful to thoroughly restrict the types and sizes of files that can be uploaded, and use onsite virus detection or automated file conversion processes to neutralise any malicious files.
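The upload advice above, as an added example that is not Spiral's own code: a server-side validator that applies an extension allowlist, a size cap and a check of the file's real leading bytes (its magic number), so that a renamed script cannot pass itself off as an image. The allowed types, the 2 MiB limit and the sample inputs are assumptions chosen for illustration; real deployments also store uploads outside the web root and re-encode images, which is the "automated file conversion" the tip refers to.

```python
"""Server-side upload validation (added example, not Spiral's own code).

Rejects anything not proven to be an allowed file type: the name is reduced
to a safe basename with one extension, the size is capped, and the content
must start with the signature genuine files of that type carry.  Allowlist,
size limit and sample data are assumptions.
"""
import os

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed 2 MiB limit

# Allowed extensions and the bytes genuine files of that type start with.
SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def safe_basename(filename: str) -> str:
    """Drop client-supplied directory parts and keep a single lower-cased extension.

    'photo.php.png' becomes 'photophp.png': dots inside the stem are removed so a
    server misconfigured to honour double extensions still only sees one.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(name)
    stem = "".join(ch for ch in stem if ch.isalnum() or ch in "-_") or "upload"
    return f"{stem}{ext.lower()}"


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason or safe name).  Anything not proven safe is rejected."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    name = safe_basename(filename)
    ext = os.path.splitext(name)[1]
    if ext not in SIGNATURES:
        return False, f"extension {ext or '(none)'} not allowed"
    if not data.startswith(SIGNATURES[ext]):
        return False, "content does not match the declared type"
    # Cheap defence in depth: a genuine image header with script text appended is a
    # classic way to smuggle code past an extension check.  Re-encoding the image on
    # the server is the stronger fix; this heuristic just refuses the obvious cases.
    lowered = data.lower()
    if b"<?php" in lowered or b"<script" in lowered:
        return False, "embedded script content found"
    return True, name


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16           # constructed minimal PNG header
    for fname, blob in [("photo.png", png), ("shell.php.png", b"<?php echo 1; ?>"),
                        ("../../etc/x.png", png), ("notes.txt", b"hello")]:
        print(fname, "->", validate_upload(fname, blob))
```

The order of checks matters: size is tested before the content is inspected so an oversized upload is refused cheaply, and the extension is taken from the sanitised name rather than the raw one, so path tricks in the client-supplied filename never reach the type check.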
A web application firewall (WAF) acts as a shield between your website and the internet, filtering and monitoring HTTP traffic. It can protect against common web attacks like SQL injection, cross-site scripting (XSS) and denial-of-service (DoS) attacks by blocking malicious traffic before it reaches your server.
Keeping an eye on your website is good for both search and content optimisation as well as security. Good logging tools can show you unusual spikes in traffic, repeated failed login attempts or unexpected file modifications. Early detection is key to minimising damage from an attack.
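Two of the signals mentioned above, repeated failed logins and traffic spikes, can be pulled straight out of the web server's access log. The following is an added example, not Spiral's monitoring tooling: it parses lines in the common "combined" log format, flags any source address with more than a threshold of failed login attempts inside a sliding window, and flags any minute whose request count is well above the median minute. The login paths, thresholds, addresses and the constructed sample log are all assumptions; on a real server the lines come from the access log file instead.

```python
"""Reading an access log for brute-force logins and traffic spikes.

Added example, not Spiral's monitoring tooling.  Parses web-server lines in
the "combined" format, reports addresses with FAIL_THRESHOLD or more failed
logins inside a sliding WINDOW_SECONDS, and reports minutes whose hit count
exceeds SPIKE_FACTOR times the median minute.  Thresholds, paths, addresses
and the sample log are assumed/constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from statistics import median

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATHS = {"/wp-login.php", "/login"}  # assumed login endpoints
FAIL_THRESHOLD = 5                          # assumed
WINDOW_SECONDS = 300                        # assumed five-minute window
SPIKE_FACTOR = 5                            # assumed


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def is_failed_login(rec):
    """A POST to a login page that did not redirect.  WordPress answers a bad
    password with 200 and the form again; many other apps answer 401 or 403."""
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS and rec["status"] in (200, 401, 403)


def brute_force_sources(lines):
    """Map each offending IP to its peak number of failures inside one window.
    Lines are assumed to be in time order, as the server writes them."""
    recent = defaultdict(deque)
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        if not is_failed_login(rec):
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()                      # drop failures older than the window
        if len(window) >= FAIL_THRESHOLD:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(window))
    return flagged


def traffic_spikes(lines):
    """Return the minutes (as strings) whose hit count is far above the median minute."""
    per_minute = Counter()
    for rec in filter(None, map(parse_line, lines)):
        per_minute[rec["ts"].replace(second=0, microsecond=0)] += 1
    if not per_minute:
        return []
    typical = median(per_minute.values())
    return [m.strftime("%Y-%m-%d %H:%M") for m, n in sorted(per_minute.items())
            if n > SPIKE_FACTOR * typical]


def make_line(ip, ts, method, path, status):
    """Build one constructed combined-format line."""
    return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


def sample_log():
    """Constructed log: quiet baseline, one address hammering the login form, one burst."""
    base = datetime(2025, 5, 1, 10, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(6):                       # two ordinary page views a minute
        for k in range(2):
            lines.append(make_line("198.51.100.4", base + timedelta(minutes=minute, seconds=20 * k), "GET", "/", 200))
    for k in range(7):                            # seven login failures in 70 seconds
        lines.append(make_line("203.0.113.7", base + timedelta(minutes=2, seconds=10 * k), "POST", "/wp-login.php", 200))
    for k in range(30):                           # thirty hits in a single minute
        lines.append(make_line("192.0.2.9", base + timedelta(minutes=4, seconds=2 * k), "GET", "/?s=x", 200))
    return sorted(lines, key=lambda l: parse_line(l)["ts"])


if __name__ == "__main__":
    log = sample_log()
    print("brute-force sources:", brute_force_sources(log))
    print("traffic spikes:", traffic_spikes(log))
```

Note that the spike detector compares against the median minute rather than the mean, so a single burst does not raise the baseline it is measured against, and the login check is deliberately loose (any non-redirecting POST to the login page) because access logs do not record whether a password was right; a count this high from one address is worth a look either way.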
Human error is often the weakest link in security. It is wise to train your employees in cybersecurity best practices so they can recognise phishing attempts, adopt safe browsing habits and understand the importance of strong passwords.
Wrapping it up
Web security is a massive topic and we wouldn’t pretend to be able to cover everything here. However, there are a lot of resources available to help you, and implementing any of these security practices helps reduce your exposure to all kinds of malicious actors.
At one end are old automated systems hoping to drop some advertising or malware on your site; at the other are highly organised hacking gangs using sophisticated data theft and extortion against you.
By proactively implementing good security measures, you can significantly reduce your risk of cyberattacks, protect your valuable data, and maintain the trust of your customers and stakeholders. Like it or not, a website security strategy is essential and an ongoing process – so stay vigilant, seek expert advice and be ready to adapt your defences as new threats emerge.