Website risk management is not a topic that receives a great deal of attention, but in this article I'd like to talk about one particular aspect of it: the need for ongoing support and maintenance of business websites.
There are many types of risk associated with having a business website, but one of the most serious is that the security of the site is compromised. The consequences could include your site being taken offline, being used for criminal purposes without your knowledge (serving malware or spam, for example), or having unauthorised content posted on it. Any of these can do serious damage to the reputation of your business.
Some people take the view that the chance of such a security breach is so low that spending time or money to deal with it cannot be justified, and so the risk remains. While it is true that the chance of your website security being compromised is low, the consequences of a breach are high. Both the probability of a risk occurring and its impact need to be assessed to make a realistic appraisal.
There are many more sophisticated ways of measuring IT risk (see this Wikipedia article, for example), but one simple way of assessing and comparing risks is to rate the probability of each risk occurring on a scale of 1 to 5 (1 being very unlikely and 5 highly likely) and to rate the cost to your organisation if it did occur, again from 1 to 5. Impact should take in both reputational damage and the cost of cleaning up your website. Multiplying the two ratings together gives the overall risk score.
So a situation that is highly likely (5) and has a severe impact on your organisation (5) scores 25, the maximum. Scoring every risk in this way produces a priority list, with the aim of taking action to reduce the probability of the highest-scoring risks and to mitigate their impact.
Using this formula, if your website security were breached and the site taken offline for a few days, the impact might be rated between 3 and 5. If damaging unauthorised content were placed on the site and your organisation was locked out of it for any length of time, the impact would be 5; likewise if the site is an e-commerce site that is your primary sales channel. The probability of a serious breach is relatively low, say 1 or 2. Multiplying the numbers together gives an overall risk score in the range 3 to 10.
Although that makes the risk moderate rather than high, it is worth controlling. The probability side is the part you can influence, because it rises sharply when a site's software is left unpatched, and the effort required to keep it low is not prohibitive and could save your organisation a great deal of trouble.
Let's take an example. In the last week two security vulnerabilities have been reported in WordPress: one affecting many popular (and not so popular) plugins and one in WordPress core itself. I'm not singling out WordPress for criticism; any content management system is liable to security weaknesses. In both of these recent cases the issue was identified before any damage was done, there is no evidence of any site having been compromised, and fixes for both were available quickly.
However, for the plugin issue to be resolved on an individual website, the site owner had to update the affected plugins manually within their WordPress installation. I strongly suspect that this has not been done on many business sites and that they are still running the faulty plugins. The fix for the WordPress core issue was delivered as an automatic update, provided that the site owner had that feature turned on.
Your Website Risk Management
Who in your organisation is responsible for managing your business website, and are they actively applying security updates? If you can answer both questions, you are reducing the probability of a security vulnerability damaging your website and your business reputation. If you cannot say who is responsible (whether inside or outside your company), you are exposing your business to greater risk.
Who is responsible for taking backups of your website, and how often do they do it? How many 'generations' of backups are kept? If you can name someone and are satisfied with the frequency and number of backups, you are actively managing the impact of a security breach on your website. This assumes that the backups can actually be restored, which should be tested rather than taken on trust, and that you hold a 'clean' backup taken before any breach. That is why several generations matter: if the only backup you have was taken after the compromise, restoring it restores the compromise. Backups should also be stored somewhere an attacker who controls the web server cannot reach, or they can be deleted along with the site.
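As an added example (not code from the original article or from AttractMore), the following POSIX shell script shows what "actively managing" both sides of the risk can look like for a WordPress site: the update steps for core and plugins described above, and a backup that is verified, kept in rotating generations and can be restored. It assumes WP-CLI is installed and that the site path, backup directory and retention count are passed on the command line; the `wp` commands are real WP-CLI commands, but the script itself, its function names and its defaults are this example's own. The backup, count and restore functions work on any directory; only `wp_backup` and `wp_update` need WordPress.

```shell
#!/bin/sh
# Hypothetical maintenance script for a WordPress site managed with WP-CLI.
set -eu

# backup_site SRC_DIR DEST_DIR KEEP LABEL
# Archive SRC_DIR into DEST_DIR/site-LABEL.tar.gz, verify the archive is
# readable, then keep only the newest KEEP generations.
backup_site() {
  src=$1; dest=$2; keep=$3; label=$4
  mkdir -p "$dest"
  archive="$dest/site-$label.tar.gz"
  tar -czf "$archive" -C "$src" .
  # A backup you cannot read is not a backup: list it before trusting it.
  tar -tzf "$archive" >/dev/null
  # Retention: labels sort lexically (timestamps do), so reverse-sorted
  # order is newest first; everything after the first KEEP entries goes.
  ls "$dest"/site-*.tar.gz | sort -r | tail -n +"$((keep + 1))" | while read -r old; do
    rm -f "$old"
  done
  echo "$archive"
}

# count_backups DEST_DIR: number of generations currently retained.
count_backups() {
  ls "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# restore_site ARCHIVE DEST_DIR: prove a generation actually restores.
restore_site() {
  mkdir -p "$2"
  tar -xzf "$1" -C "$2"
}

# wp_backup SITE_PATH DEST_DIR KEEP: site files plus a database dump,
# staged together so one archive holds everything needed to rebuild.
wp_backup() {
  site=$1; dest=$2; keep=$3
  stage=$(mktemp -d)
  cp -R "$site/." "$stage/"
  wp --path="$site" db export "$stage/database.sql" --quiet
  backup_site "$stage" "$dest" "$keep" "$(date +%Y%m%d-%H%M%S)"
  rm -rf "$stage"
}

# wp_update SITE_PATH: turn on core auto-updates, apply pending updates,
# report and update plugins, and opt plugins into auto-updates too.
wp_update() {
  site=$1
  wp --path="$site" config set WP_AUTO_UPDATE_CORE true --raw
  wp --path="$site" core update
  wp --path="$site" plugin list --update=available --fields=name,version,update_version
  wp --path="$site" plugin update --all
  wp --path="$site" plugin auto-updates enable --all
}

# Usage: maint.sh backup|update SITE_PATH DEST_DIR [KEEP]
#        maint.sh restore ARCHIVE DEST_DIR
case "${1:-}" in
  backup)  wp_backup "$2" "$3" "${4:-7}" ;;
  update)  wp_backup "$2" "$3" "${4:-7}" && wp_update "$2" ;;   # back up first
  restore) restore_site "$2" "$3" ;;
  *) ;;
esac
```

`sh maint.sh update /var/www/site /srv/backups 7` takes a backup and then updates; `sh maint.sh restore /srv/backups/site-<label>.tar.gz /tmp/restore-check` proves that a given generation restores. The archive contains wp-config.php and therefore the database credentials, so the backup directory needs the same protection as the site, and it should live somewhere the web server account cannot write.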
As a business owner whose website represents your business, I believe you should be certain about how these risks are managed and mitigated; otherwise you could face significant reputational damage and loss of business if one of them materialises.
AttractMore is responsible for the support and maintenance of a number of business websites, and we continually keep up to date with developments and issues that might affect the sites we manage. We updated the plugins affected by the WordPress security weakness shortly after the fixes became available, and we ensure our sites are set to auto-update the core so that security fixes are applied immediately.
If you are uncertain about your own website risk management and would like to consider handing this over to us to look after on your behalf, please contact us so we can discuss this with you. We can provide assurance that the reputation of your business is in safe hands with website risks being managed and mitigated to best effect.