Whilst it is seemingly impossible to cover all the bases, we have a primary duty of care to:
- Identify risks – treat or mitigate
- Demonstrate that security is taken seriously
- Constantly improve
Unfortunately, too many organisations take a knee-jerk approach to Website Security Due Diligence, reacting only to legislative or regulatory demands such as GDPR or the requirements of the professional body they belong to. Others rank the importance of web security by its impact on performance, e.g. how a security measure such as SSL affects SEO ranking. We continue to be surprised (shocked, amazed, appalled) by the number of ‘professional’ websites, public and private sector alike, that wave Cyber Essentials and Information Security banners and badges yet lack the obvious: encryption, an appropriate and relevant privacy policy, opt-in on contact forms, and protection against exposed credentials…
- Audit – brainstorm, scan or look for issues.
- Action – take immediate action, then schedule the next action.
- Assess – monitor effectiveness. Can anything be done better?
- Account – document all of the above to form an incident record.