When it comes to website security, what’s the biggest challenge facing businesses today?

If you think most security problems stem from programming issues, you need to look a little deeper, said Peter Pröll, security expert for the TYPO3 Association.

“Many security issues occur, not because of programming, but because there have not been any updates or security patches provided by software developers,” he said.

Why the lack of updates and patches? Pröll said it’s simply because business leaders are unaware they’re needed.

“The biggest challenge is to make decision makers aware of security matters,” he said. “After that, it’s pretty easy.”

Hackers Getting More Sophisticated

According to Symantec’s 2015 Internet Security Threat Report (registration required), non-targeted attacks make up the majority of malware, which increased by 26 percent in 2014.

The report also notes that in 2014, there were 17 million new pieces of malware created, presenting nearly one million new threats each day.

Pröll attributes the rise in Internet crime to the fact that today’s attacks are automated, and can be carried out on a very large scale.

“Today, hacks are very professional and organized,” he said. “Attackers don’t need to find specific targets; they just go to Google, look for search terms, take all the results and attack.”

What Can You Do?

Peter Proll
Pröll recommends that business leaders sit down and talk with their web agencies to discuss their policies regarding patches and updates, as well as educate themselves on security issues.

Talk to Your Agencies and Service Providers

“Usually, a company goes to an agency and asks them for a website,” he said. “They discuss functionality and design, the service provider does the implementation, and the hiring company thinks everything is ok.”

The topic of security is hardly ever mentioned, he added.

“Agencies don’t care about it,” said Pröll. “They can’t sell security updates because the best outcome is that nothing happens. You can’t sell something where the outcome is that nothing happens.”

Agencies that do offer security services such as fixes, patches and upgrades, he continued, have said that customers find these expensive.

“A lot of agencies just ignore the security issues,” said Pröll. “A few agencies are willing to pay attention and have ethical standards.”

Leaders need to take charge of these issues to protect themselves and their customers against cyber attacks, he said.

“It’s a dangerous situation,” explained Pröll. “More and more, I talk to decision makers who want their websites to be secure, but they have never asked their agencies or service providers about whether or not they do security updates.”

Learning Opportunities

The solution?

“Speak to your agency or service provider and ask if all software used within your website project is security updated, and if there are service agreements that guarantee updates after the project is released,” he advised. “If not, find someone who can help with those updates.”

Educate Yourself

The next defense against cybercrime, continued Pröll, is education about the latest security issues.

“When you’re coming up with a new project, you not only need to look at the systems and software in terms of functionality, but also look at the history of the software vendor,” he said.

“Have they experienced any security issues? The web server should be updated, with updates merged into the website project. Once you know these are in place, you can validate and make good decisions.”

Although he noted that online research might not be the most efficient way for decision makers to stay up to date on the latest security issues, he said that discussing these issues with other professionals is a good option.

“It’s easy to educate yourself,” he said. “There may be educational sessions in your region. Check your business networks about events regarding Internet security.”

He also suggested consulting the computer emergency response team (CERT) associated with your region, such as US-CERT. These organizations act as security watchdogs, assessing code, responding to security issues and issuing security bulletins.

For example, a quick glance at the US-CERT site shows updates related to security and USB drives, phishing scams, online gaming risks and cyber threats to mobile phones.

“You and your agency have the chance to learn about security updates that need to be merged into your website project,” concluded Pröll.

“Every company employee with a computer is connected to the internet. Companies need to know how to work with this situation, and how to deal with threats.”