Overview
With cyber-security currently a hot topic, Conetix is seeing an increasing number of customers paying for vulnerability testing and penetration testing to be conducted on their websites. While we applaud customers for taking proactive security steps, we’re seeing a very large gap between what’s contained in the reports and what will actually help protect customers.
Before you pay for any testing, it is critical that you have a risk treatment plan. This should be part of the overall risk management policies you already have in place to cover existing issues within your company.
What if I don’t have any risk management?
If you don’t have any risk management frameworks in place at your current business or company then the likelihood of getting a tangible result from paying for testing is very low. Instead, we highly recommend you follow our checklist below to cover the basics first.
Once this is in place, you should engage with a professional company to help identify and produce a risk management framework for your business.
Can I send a report through to Conetix to review?
Conetix can provide generic advice in the form of existing articles (such as this one), however any detailed review of security reports will be at the cost of $190/hour. Again, we will also require what risk treatment you wish to apply so that we can produce a remediation plan. Some elements of this remediation plan we can action directly, however many normally require liaison with your current web developer in order to deconflict and ensure the items are mitigated.
This all sounds expensive, what should I do to cover the basics?
In terms of overall security posture within your company, we highly recommend reading through the guides provided by the Australian Cyber Security Centre (ACSC):
https://www.cyber.gov.au/protect-yourself
In terms of your website, the key measures to consider are:
- Do you have regular backups which you store off-site from your hosting? If so, have you verified the contents of the backups recently?
- Do you regularly update your website software, including additional components such as themes, plugins and modules?
- Have you enforced strong, unique passwords for your website?
- Do you regularly review what logins exist to your website (e.g. developers)?
- Have you enabled Multi-Factor Authentication (MFA) for your website?
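The first item on the list is the one most often skipped in practice: backups exist but nobody has checked that they are recent and intact. The script below is an added example, not Conetix's code, showing one way to verify a website backup. It assumes backups are plain tar.gz archives and that a JSON manifest of SHA-256 hashes is written alongside each archive at backup time; the site files, paths and tampered content are constructed sample data, not a real hosting layout. The check reports whether the archive is fresher than a chosen threshold and whether every file listed in the manifest is present with an unchanged hash, so that a silently corrupted or altered archive is caught before it is needed for a restore.

```python
"""Added example (not Conetix's code): verify that a website backup is
both recent and intact. Assumptions: backups are tar.gz archives with a
sibling <archive>.manifest.json of SHA-256 hashes written at backup time.
All paths and file contents below are constructed sample data."""
import hashlib
import io
import json
import os
import tarfile
import tempfile
import time


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(site_dir: str, archive_path: str) -> dict:
    """Archive site_dir and write a manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(site_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, site_dir)
                with open(full, "rb") as fh:
                    manifest[rel] = hash_bytes(fh.read())
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as fh:
        json.dump(manifest, fh)
    return manifest


def verify_backup(archive_path: str, max_age_days: float = 7.0, now: float = None) -> dict:
    """Report freshness (by archive mtime) and integrity (against the manifest)."""
    now = time.time() if now is None else now
    age_days = (now - os.path.getmtime(archive_path)) / 86400
    with open(archive_path + ".manifest.json") as fh:
        manifest = json.load(fh)
    mismatched, seen = [], set()
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            seen.add(member.name)
            data = tar.extractfile(member).read()
            # A file not in the manifest, or with a different hash, is a mismatch.
            if manifest.get(member.name) != hash_bytes(data):
                mismatched.append(member.name)
    missing = [p for p in manifest if p not in seen]
    return {
        "age_days": age_days,
        "fresh": age_days <= max_age_days,
        "intact": not mismatched and not missing,
        "mismatched": mismatched,
        "missing": missing,
    }


def demo() -> tuple:
    """Build a constructed site, back it up, then show a good, a tampered
    and a stale verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "site")
        os.makedirs(os.path.join(site, "config"))
        with open(os.path.join(site, "index.php"), "wb") as fh:
            fh.write(b"<?php echo 'hello'; ?>")
        with open(os.path.join(site, "config", "settings.php"), "wb") as fh:
            fh.write(b"<?php $db = 'example'; ?>")
        archive = os.path.join(tmp, "site-backup.tar.gz")
        make_backup(site, archive)
        good = verify_backup(archive)

        # Simulate a corrupted/altered archive: one member's bytes change
        # after the manifest was written (constructed scenario).
        with tarfile.open(archive, "r:gz") as tar:
            members = [(m, tar.extractfile(m).read()) for m in tar.getmembers() if m.isfile()]
        with tarfile.open(archive, "w:gz") as tar:
            for m, data in members:
                if m.name == "index.php":
                    data = b"<?php /* altered after backup */ ?>"
                    m.size = len(data)
                tar.addfile(m, io.BytesIO(data))
        bad = verify_backup(archive)

        # Same archive viewed 30 days later: intact or not, it is stale.
        stale = verify_backup(archive, now=time.time() + 30 * 86400)
        return good["intact"], good["fresh"], bad["intact"], bad["mismatched"], stale["fresh"]


if __name__ == "__main__":
    print(demo())
```

Run `verify_backup()` against the off-site copy rather than the one on the hosting account, and schedule it so a stale or broken backup is noticed well before a restore is needed. A real deployment would also restore the archive into a scratch environment periodically, since a hash check proves the bytes are unchanged but not that the site actually comes back up from them.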
If you follow the basics above as a first step, this will greatly mitigate most of the issues that lead to a compromised website. Conetix does offer solutions to suit some of the requirements above and can assist where required to meet further security requirements.