Cybersecurity can no longer be ignored by organizations. Security breaches result in business-threatening downtime, a damaged brand reputation, customer churn, regulatory fines, and direct financial loss. With more cyber-attacks reported in the first half of 2020 than in all of 2019, there has never been a more important time to safeguard your website security.

Despite the growing risk, many organizations are falling behind when it comes to protecting themselves, their websites, and their customers. Here are some of the most common mistakes businesses are making when it comes to their website security.

1. Low cybersecurity awareness among employees

Human error is the most common cause of cybersecurity breaches. Whether clicking on an unsolicited link or failing to safeguard passwords, your employees are the most frequent enablers of cyber-attacks. But it doesn’t have to be this way. Data from cyber insurance provider CFC Underwriting shows that 38% of its claims could have been avoided if more robust employee cybersecurity education and training processes had been in place.

It’s reassuring to hear that businesses can repel many breaches by increasing web security awareness and creating a robust digital safety culture within their organization. Yet despite the clear link between low cybersecurity awareness and successful attacks, many employers are failing to act. A 2019 study found that just 20% of UK businesses had put staff through cybersecurity training in the preceding 12 months.

Solution: Your organization's security is only as strong as its weakest link. Training your employees in basic cybersecurity hygiene is key to reducing security incidents – and one of the cheapest and most effective ways to protect your organization.

One of the most common reasons given for not training staff in cybersecurity is ‘not being sure where to start’. So, where should you begin? Start with the low-hanging fruit.

  • Immediately revoke departing employees’ access – accounts, SSO and VPN access, API keys and shared credentials they knew – so they cannot retain access to your systems, and clear any company data from ex-employees’ personal devices.
  • Out-of-date software opens the door to cybercriminals, so install software patches and upgrades in a timely manner.
  • 94% of malware is delivered into networks via email, meaning malicious links and attachments are a huge problem for organizations. Spam filtering alone is not enough to tackle it. Proactively address lax email security through training that shows employees how to recognize, avoid, and report suspicious emails. A phishing benchmarking report from KnowBe4 found that one year of phishing tests and training produced an 87% improvement in click rates.
  • Badly-guarded usernames and passwords are another common security threat, with 61% of companies having over 500 accounts with non-expiring passwords. Give guidance on creating strong, unique login credentials and how to protect them, or provide a password manager that securely stores and generates passwords. Note that current guidance (for example NIST SP 800-63B) favors long, unique passwords plus multi-factor authentication over forced periodic rotation; the real risk in a non-expiring password is that it is weak, reused, or never changed after a suspected compromise.
  • Letting employees use their own devices at work, or ‘Bring Your Own Device’ (BYOD), opens your business up to additional threats. Role-based access, two-factor authentication, and strong employee passwords can help reduce the risk.
  • Data on lost and stolen devices provides another opportunity for cybercriminals. Train employees on how to use company equipment out of the office and devise a process for reporting misplaced devices promptly, so that access can be revoked and the device wiped.
  • Provide clear guidance on social media usage at work. One in five organizations have been infected with malware distributed via social media.
  • Make sure employees always install patches and software upgrades on their own devices, not just on company servers – they were created for a reason.
  • Educate your employees on the importance of cybersecurity in their dealings with third-party software and IT providers.

Adhering to these simple measures will stop many common cyber threats in their tracks.

2. Not having a corporate cybersecurity policy

Research from the UK’s Department for Digital, Culture, Media, and Sport found that while nearly three-quarters of organizations say cybersecurity is a high priority, the talk isn’t translating into action. Only 27% have formal cybersecurity policies and procedures in place. Without a cybersecurity policy, you could be leaving yourself open to attacks.

An effective cybersecurity policy lays out rules and responsibilities when it comes to protecting IT systems and company data. It goes hand-in-hand with raising security awareness among your employees.

McAfee defines a cybersecurity policy as a document that “Explains the rules for how employees, consultants, partners, board members, and other end-users access online applications and internet resources, send data over networks, and otherwise practice responsible security.”

Cybersecurity policies can also enhance a business’s public image and credibility. Customers, partners, shareholders, consultants, and employees need to know that your business can protect their data. A corporate cybersecurity policy is a great way to show them that you take security seriously.

Solution: Develop a formal document that clearly states your company’s security policies, providing clear guidance to employees on what they can and cannot do with the company’s IT systems, networks, and devices.

A good corporate cybersecurity policy outlines company-wide standards for:

  • Social media usage
  • Internet access restrictions
  • Password requirements (storing, updating, and generating)
  • Remote access
  • Digital signatures
  • Handling sensitive data
  • Wireless communication
  • Email security measures
  • Using third-party applications
  • Dealing with a cybersecurity threat or incident

As the nature of cybersecurity threats changes rapidly, it’s important that you keep your cybersecurity policy up-to-date. Plan in time to review and develop your policy on a regular basis.

3. Failing to hire skilled cybersecurity personnel

While human error is responsible for many cyber-attacks, it’s only one side of the coin. Technical vulnerabilities are also a huge cyber risk. That’s where the requirement for skilled cybersecurity personnel comes in. Yet, according to a Marlin Hawk survey, two-thirds of businesses say they are struggling to recruit senior security talent, and 62% worry that it will become even harder to recruit over the next five years.

If businesses are lucky enough to get their hands on a cybersecurity professional, that person is likely to spend most of their time putting out fires. Without adequate time or resources, cybersecurity professionals may struggle to devise and implement measures that would truly benefit a business’s website security long-term.

With the global demand for cybersecurity skills continuing to outstrip supply, and already overstretched IT dealing with more complex cyber threats than ever before, there are simply not enough resources available for many businesses to effectively defend themselves against attacks.

Solution: The answer is automation. Incorporating automation into cybersecurity processes can help plug the skills gap by letting businesses continuously monitor for threats and expand their cyber protection as they grow, even with limited personnel and resources.

Some web security monitoring tools, like Siteimprove Web Security, are designed not only to identify website vulnerabilities, but also to suggest proactive and corrective actions. Some of these tasks, like tracking TLS certificate expiry dates, can easily be managed by website managers, freeing up time for cybersecurity professionals to focus on more sophisticated security risks.
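Certificate expiry tracking is a good illustration of a check that can be automated and run on a schedule. The script below is an added example, not Siteimprove’s code: it takes a certificate in the dictionary shape that Python’s `ssl.SSLSocket.getpeercert()` returns, reports how many days remain before expiry, flags names the certificate does not cover, and can optionally fetch a live certificate. The `SAMPLE_CERT` dictionary and the `example.test` hostnames are constructed for the demo and are not a real certificate.

```python
"""Scheduled TLS certificate expiry check (added example, not Siteimprove code)."""
import socket
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# This is NOT a real certificate; hostnames are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 15 12:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "example.test")),
}


def days_until_expiry(cert, now=None):
    """Whole days from `now` (epoch seconds, default: current time) until notAfter.

    Negative once the certificate has expired. ssl.cert_time_to_seconds parses
    the OpenSSL-style 'Mon DD HH:MM:SS YYYY GMT' string as UTC.
    """
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((not_after - now) // 86400)


def classify(days_left, warn_days=30):
    """Turn a day count into an alert level a website manager can act on."""
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "EXPIRING_SOON"
    return "OK"


def covers_hostname(cert, hostname):
    """True if hostname is listed in subjectAltName (exact or single-label wildcard)."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        # '*.example.test' matches 'www.example.test' but not 'a.b.example.test'.
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def check_cert(cert, hostname, now=None, warn_days=30):
    """Combine expiry and name coverage into one result record."""
    days = days_until_expiry(cert, now)
    status = classify(days, warn_days)
    if not covers_hostname(cert, hostname):
        status = "NAME_MISMATCH"
    return {"hostname": hostname, "days_left": days, "status": status}


def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch the live leaf certificate (needs network; not used by the offline demo)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_live(hostname, warn_days=30):
    """Live check. Caveat: with default verification an already-expired or
    mismatched certificate fails the handshake before getpeercert() runs,
    so that case is reported as HANDSHAKE_FAILED rather than silently skipped."""
    try:
        cert = fetch_cert(hostname)
    except ssl.SSLCertVerificationError as exc:
        return {"hostname": hostname, "days_left": None,
                "status": "HANDSHAKE_FAILED", "reason": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"hostname": hostname, "days_left": None,
                "status": "UNREACHABLE", "reason": str(exc)}
    return check_cert(cert, hostname, warn_days=warn_days)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_live(sys.argv[1]))          # e.g. python cert_check.py your.site
    else:
        print(check_cert(SAMPLE_CERT, "www.example.test"))  # offline demo
```

Run it from cron or a CI job against each hostname you own and alert on anything other than `OK`. The 30-day warning threshold is an assumption to tune to how long renewal takes in your organization.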

According to Ron Green, CSO at Mastercard, automation technologies are a good aid for cybersecurity professionals. “Machine learning and automation are going to be really helpful to current and future CISOs,” he says. “Businesses are still going to need smart humans on security, but already the humans that are in our security operations centers are being overwhelmed with things they have to monitor, and you can’t simply keep putting in more people because there aren’t enough people already.”

4. Treating website security as an IT issue, not a business issue

Data from an EY Global Board Risk Survey shows that nearly half (48%) of boards believe that cyber-attacks and data breaches will more than moderately impact their business in the next 12 months. Yet they still overwhelmingly perceive website security as just a compliance exercise, with only a tiny fraction – 7% – describing it as an innovation enabler.

Organizations who believe cybersecurity is solely IT’s responsibility are missing out on the strategic benefits of prioritizing website security. These benefits include earning customer trust, securing intellectual property, and protecting their brand. By underestimating the scope and depth of the cybersecurity threat, they’re endangering themselves.

Here’s why a proactive approach to cybercrime is business-critical:

  • The average cost of a data breach now stands at $3.86 million. Besides the tangible financial loss, affected businesses also experience increased customer turnover, loss of profitability, diminished goodwill, and a tarnished reputation.
  • For most businesses, their intellectual property (IP) is their most valuable asset. IP includes patents, designs, trade secrets, confidential data, and employee knowledge. Now, imagine those crown jewels in unknown hands. In the US alone, IP theft is costing companies up to $600 billion every year.
  • Most consumers (87%) say they will take their business elsewhere if they don’t trust a company to handle their data responsibly.
  • Costly legal fees and litigation. For example, the General Data Protection Regulation (GDPR) allows fines of up to €20 million or 4% of annual global turnover, whichever is higher. GDPR fines totaled $63 million in the law’s first year alone.
  • Redirecting company resources to tackle security breaches can lead to reduced operating efficiencies.
  • Time and resources must be dedicated to forming special boards and committees to investigate breaches.
  • And don’t forget the public relations cost of rebuilding consumer, shareholder, and public trust in the aftermath of a well-publicized breach.

Does that sound like just a technical issue? No. It’s a business issue – and a pressing one.

The biggest impediment to prioritizing website security as a business issue? A lack of top-level support. Despite headline after headline detailing disastrous data breaches, just 5% of C-suite executives consider website security to be their most important corporate initiative. This ties in with British data that shows that less than one in three businesses have a board member with cybersecurity responsibilities.

A highly secure website benefits your business

Fortunately, there’s evidence that the gap is beginning to close, with 29% of businesses now recognizing that web security has a place at the boardroom table. For organizations that get it right, good cyber health can prove to be a crucial market differentiator. In fact, 73% of leading organizations surveyed by AT&T Cybersecurity agreed that good cybersecurity contributes to their overall business success.

Solution: Give website security a seat at the top table. Highly effective security requires committed buy-in from senior leadership. To make this a reality, appoint a designated Chief Information Security Officer (CISO). With just 4 in 10 organizations having a head of cybersecurity who sits at the executive management level, this alone can give your business a competitive edge. Task them with educating senior leadership on the risks and ROI of cybersecurity and with securing leadership’s support for a security-centric business culture.

Increasingly, boards and senior managers are being held directly accountable for security breaches that happen on their watch. Equifax chairman and chief executive Richard Smith stepped down following the 2017 breach that exposed the sensitive information of around 145 million consumers (a figure later revised upward). With that in mind, there’s never been a better time to ask for the resources you need to protect your website.

5. Putting website security audits on the backburner

The best way for organizations to protect themselves is to be proactive, not reactive. Regular security audits are essential for helping businesses identify security vulnerabilities, determine the level of risk, and take preventive action. However, being resource-heavy and time-consuming, audits are often done only when absolutely necessary.

For organizations without security professionals, security audits can be particularly challenging. Manual auditing requires technical expertise that many web managers don’t possess.

The result? At best, wasted expenditure as organizations pursue a security strategy based on guesswork rather than tackling vulnerabilities based on data and threat prioritization. At worst, a website riddled with loopholes and vulnerabilities.

Solution: Invest in a tool that runs automatic scans for essential website vulnerabilities. One-off checks are not enough. And of course, you can’t just bury your head in the sand. The nature of security is dynamic, meaning continuously scanning your site for potential security threats is an absolute must.

There are some ways to take the heavy lifting out of website security auditing.

  • Let technology manage audits for you with regular, automated security audits.
  • Combining automated security audits with manual testing is the most effective way to analyze a site’s security status. Tools like Siteimprove Web Security act as a collaborative platform through which web and IT teams can centrally manage security threats.

6. Thinking size doesn’t matter

Nintendo. Yahoo!. Zoom. What do they all have in common? They’re all big enterprises who’ve experienced embarrassing public security breaches. As the media almost exclusively focuses on household names, many small and medium-sized businesses are lulled into a dangerous misconception that cyber-attacks don’t – and won’t – happen to them. Combined with market forces putting the option of full-time, in-house security specialists out of reach, the truth is that they often make easy pickings for cybercriminals. In fact, nearly half of cyber-attacks target small businesses.

Even more concerningly, a 2020 research study revealed that 43% of small businesses in the US and the UK don’t have any type of cybersecurity defence plan in place.

And that approach won’t fly with the law. In the US, for example, even small firms that aren’t subject to sector-specific federal requirements are expected to maintain reasonable IT security, and can face regulatory enforcement (for example by the Federal Trade Commission) or civil liability if a breach that exposes consumer data is attributed to negligence. Some states, including California and New York, have gone further and introduced explicit information security requirements for businesses.

Paul Lipman, CEO of BullGuard, says, “Small businesses are not immune to cyber-attacks and data breaches, and are often targeted specifically because they often fail to prioritize security. Caught between inadequate consumer solutions and overly complex enterprise software, many small business owners may be inclined to skip cybersecurity. It only takes one attack, however, to bring a business to its knees.”

Solution: A cyber-attack on a smaller business can be devastating. Acknowledging that attackers might come after you is the first step to developing a defense.

To address the challenges of limited resources and recruitment problems, specialist web security solutions, like Siteimprove Web Security, have been developed with the needs of smaller businesses in mind. They are designed to help small teams understand and improve their web security without wading through the jargon and complexity of enterprise-level security software.

Boost your cyber health with Siteimprove Web Security

One thing that all these mistakes have in common is that they can be mitigated by a proactive, automated, and joined-up approach to website security. The best way to protect your business against cyber-attacks is to integrate website security into every part of your digital strategy.

By following web security best practices, providing cyber awareness training to employees, and investing in defense technologies from reputable vendors you can shield your business from the growing threat of cybercrime.

We want to help you keep your business, website, and customers safe from cybercriminals. That’s why we’ve launched Siteimprove Web Security. Web Security helps bridge the gap between IT and the rest of your organization by putting everyone on the same page. It does so with a clear overview of your website’s security vulnerabilities (Web Application, Network, and Server) and prioritized, actionable recommendations for fixing them.

Learn how Siteimprove Web Security’s features keep your website safe in our blog.