Website security is a serious matter. That’s not good news for most web designers. What we need to account for is how we build, the hosting company we use, and the software we trust.
And while there is plenty of good practice to follow, securing a website is a big challenge. It involves restricting automated attacks on content management systems (CMS), reining in clients, and continuously updating software. We can reduce the risks, but we cannot completely mitigate them.
For years, security processes were primarily between designer, host, and client. But more than ever, other third parties are taking an active interest. And web designers are getting caught in the middle.
If this doesn’t affect you yet, it may just be a matter of time. So freelancers and agencies need to pay attention to this trend.
We look at what’s happening and how web designers can prepare.
Who is involved?
Granted, third-party interest in network security is not entirely new. Ecommerce sites have had to deal with PCI compliance for a long time. And government regulations have focused on areas such as user privacy – which could also be considered a security concern.
However, there seems to be increased input from other sources – especially the insurance industry. They are becoming very committed to web security as far as their clients are concerned.
Organizations that need insurance, such as businesses and nonprofits, are likely to have a website. Just as they take physical security into consideration, insurance companies are starting to look at websites in the same way.
For example, let’s consider a typical brick-and-mortar retail store. Before providing insurance to a retailer, an insurer may consider:
- The structural integrity of the building;
- The types of merchandise being sold;
- Any anti-theft security measures implemented by the retailer;
- Number of employees;
- Annual income.
We are seeing similar concerns being extended to websites.
What Aspects Of Website Security Are They Looking At?
Securing a website requires constant effort and covers a number of areas. Some factors, such as web hosting and SSL certificates, are fairly universal. But others may depend on how the website was built.
This means that a static HTML site will have different security requirements from one built with WordPress. And then there is the integration of third-party APIs, data collection and financial transactions. Each presents a unique challenge.
However, there is no guarantee that an insurer will take a realistic view of these nuances. They may use an all-of-the-above strategy, even if specific features are not relevant to the client’s website.
Industry veteran (and colleague) Wayne Kessler opines, “My main concern is the creation of unnecessary work and costs due to ‘standards’ specified by a contractor (i.e., an insurance company or security adviser) that are too risky. The job of the cyber insurer is to sell insurance, preferably no demand.”
He continues, “Therefore, they can lock websites as tightly as possible without due regard for performance or cost consequences. It is not always possible to limit login access to a small IP range. SFTP is still required for sites. Clients may need to be able to send files back and forth to their designers. Workflow, site management, user functionality – these cannot be ignored when talking about security without the potential to significantly reduce the value of the website.”
Advice for Web Designers
As always, web designers are the link between our clients and third parties. In this case, insurers will give clients a laundry list of website security considerations. From there, we have a duty to make sense of them, to implement what is possible, and to communicate effectively.
There are a number of potential roadblocks. The main one is that you may not have control over every situation. For example, some security measures may require the cooperation of a web host or a plugin developer. Whether or not they comply is entirely up to them.
Another consideration is the potential cost. The investment required to implement certain items may go beyond what your client is willing or able to pay.
Kessler says that web designers have to stay in the loop during the process, noting that “security standards seem to be expanding rapidly with the growth of these industries, but that does not mean that the standards should apply. this on one Web site only. If you do not make financial transactions on your website, or do not store user/customer data on your website, there are suggestions for these that should not apply. Be vigilant about ‘overriding’ security protection requirements.”
It is also important to recognize that many hands play a role in the security of the website. According to Kessler, “There is a gap in data protection in every story we read about identity theft. Web designers do not want to be a known gap. Likewise, you do not want to manage a site that has a virus, is generating spam, or is locked by isolated artists. There are options to mitigate these risks. Web designers, and website owners, should take those choices.”
The key is to focus on what you can control and make sure your clients understand what is going on.
Dealing with the Increasing Complexity of Web Security
As if network security were not already a complex issue, the introduction of insurers and other third parties only adds to the stress. For web designers, that seems to put another burden on our shoulders.
Still, this is part of our ever-changing job description. As the way websites are built and maintained changes, we have a duty to stay on top of best practices. In a way, this development is a natural extension of that evolution.
Fortunately, the skills we have acquired in communicating with clients and adapting to new technologies can serve us well. These experiences have prepared us for this new challenge.