Why Third Parties Are Taking an Interest in Your Client’s Website Security
Website security is serious business. That’s not news to most web designers. It’s something we have to account for in how we build, the hosting company we use, and the software we trust.
And while there are plenty of best practices to follow, securing a website is a major challenge. Fending off automated attacks against content management systems (CMS), training clients, and continuously updating software take their toll. We can lessen the risks, but can’t fully mitigate them.
For years, security processes were primarily between a designer, host, and client. But increasingly, other third parties are taking an active interest. And web designers are getting caught in the middle.
If this hasn’t impacted you yet, it may be just a matter of time. Thus, freelancers and agencies need to take notice of this trend.
Let’s take a look at what’s happening and how web designers can be prepared.
Who’s Involved?
Granted, third-party interest in web security isn’t completely new. eCommerce sites have long had to deal with PCI compliance. And government regulations have aimed at areas such as user privacy – which could also be considered a security concern.
However, there seems to be increased input from other sources – particularly the insurance industry. They’re becoming keen on web security as it relates to their clients.
Organizations that require insurance, such as businesses and non-profits, are very likely to have a website as well. Just as they take a physical location’s well-being into account, insurance companies are starting to look at websites in the same way.
For example, let’s think about a typical brick-and-mortar retail store. Before providing insurance to a retailer, an insurer might consider:
- The structural integrity of the building;
- The types of merchandise being sold;
- Any anti-theft security measures the retailer has put in place;
- The number of employees;
- Yearly revenue;
We’re now seeing similar concerns being extended to websites.
What Aspects of Website Security Are They Looking At?
Securing a website requires constant effort and encompasses several areas. Some factors, such as web hosting and SSL certificates, are fairly universal. But others may depend on how the website was built.
That means a static HTML site will have different security needs from one built with WordPress. And then there’s integrating third-party APIs, data collection, and financial transactions. Each presents a unique challenge.
Yet, there’s no guarantee an insurer is going to take a realistic view of these nuances. They may well employ an all-of-the-above strategy, even if specific elements don’t apply to a client’s website.
Industry veteran (and a colleague of mine) Wayne Kessler opines, “My biggest concern is the creation of unnecessary work and cost due to contractor (which is what an insurance company or a security consultant is) specified ‘standards’ that are oversized to risk. A cyber insurer’s job is to sell insurance that preferably won’t have any claims on it.”
He continues, “So, they can want websites locked as tightly as possible without due consideration of the ramifications of functionality or cost. It is not always possible to limit login access to a small IP range. SFTP is still needed for sites. A client might need to be able to send files back and forth to their designer. Workflow, site management, user functionality – these cannot be ignored when talking about security without the possibility of greatly reducing the value of the website.”
Advice for Web Designers
As is often the case, web designers are liaisons between our clients and a third party. In this case, insurers will hand clients a laundry list of website security considerations. From there, it’s up to us to make sense of them, implement what’s feasible, and effectively communicate.
There are a few potential roadblocks. The biggest is that you may not have control over every situation. For instance, some security measures may require the cooperation of a web host or plugin developer. Whether or not they comply is entirely up to them.
The potential cost is another consideration. The investment required to implement certain items may go beyond what your client is willing or able to pay.
Kessler says that web designers need to stay in the loop during the process, noting that “security standards seem to be expanding quickly with the growth of these industries, but that doesn’t mean these standards should apply to just any website. If you don’t take financial transactions on your website, or if you don’t keep user/customer data on your website, there are recommendations for these that should not apply. Beware of ‘oversizing’ the needs for security protection.”
It’s also important to recognize that many hands play a role in website security. According to Kessler, “Every story we read about identity theft comes from a gap in data protection. Web designers don’t want to be an identified gap. Similarly, you don’t want to manage a site that has a virus, is generating spam, or is locked up by rip-off artists. There are options to mitigate those risks. Web designers, and website owners, should take those options.”
The key is to control what you can and make sure your clients have an understanding of what’s involved.
Dealing with the Increasing Complexity of Web Security
As if web security wasn’t already a complex subject, the introduction of insurers and other third parties only adds to the stress. For web designers, it seems like yet another burden placed on our shoulders.
Still, this is part of our ever-evolving job description. As building and maintaining websites continue to change, it’s up to us to stay on top of best practices. In a sense, this development is a natural extension of that evolution.
Thankfully, the skills we’ve picked up in communicating with clients and adapting to new technologies can serve us well. Those experiences have prepared us to take this new challenge head-on.