In today’s febrile online world of international cybercrime and espionage, website security testing needs to be central to every brand’s operations. As the amount of sensitive data held by companies steadily increases and the levels and sophistication of cyberattacks continue to mount, huge financial penalties and brand damage await those who fail to meet the challenge.
The true cost of website security lapses
According to IBM, the average cost of a data breach is now estimated at $4 million. The maximum fine for failure to comply with the GDPR is up to €20 million, or 4% of annual global turnover – whichever amount is greater.
BA’s recent fine of £183 million following a major website hack in 2018, and Mumsnet’s latest high-profile site failure, where confidential customer details were exposed to other website users, remind us that security lapses are costing brands of all kinds cash, resources and reputation every year.
The latest IBM report suggests that many brands’ preparation is insufficient to react when the worst happens, with recovery planning slow and inadequate. But, we would argue, continued vigilance in the shape of ongoing and systematic security testing is also crucial to help prevent these lapses from happening in the first place.
In a digital landscape characterised by continuous delivery and frequent software updates, ensuring your website isn’t at risk of leaking data, or otherwise an ‘open door’ for cyber-criminals, should be a constant priority.
Types of security testing
Security testing helps ensure your website is free from any vulnerabilities, threats and risks that could potentially cause catastrophic losses for your company.
But what kinds of security tests can be performed on your systems? What do they test for, and how can they be harnessed to protect and secure your brand from lapses, hackers and cybercrime?
Types of security testing include:
Security scanning: This is the generic name for a variety of checks that can be made across your servers, networks and websites. Both manual and automated scanning can be performed on a one-off basis or as a regular series of tests. Weaknesses and risks are identified and solutions for reducing these risks can be suggested as a result.
Vulnerability scanning: Automated tools can scan web applications to look for known security vulnerabilities, including SQL injection, path traversal and insecure server configurations. These scans typically inventory the weaknesses they find rather than test or explore the extent of the risk each one poses. Scans of this kind can also inadvertently cause crashes if the target operating system treats the scan traffic itself as an intrusion, so they should be scheduled and scoped with care. There is a range of scanning solutions on the market, from expensive enterprise-level products to free open-source tools.
Penetration testing: In penetration testing, the scope and parameters of the security test are defined first, and the test is then executed by human testers using a range of tools. These tests involve attempting any and all known attack techniques against an application. The penetration tester simulates attacks, and an attacker’s environment, from an attacker’s perspective, with the key objective of identifying security weaknesses across the entire application: its source code, database and back-end network. Penetration testing also helps businesses prioritise the identified vulnerabilities and threats, as well as the possible ways to mitigate them.
Risk assessment: Security experts will assess and categorise the risks posed by your websites, including:
- The likelihood of a threat occurring;
- The impact on your business if the threat occurred;
- The adequacy of your existing countermeasures;
- A proposal for proportionate measures to reduce the risk.
Security auditing: This is an internal inspection of applications and operating systems for security flaws. An audit can also be carried out through line-by-line inspection of code.
Ethical hacking: Testers simulate attacks by malicious hackers and then analyse and report on the vulnerabilities exposed by their attempted attack. Ethical hackers will do whatever it takes, within the agreed scope, to bypass system security and search for any weak points in your web architecture. Ethical hacking is an excellent way to uncover real-world vulnerabilities as they would present themselves to serious and determined cybercriminals.
Cybersecurity Posture Assessment: This is a formal assessment of an organisation’s maturity in cybersecurity competencies. It typically combines security scanning, ethical hacking and risk assessments to show the overall strength of the digital security posture of an organisation and make recommendations for specific and holistic improvements.
All website security testing and the measures you implement on the basis of its results should be proportionate to the risk that failure could pose to your customers’ data and your business as a whole.
But as websites and apps are constantly being updated, and new cyber threats are continually emerging, the security and resilience of your applications are constantly subject to change.
With record fines being imposed by regulators for security lapses, and the deep sensitivity of customers to data breach scares, brands should be incorporating ongoing security checks into their website testing regimes as a matter of course.