If your organization has a website, then you have a significant opportunity to access your customers, constituents, users, etc.  You also have a significant opportunity for security problems.  The subject of security often seems overly complex and insurmountable for functional users and technical experts alike.  But in the end, there are a number of simple best practices that you can follow that will dramatically reduce your chances of having an issue, and can also reduce the severity of any issue you do have. In over twenty-five years of dealing with web development technology, I've seen and handled just about every type of issue.  And I'd like to think I prevented quite a bit more!  So let's get started. Security issues should be prevented, not fixed important to prevent security issues instead of fixing them after they happen. Fixing things can be tough, time-consuming, and even cause collateral damage to your organization and customers. On the other hand, preventing issues is often easy and doesn't take much time. It's great news that preventing security issues doesn't require a lot of technical expertise. However, if you're already busy and have a lot on your plate, it can be overwhelming to know where to start. The first step is to assign someone in your organization to be responsible for website security. If you're reading this, it might be you! Don't worry, you don't have to understand everything about every security problem in the world. Your job is to keep things organized and know when to seek expert help. Main risks that cause website vulnerability Risk #1: Passwords One of the most common security risks we see is related to passwords. Users often save passwords in clear text on their PCs, share them with others, or log in from unsecured devices. This can lead to a loss of password control and make your website vulnerable to hacking. To prevent this, it's important to educate your users on best practices for password management. Remind them to update their passwords regularly and not to store or email them. This simple step can go a long way in reducing the risk of a security breach. It's also a good idea to appoint one individual in your organization to be responsible for user administration. This person doesn't need to spend a lot of time on this task, but they should run through a security checklist once a quarter or even monthly. They can log in to your CMS site manager and check if all users are still active and with the company. If not, deactivate those users. They can also check if any users have access rights they don't need and reduce access rights as appropriate. Finally, they can ensure that all users have updated their passwords recently. Remember, preventing security risks doesn't have to be complicated. Educate your users and run through a security checklist regularly. If you have any questions or concerns, don't hesitate to ask! Risk #2: Plug-Ins Another common security risk to be aware of is related to plug-ins. This can be especially concerning if you're using popular Open Source CMS systems. While these systems offer a wide variety of free plug-ins that can add functionality to your website, it also means that there is potential for nefarious plug-ins to be installed. This can open the door to more security risks and requires ongoing attention. It's important to be mindful of the plug-ins you install and to only use those that come from reputable sources. By doing so, you can reduce the risk of a security breach and keep your website safe for your users. Things to help mitigate the risks:

1. Make sure to do a web search of each plugin your site uses, including the theme.
   • If a serious vulnerability exists, you should be able to find articles or posts on technical forums regarding the vulnerability.
   • If you find that you have some suspect code already installed, then it may be time to call in an expert just to verify your security has not already been compromised.  The developer of your original website should be contacted.
   • If that is not an option, then the next best thing is to install the latest version of the plugin that has been security patched.  If you cannot find any new patch that specifically addresses the known exposure, then it’s often best to remove this plugin from the site entirely.
   • To avoid this situation in the future, before you implement a new plug-in, do a web search to verify no serious vulnerabilities exist that have not been addressed in a patch.
2. Make sure to plan to upgrade your CMS version on a regular basis.
   • Once again, this is probably a place to call in your original website developer or a skilled web developer to do.

Other Risks: Your users may be exposed to common risks at the desktop PC level, such as email phishing scams and website scams. While these risks are outside the scope of this post, it's important to educate your users on how to protect themselves. A simple rule of thumb is to never click on any link or attachment in an email unless it's from a trusted source. Additionally, they should avoid web surfing to any unknown or potentially malicious websites. By following these practices, your users can reduce the risk of exposing themselves and your organization to security breaches. Non-risks: In general, if you're hosting your website with a reputable provider, such as a trusted web development partner or a large hosting organization, your risks on the server side are usually not significant. However, it's important to keep in mind that these large hosting providers are not responsible for the security of your individual website. While they will keep their infrastructure running securely, they are not monitoring your website CMS system for the most common risks (such as those mentioned in #1 and #2 above). Therefore, it's still your responsibility, or that of your developer if you have an ongoing maintenance agreement with them, to ensure that your website is secure. In conclusion, avoiding security risks doesn't have to be overly technical or time-consuming. It's simply a matter of making sure that someone is taking the lead on it within your organization. By doing so, you can keep your website safe and secure for your users.