October 18, 2018
Director of Cybersecurity
Based on a study of over 40,000 WordPress websites in the Alexa top 1 million list, more than 70% of installations are vulnerable to hacker attacks. If those websites that represent some of the highest traffic WordPress installations are vulnerable, how tough do you think the security is for medium to large sized company sites? The answer of course is not very.
Websites are not part of the cybersecurity strategy for many medium to large companies. So the website probably doesn’t get updated very often, if ever. The only time a site gets any kind of attention is usually during a major overhaul like an upgrade or redesign.
The reason for this is twofold, first is because your cybersecurity team doesn’t understand website technology. It is prevalent among typical medium to large sized companies to outsource their IT work under a managed service provider (MSP) contract. This is usually where the cybersecurity budget is spent: on anti-virus, network monitoring and maybe employee training. Those systems are not on the same platform as the website, they’re not on the same server or even in the same state! The website is hosted in a shared server, in the cloud or at a colocation facility. And the technology is open source, constantly changing and definitely NOT Microsoft. So IT/MSP providers tend to ignore the website and concentrate on the technology they know best.
The second reason is because websites are usually under the purview of the marketing departments not IT. About 20 years ago when every company was starting to develop it’s second or third generation website, the development of sites grew past the ability of IT managers’ skill sets. They could no longer complete the complicated programming necessary to keep pace with the abilities of the growing group of outsourced developers. So companies outsourced development through the marketing departments to advertising agencies, design firms, marketing firms and website development shops. And those outsourced development teams gravitated toward WordPress for development.
Once the site was developed the site was dumped into a hosting area and then left to run. It was typical for the developers to provide no ongoing support or assistance for the websites they developed. Agencies went off to build other sites for other companies. Marketing departments not used to managing technology never thought to ask questions about security during development, don’t know anything about software cycles and have no training or tools to monitor for cybersecurity threats.
As a result the website, a key piece of a company’s technology goes without any critical cybersecurity oversight. The IT departments don’t manage it and the Marketing departments don’t know how to keep the site safe.
Mark Bursic is an expert in security, technology and politics. His firm Political Technology helped shape the landscape of state and federal politics by playing a part in the election of hundreds of state representatives, senators and governors as well as US congressmen, senators and presidential hopefuls at the dawn of the age when politics began moving online. He’s currently founder and director of cybersecurity for the Pittsburgh based startup Critical Syntax. CS helps companies and organizations with cybersecurity strategies for WordPress websites. https://criticalsyntax.com