Working with your vendor to manage cybersecurity

For most website owners (especially those without a dedicated IT team in-house), their relationship with their web vendor is crucial to managing cybersecurity outcomes.

Proactively managing your site's security with the help of your vendor is key to significantly reducing the chance of an incident, and a costly recovery (and a stink time!).

Here are some things to think about when working with your vendor on cybersecurity, much of which we’ve learned along the way.

    Published:
    Oct 22, 2024
    Written by:
    Tim Grubb

    Define “maintenance”

    Having a maintenance agreement doesn’t necessarily mean your site is being maintained to a safe standard. It's important to understand what your maintenance budget is actually paying for, and what happens if maintenance requirements exceed this.

    For example, our standard maintenance agreement is that clients pay for a set number of hours that are specifically for our team to proactively maintain their web platform, with the goal that all software is up-to-date all the time. If more work is needed to achieve that goal and the bucket of hours is gone, we talk to clients before doing more work. We tailor the hours and cadence to the clients' specific needs.

    There are a number of ways this kind of maintenance work can be managed from a commercial point of view. The main thing is to be on the same page with your vendor about what maintenance is actually being performed on your site.

    Who’s responsible for what

    If no one owns a risk, then no one is responsible for it. A cybersecurity checklist or assessment tool is an easy way to identify the relevant risks and understand who owns each one. It’s easy to assume it all falls to your vendor, or to someone else in the business, but that is how things fall through the cracks.

    For example, most web security incidents are due to human factors like poor passwords, bypassing MFA or getting tricked by a dodgy link in an email. This risk will almost always sit with site owners rather than a vendor.

    Security assessment tool: security practices, policies and processes

    Lock down access

    In the old days, the main security concern was who had access to your website, so regular audits of site editors and admins were the order of the day. Now it's also important to tighten up how people access your site. Put simply, passwords are no longer sufficient to protect access to key platforms and services, because they can so easily be compromised. If you don’t have two-factor or multi-factor authentication on all access to your web services (like CRMs and CMSs), ask your vendor to help set this up.

    If you do one thing this cybersecurity month, make it this.

    Read a guide to two-factor authentication on the Own Your Online website

    Focus on how private data is managed

    Some security incidents can be relatively low-impact, but not if personal and/or financial details are involved. You could be legally required to report a data breach, and that is a position you, your website audiences and your community just don’t want to be in.

    So while you can let a lot of the technical aspects of how your website works wash over you, it's worth spending some time to understand how privacy and security work on your site. A lot of solutions that were fit for purpose when a site was built are no longer so, and this is a conversation to have.

    Things to talk about include:

    • Do we actually need to collect this data? A lot of sites used to collect information just because they could, but this can be worth another look. Less can be more!
    • What data is kept and is it stored appropriately? The key thing to look for is the weakest point in a system. Sure, the core website might be secure, but data might pass through a service, or end up stored somewhere, that's not fully secure.
    • Ultimately it is worth undertaking a Privacy Impact Assessment if you have any concerns about the management of private data through or on your site.

    Read the Privacy Impact Assessment Toolkit on the Office of the Privacy Commissioner's website

    What happens if there is an incident?

    If there's a cybersecurity incident on your site, it's important to have some understanding of what level of support your vendor will provide. Key questions are:

    • How often is the site backed up and how quickly can it be “rolled back” (reverted to a previous version)?
    • What are your vendor’s obligations to support investigations and/or mitigate the impacts of security incidents?
    • What cyber insurance does your vendor have and what does it cover?

    Conclusion

    Cybersecurity can feel complex, but by getting a few things in place it can be pretty manageable and save a lot of potential headaches.

    If you're unsure whether any of the points we've covered apply to your website, we reckon a conversation with your vendor is a great place to start.

    If you want to unpack this a bit more with us, or just chat about your website’s security we are of course here to help – get in touch.


    Further info and general guidance

    There's lots of general cybersecurity guidance, and every organisation's level of risk varies, but some useful links to explore include: