Photo by MILKOVÍ / Unsplash

Some conversations are easy; some are difficult. Some are harmonious and some are laborious. But when it comes to website security, the conversation is confusing.

Every organisation agrees, in theory, that their websites need to be secure. But in practice, there is resistance to investing enough time and budget. Reasons for neglecting security include misconceptions surrounding Web Application security.

Below I’ve outlined some of the most common myths and misconceptions that can often put your website at serious security risks.

My website is not the target of an attack because it is small and I run a small business.

An average small business website is attacked 44 times per day. In addition, a low profile website is a nice playground for hackers to try out new tools and techniques. Hackers often use automated tools to find various vulnerable websites and don't discriminate when it comes to the size of the target. Any web application, even if it is not itself a target, may be of interest to attackers. Web applications with lax security are easy pickings for hackers and can be subject to a mass or targeted cyber attack.

The good news is that there’s an increasing number of security services to help protect websites from those automated scripts. Plus, these services are also affordable. For example, Cloudflare offers a free and affordable services to mitigate those types of attacks.

We have not been attacked in years so, there’s nothing to worry about

Just because you can’t see an attack, it doesn't mean it isn’t happening.

According to one of the studies, at any given moment, 18.7 million sites around the world are infected by some form of malware. Automated web attacks that fly under the radar are damaging businesses at a large scale. Some bots are dangerously adept at operating under the guise of a legitimate user.

Even if your site hasn't been attacked, there are easy-to-use, non-evasive security services like Cloudflare that offer protection and visibility into a website’s traffic, thus providing peace of mind for your business.

Security has no ROI. We’d rather invest toward new revenue opportunities

Regardless of the industry, company size, product or service, cybersecurity is crucial in today’s business world. The costs of dealing with various repercussions of a data breach (like loss of customer trust, loss of brand reputation, compliance fines etc) are much higher than the cost of making investments to secure the website.

The digital economy fuels business opportunities for many organisations by connecting people, processes, and data. Any organisation should avoid attacks that might disrupt their business and erode customer confidence.

Luckily, there are several digitally-focused cybersecurity services like Cloudflare that can neutralize the advantage in time and intelligence that hackers develop. Such services improve operational responsiveness and risk mitigation, thus leading to greater competitive advantage.

Website penetration testing guarantees the necessary security protection

Penetration testing is and should be an important part of web application security, but it should never be the only means of testing security. With a plethora of new technologies comprising the application stack, security gets more complex by the day. While traditional penetration testing would only cover the outlying areas of the web application, it would not scale to cover each and every layer of the application stack.

Web Application security involves securing the complete application stack, right from Layer 1 to Layer 7 (OSI model). Modern application security also includes the inherent security of the entire production system – including the technology, tools and practices used to deliver it, as well as development and production environments and culture of the entire DevOps stack.

Many modern security services, like Cloudflare, allow organisations to address the need for security at all layers of the application stack. This, while also ensuring that the DevOps stack is secured at all layers down to the core infrastructure being used in the environment.

I have thoroughly tested my website and have fixed most of the known bugs. My site is completely secured now

Security is also about constant monitoring and testing the complete stack of your application.

In the latest White Hat study, the organisations that conducted security testing had, on average, as many as 10 vulnerabilities and only 50% of them got fixed. Modern websites are constantly changing. Every new line of code has the potential to introduce a new security issue.

Good security practices include having ‘visibility’ and necessary ‘verifications’ of the traffic patterns and the security posture of your website. Many modern Web monitoring tools, like Google Alerts, provide affordable, easy to use visibility and verification strategies.

The ability to measure web application security is critical for any business having a web facing asset. Attack metrics like ill reputed data (IP, tracking IDs), attacks by countries and IPs, most attacked URLs, etc. need to be measured. Such data provide context, awareness and actionable response about current and emerging threats.

Modern security services like Cloudflare in combination with web monitoring tools provide the necessary visibility and verify that the right security measure for your site are in place .

Website security is the sole responsibility of the security team.

Safety works when everyone works together.

In an organisation, security is everyone’s responsibility . The best companies in the world avoid a silo-based corporate structure, making them less vulnerable to loss of data and disruption of services. Instead, they focus on developing systems that combine technology, processes, safeguards, management (people), and systems into a single integrated threat protection framework.

The best practise is always for the various stakeholders (Dev teams, Security, IT teams, Management) to communicate effectively to better understand their respective roles and how they, in fact, rely on each other to safeguard business operations.

Cloud computing brings benefits like lower fixed costs, flexibility, automatic software updates, increased collaboration, and the freedom to work from any geographical location.

While many organisations see these benefits and are moving their assets to the cloud (at least partly), cloud architecture also brings with it new security challenges. With the advent of cloud-based platforms, the attack surface area has increased.

There have been several cases in the recent past where a misconfiguration of the services in the cloud has led to data breaches. While many well-known cloud providers (like AWS, GCP, Azure) provide tools and services for security, the correct configuration of the tools and the responsibility of the security of the application still remain with the organisation utilising such tools.

Many of the security focussed organisations that utilise cloud services for their web facing assets add an additional layer of security services at the edge of their cloud network. Few of the modern security services that are cloud agnostic, can sit on the network edge of the cloud and provide an extra layer of security.

Do these statements ring a bell? If so, maybe you need to update the way your organisation approaches these points? With this new way of thinking in place, you are set to move forward. Cloudflare’s security services can assist you and your organisation in enhancing your approach to security.

Cloudflare’s security services provide easy to configure resilience and the right level of protection for an organisation's web assets. This allow companies to focus on building new business opportunities and services while spending minimal effort on the security of their web assets.