Who built your website?
Many entrepreneurs hire an acquaintance, a student, a fellow entrepreneur or a web developer to build the company website. That may be a practical and often inexpensive solution. But all too often, digital security is not given enough attention, or is overlooked entirely.
How is my website developed?
Ask your supplier whether the development followed the 'secure by design' principle, meaning that security was built into the software from the start rather than added afterwards. Even then, there is no such thing as 100% security. Developers are human and can make mistakes, no matter how securely they work. Applications can contain vulnerabilities, and those are exactly what cybercriminals look for; once they find one, they will try to exploit it. So ask the developer whether the delivered application has been tested by an independent third party, and ask for the results. The builder of the website should also work to well-known web application security standards, such as the Web Standards and Specifications from OWASP and the ICT Security Guidelines for Web Applications from the NCSC.
Tips for determining security
What can you do as an entrepreneur if your company website was developed some time ago and you are not sure whether it is secure? You do not need in-depth IT knowledge to answer that question. Use the questions below and discuss them with the parties that are (or have been) involved in building your company website. This will give you a good idea of how secure your website is.
1. How does my website rank on internet.nl?
On the website internet.nl you can check whether your website and email address meet the latest internet standards free of charge. Although this check is not a security test, it does provide very useful information that you can discuss with your supplier or system administrator. Internet.nl has also set up a 'hall of fame' for hosting companies (in Dutch) that score highest when it comes to applying modern internet and email standards.
2. Does my website use a secure connection?
You can easily check whether your website uses a secure connection. Go to your (company) website and check whether the URL in the address bar at the top of the browser starts with https://. The 's' stands for 'secure'. You will also see a lock icon, in the address bar or (in some browsers) at the bottom of the browser screen. If you click on the lock, you can see whether you are actually connected to the correct website, i.e. whether the certificate was issued for your domain name. If the address starts with http:// instead, the website uses an unsecured (http) connection.
Note: If you use Google Chrome version 76 and higher, www. and https:// are no longer shown, but the lock is. When you do visit an http:// page, the address bar will indicate that the connection to the website is not secure.
3. Is a security certificate installed?
If your website uses an unsecured (http) connection, that means no security certificate is installed, or the installed one is not valid. With a valid certificate you ensure that the communication between the browser and the server is encrypted and that visitors can verify they are talking to your site. You can request a security certificate for your company website yourself, through your hosting provider or a certificate supplier. This party can tell you which types of certificate exist and what they cost. A certificate does not always have to cost money; free variants are also available, such as Let's Encrypt. A free Let's Encrypt certificate has a short validity period, which means you need to replace it often. Its validation is also limited: it only proves control of the domain name. Paid certificates can additionally validate the organisation behind the website manually, not just the owner of the domain, and the issued certificates are often valid for several years.
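As an added example that is not part of the original guidance, the following Python script (standard library only) performs the check behind questions 2 and 3 from a terminal rather than a browser: it connects to the site over HTTPS, verifies the certificate chain and hostname, and reports how many days remain before the certificate expires, which matters for the short-lived Let's Encrypt certificates mentioned above. The host name, dates and sample certificate are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the host name, issuer and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.nl"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.nl"), ("DNS", "www.example.nl")),
}
SAMPLE_NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)  # constructed "today"


def fetch_peer_cert(host, port=443, timeout=5):
    """Connect over TLS with the default (verifying) context and return the
    leaf certificate; an untrusted chain or wrong hostname raises SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _san_matches(pattern, host):
    # A wildcard covers exactly one DNS label, as browsers apply it.
    if pattern.startswith("*."):
        return host.lower().split(".", 1)[1:] == [pattern[2:].lower()]
    return pattern.lower() == host.lower()


def assess_cert(cert, host, now=None, warn_days=14):
    """Summarise validity and hostname coverage of a getpeercert() dict."""
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return {
        "issuer": issuer.get("organizationName", "?"),
        "validity_days": (not_after - not_before).days,  # 90 for Let's Encrypt
        "days_left": (not_after - now).days,
        "expired": now >= not_after,
        "renew_soon": (not_after - now).days < warn_days,
        "hostname_ok": any(_san_matches(s, host) for s in sans),
    }


if __name__ == "__main__":
    import sys
    site = sys.argv[1] if len(sys.argv) > 1 else "www.example.nl"
    print(assess_cert(fetch_peer_cert(site), site))
```

Run it as `python check_cert.py yourdomain.nl`; a failed chain or hostname verification surfaces as an exception, and "renew_soon" tells you whether the renewal your supplier promised is actually happening.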
4. Does my website use the most recent security updates? If not, why not?
For a secure website, it is very important that the code of the website is kept up to date to reduce security risks. Security updates are released on a regular basis. They contain fixes for all parts of your website, including, for example, the content management system (CMS) in the background and its plugins. To maintain security, these updates must actually be applied to your website. If the supplier chooses not to update, it is always good to know why. It can be difficult for you as an entrepreneur to check whether everything is up to date, but you can make specific agreements about this. For example, ask your supplier when the latest security updates were applied, or ask to be kept informed about this. Do not forget to ask whether there are any outdated plugins on the website, as these are often easy entry points for cybercriminals.
5. How is access to my content management system protected?
Many company websites are delivered with an underlying content management system (CMS) for managing the content on the website. Ask your supplier how access to the CMS is arranged and what security measures have been taken to protect it. To ask your supplier the right questions, it is recommended that you go through these steps (in Dutch) yourself, or together with the supplier.
6. When was my website last tested for security risks by a third party?
Your website may have been online for years, but do not forget to have it examined periodically - at least once a year - by an independent, external party. Ideally, you should determine the size and depth (the scope) of the test together with the security company's experts. What you should pay attention to when looking for a suitable security company is described here (in Dutch).
One of the best-known types of security test is a penetration test, also known as a pen test. In a pen test, the testers look for vulnerabilities in your systems and use them, as an attacker would, to check whether they can actually break in. There are plenty of companies in the market that can test security. When determining the scope of the test, do not forget to include any web services and APIs that your company (consciously or unconsciously) offers, before you put them online.