How to manage security risks for your CMS

CMS security risks and best practices

Learn how to approach multi-layered security to protect from external and internal threats.

Digital security is an enterprise-level concern for every organization, and it cuts across a wide variety of business areas and practices. Picking out the threats faced by content management systems in our latest webinar, David Habib, Chief Information Officer at Brightspot, offers an inside tour of the risks at play and some of the best ways to stop them causing havoc with your CMS.

If there’s data you’re trying to protect, you’re trying to protect it for a reason. That means there’s probably someone else who wants to take it from you.
David Habib, Chief Information Officer, Brightspot

To start, David highlights a few things that set CMS security risks apart from those faced by other enterprise solutions.

"The thing about your CMS is that it's right at the heart of the relationship you have with your reader or your viewer, whether that’s an intranet talking to your employees or a website where you're publishing news articles," he says. "It represents your brand. It's the medium that you’re using to communicate with your audience."

So where does CMS security fit in? If your CMS is compromised, it is not just a service or data problem: your brand and reputation take the hit as well.

He explains: "If I compromise a CMS, I have the opportunity to involve your brand or company in my scheme. If I send out a phishing email that's pretending to be from you, and I can link to a page that’s on your website, I get the halo of your brand. I can take advantage of your success and make my scam a lot more believable."

3 main types of security breach

Defacement
This is when someone changes how your content looks. It could be a large, obvious change, such as a whole webpage being swapped for a single image. It can also be far more subtle: an attacker adds a new page to your site, links to it from their own scam and borrows your brand halo.
Denial of service
This attack prevents you from providing your usual service. Instead of being able to use your CMS in the normal way to post new stories or updates, it’s disabled, freezing your ability to update content.
Exfiltration
This is the unauthorized transfer of data out of your system. If there’s data you think is worth protecting, then it’s likely others will see the value of taking it for themselves.

Backdoor break-in

It's easy to imagine that the darkest and deadliest threats come from hackers trying to penetrate your systems using sophisticated software and hyper-smart algorithms.

There’s no doubt that individuals, organizations and nation states are running these operations, and defenses need to be in place. But David is quick to point out that these head-on attacks tend to attract the majority of interest and investment when it comes to digital security, and so defenses are often already set up to meet them.

Instead, he’s keen to emphasize the scale of the threat posed by those on the inside, by those coming in, as it were, through the back door.

He says: "The biggest threat that we're facing with CMS security is actually the backdoor—the authorized user. So, the account that's been created so that I can go in and do my job. That's the door we need to worry about defending. We want to make sure that we're not letting people take advantage of the authorized use of our CMS, or to ride on top of that authorized use."

He cites the example of an employee who has left the business, but whose CMS credentials have not been closed down or turned off and still provide access to the system. This situation might also apply to a contractor who is no longer working in the organization or even an employee who has moved into a different role and has no need for their previous access to the CMS.

If these doors are left ajar, they present an opportunity for the nefarious operator to enter almost unnoticed.

Other weaknesses arise from clunky or impractical security processes that push busy teams into creating workarounds. In bypassing the security process, they open gaps in the fencing that others can follow them through.


Security in practice

Where employees have developed workarounds, the answer is not necessarily to be tougher on them, but to rethink your security processes so they are more user-friendly. If you can make compliance more convenient and less of a chore, then it’s easier to keep people on board.

Consistency matters too. David adds: "The first thing to do is make sure the best practices and policies that your company has put in place are flowing all the way into your CMS."

"So, your IT team, your security team, your risk and compliance team," he notes, "they've all got best practices and policies, and you want to make sure that you're working to get your CMS compliant with those things."

Steps to take in the face of a security incident

Key takeaway: make sure you're sticking with your security hygiene.

Maintain the human firewall
Keep everyone trained and watching out for phishing and social engineering, still a major source of compromised security.

Ensure that the right people have the right access
Least privilege, rapid off-boarding and regular account reviews will reduce the attack surface.

Review your reporting and response plans
Does everyone know how to report something suspicious? Are the right people monitoring those reports? Are the roles and responsibilities clear?

Take advantage of your connections
Work with your CMS partner to review your approach and discuss best practices.

It’s also easy in the digital environment to forget about the importance of people, but employees are an organization's best security asset.

David says: “Your best asset from a risk and security aspect is your employees and so you want to make sure you are keeping them trained and aware of what the threats are. We spend a lot of time talking about this with our employees and our customers.”

In addition to making security a high-profile and highly visible topic, David advocates the need for constant and ongoing training so people know how and where to report something that's not right. And these reports have to be taken seriously and the subsequent action monitored.

In the event something serious is uncovered, who is in charge of leading the response? Have responsibilities been clearly defined and apportioned? It’s a lot easier to do this now than in the middle of a crisis and it’s something that’s often overlooked.

Wrapping up his thoughts, David says: "When you're talking about your security strategy around your CMS, or around any one of your enterprise systems, you want to get defense in depth and to make sure that you have different layers and that you're looking at the different ways in which these risks can present themselves.

"You have to remain diligent and vigilant around the practices and people who use the system, the systems that protect the system and then the processes that are in place to react if something goes wrong."

To get David’s insights in full, watch the webinar.
