Learn how to approach multi-layered security to protect from external and internal threats.
Digital security is an enterprise-level concern for every organization and it ranges across a wide variety of business areas and practices. Picking out the threats faced by content management systems in our latest webinar, David Habib, Chief Information Officer at Brightspot, offers a inside tour of the risks at play and some of the best ways to prevent them causing havoc with your CMS.
If there’s data you’re trying to protect, you’re trying to protect it for a reason. That means there’s probably someone else who wants to take it from you.
To start, David highlights a few things that set CMS security risks apart from those faced by other enterprise solutions.
"The thing about your CMS is that it's right at the heart of the relationship you have with your reader or your viewer, whether that’s an intranet talking to your employees or a website where you're publishing news articles," he says. "It represents your brand. It's the medium that you’re using to communicate with your audience."
But where does CMS security fit here? Well, the point is that if your CMS is compromised, it's not just a service or data issue, it's also your brand and reputation that gets hit.
He explains: "If I compromise a CMS, I have the opportunity to involve your brand or company in my scheme. If I send out a phishing email that's pretending to be from you, and I can link to a page that’s on your website, I get the halo of your brand. I can take advantage of your success and make my scam a lot more believable."
3 main types of security breach
It's easy to imagine that the darkest and deadliest threats come from hackers trying to penetrate your systems using sophisticated software and hyper-smart algorithms.
There’s no doubt that individuals, organizations and nation states are running these operations, and defenses need to be in place. But David is quick to point out that these head-on attacks tend to attract the majority of interest and investment when it comes to digital security, and so defenses are often already set up to meet them.
Instead, he’s keen to emphasize the scale of the threat posed by those on the inside, by those coming in, as it were, through the back door.
He says: "The biggest threat that we're facing with CMS security is actually the backdoor—the authorized user. So, the account that's been created so that I can go in and do my job. That's the door we need to worry about defending. We want to make sure that we're not letting people take advantage of the authorized use of our CMS, or to ride on top of that authorized use."
He cites the example of an employee who has left the business, but whose CMS credentials have not been closed down or turned off and still provide access to the system. This situation might also apply to a contractor who is no longer working in the organization or even an employee who has moved into a different role and has no need for their previous access to the CMS.
If these doors are left ajar, they present an opportunity for the nefarious operator to enter almost unnoticed.
Other weaknesses may arise out of clunky or impractical security processes which encourage busy teams to create workarounds. In bypassing security process, they expose gaps in the fencing through which others can follow.
Security in practice
Where employees have developed workarounds, the answer is not necessarily to be tougher on them, but to rethink your security processes so they are more user-friendly. If you can make compliance more convenient and less of a chore, then it’s easier to keep people on board.
It’s also important to have consistency and David adds: "The first thing to do is make sure the best practices and policies that your company has put in place are flowing all the way into your CMS."
"So, your IT team, your security team, your risk and compliance team," he notes, "They’ve all got best practices and policies and you want to make sure that you’re working to get your CMS compliant with those things.”
Steps to take in the face of a security incident
It’s also easy in the digital environment to forget about the importance of people, but employees are an organization's best security asset.
David says: “Your best asset from a risk and security aspect is your employees and so you want to make sure you are keeping them trained and aware of what the threats are. We spend a lot of time talking about this with our employees and our customers.”
In addition to making security a high-profile and highly visible topic, David advocates the need for constant and ongoing training so people know how and where to report something that's not right. And these reports have to be taken seriously and the subsequent action monitored.
In the event something serious is uncovered, who is in charge of leading the response? Have responsibilities been clearly defined and apportioned? It’s a lot easier to do this now than in the middle of a crisis and it’s something that’s often overlooked.
Wrapping up his thoughts, David says: "When you’re talking about your security strategy around your CMS, or around any one or your enterprise systems, you want to get defense in depth and to make sure that you have different layers and that you’re looking at the different ways in which these risks can present themselves.
“You have to remain diligent and vigilant around the practices and people who use the system, the systems that protect the system and then the processes that are in place to react of something goes wrong.”
To get David’s insights in full, watch the webinar.