Protecting Your Corporate Website as an Enterprise Risk Management StrategyPublished September 12, 2017 by Karen Walsh • 6 min read
Organizations often view their websites as simple business cards that give customers infoffrmation, but protecting your corporate website as an enterprise risk management strategy can keep your data, customers, and reputation safe. Whether an organization is large or small, the client-facing website offers hackers easily exploitable vulnerabilities for ransomware or malware infections.
Why would a hacker want to exploit a corporate website?
Now, you’re probably thinking, “I just post free knitting patterns, so why would a hacker care about my website?” This is a great example of the value hackers find in innocuous corporate websites. A few months ago, a knitting blogger warned her audience about malware infestations arising out of free pattern downloads.
Of all the websites in the world, one would think free knitting patterns would be the most harmless. However, these websites are at risk precisely because they are least likely to seem dangerous.
Malicious attackers understand that these websites may have unsophisticated owners. They also recognize that they are less likely to trigger warnings from Google, Bing, Norton, McAfee, and others who look for irregularities on the websites to determine attacks.
What are corporate website vulnerabilities?
Security vulnerabilities are weaknesses that allow an attacker to reduce your system’s safety. A vulnerability may exist when the system has a flaw that the attacker is capable of accessing and exploiting.
Most corporate websites have similar vulnerabilities. Understanding what they are is the first step in protecting yourself against them.
Though non-tech people may imagine syringes filled with squirrels, SQL injections are not very interesting. The most exploited web application security vulnerability, SQL injections occur when attackers try to access or corrupt databases using exposed application elements, such as form fields or URLs.. Upon accessing the databases, the attackers can copy, change, or interact with most information in the back-end database.
Cross Site Scripting (XSS)
Broken Authentication & Session Management
Any login requirement is a potential vulnerability. Whether the purpose is to allow commenting on the website or create a persona that helps organize data, your organization is at risk.
Sometimes, malicious attacks keep logins from timing out, placing a user at risk when on a shared computer. Sometimes these are related to what is called “session fixation.” These attacks take the data—hidden in the URL or as a cookie— that allows the web server to recognize a visitor, and then creates new sessions from that data.
These are the Little Red Riding Hood hacks. They dress up as grandma to hide that they’re really the Big Bad Wolf trying to eat your reputation.
Insecure Direct Object References
These are not grammatical phrases with low self-esteem. Rather, a direct object reference occurs when a URL or request links to other files, keys, or URLs. Think about a user wanting to download or export a PDF file. The name of the file may be part of the URL from the website. If an attacker changes the information in the URL, then the user downloads an invalid, and potentially malicious, file. This file creates an access point into the user’s personal data.
This hackortunity arises out of a lack of security sophistication. When organizations don’t personalize the applications, web servers, database servers, or platforms, the default installation settings can be exploited.
These kinds of vulnerabilities can be prevented by changing default passwords, disabling unused or unneeded accounts and functionality, and applying software patches in a timely manner.
Cross Site Request Forgery (XSRF)
In the information security world, this can also be referred to as Sea Surf or Session Riding, though XSRFs should really be called Loki since they’re the tricksters of vulnerability exploits. To hack your users, the malicious actor studies the code in your applications and looks for ways to redirect traffic or manipulate user actions without their consent.
Once they identify a weakness in your code, such as images or other web page elements that are loaded from a non-secure location, the attackers move to exploit it. They may insert code into an image request that secretly passes information to another site (especially user credentials), or executes another action such as a purchase with the credentials a user entered onto the legitimate website.
For users who have their login information saved on a computer, this link will not only automatically log them into the site but also initiate an action. In some cases, this can be a transfer of money or other personal data.
Why protecting your corporate website as an enterprise risk management strategy matters
True ERM requires a holistic approach starting with what drives performance. Organizations not only need to focus on their internal controls to protect their internal data systems, but also need to consider protecting visitors to their website. Corporate websites add value to your organization, so a successful business will have a client-facing website.
Many businesses may think that these websites are simply an electronic business card and don’t affect client satisfaction. However, if hackers compromise your website, you risk significant reputational damage.
Building a successful brand requires building customer trust. Customers today are notoriously cynical when it comes to corporate America but equally loyal when they believe in a brand. This customer loyalty arises out of quality and trust. Your demographic follows your website and social media presence to learn about you. If you have a corporate blog, you will have traffic from both regular followers and one time visitors.
A single exploit of your corporate website, then, can harm clients and potential customers. This leads to a loss of revenue. In the digital age, a malicious attack perpetrated through a corporate website can trash online reviews and devastate the company.
This means that organizations need to realize the value of protecting their corporate websites as an enterprise risk management strategy.
How do you incorporate protecting your corporate website as an enterprise risk management strategy?
Once your organization has labeled its corporate website as a performance driver, you need to determine your tolerance for the risk it poses and provide steps to mitigate risks down to an acceptable level.
Many organizations underestimate the damage that a corporate website hack can have on company performance. According to Google, the number of hacked websites increased by 32% in 2016 and will likely continue to increase. This means not only that corporate websites will continue to pose a risk, but also that the risk will continue to increase. The increased potential for exploitation may make corporate website security a critical risk within your ERM strategy, which should lower your tolerance for risk and motivate increased security measures.
Once you have identified the risk, you need to think about ways to mitigate it. Protecting your corporate website involves ensuring up-to-date software. Monitoring software updates is the leading protection against malicious attacks, so this should be your first step.
Other mitigation processes are available. Parameterized queries, for example, create a placeholder in your query. Parameterized queries are abstractions. Think about an Excel spreadsheet. If you’re putting a formula in the cells, that’s an abstraction. When other people fill in the data that allows the formula to compute, you get a real answer. A parameterized query works similarly. This means that if a malicious attacker wants to gain entry to your database, they need to be able to find the right parameter as opposed to just gaining information about a single person in the organization.
Content Security Policy
Creating a content security policy (CSP) means configuring a web page’s values so that you can control the resources your user agent is allowed to load. It requires code in the HTTP header of a web page. One common CSP is having your server specify that data transfers come only from HTTPS websites, thereby adding a level of security to your software, and thus your hardware.
In the information security world, you can never hear the phrase “strong password” enough. Particularly when looking at client-facing aspects of your business, you want to ensure that the passwords keep out intruders. If your corporate blog content providers don’t have strong passwords, that creates a possible breach into your corporate website.
The clarion call for HTTPS seems ubiquitous these days. However, while users are encouraged to seek out only HTTPS versions of websites, they protect your business side of the house just as much.
In short, an HTTPS creates a private handshake between your website and the user to make sure that no one else can gain entry during that person’s session. Codes are encrypted before they are exchanged, keeping everyone more safe from hackers than a traditional HTTP.
How automation can track your corporate website protection and strengthen your ERM strategy
Once you have reviewed and mitigated your risks, you need to monitor your controls continuously. With the variety and complexity of information security requirements, the static corporate website seems like a lesser concern. This means that your corporate blog or website offers a weakness that malicious attackers can exploit.
An automated GRC platform allows you to control and track the needed reviews. ZenGRC, for example, offers the ability to set a “To Do,” assign the task, and then track whether the task has been completed by the appropriate person. By delegating these responsibilities and easily reviewing their completion status, you engage more fully in your monitoring.
Automation provides a visibility that allows you to drill deeper into the compliance well while detecting whether you’ve hit water or oil. With ZenGRC, you avoid the time and effort it takes to coordinate schedules and items across spreadsheets, and instead benefit from a one stop spot to see everything and manage smaller details more efficiently.
For more information about whether it’s time for you to automate your compliance, review our infographic “A Compliance Tool Roadmap.”