Cybersecurity: Is your CMS a risk to your business?
Your Content Management System (CMS) is a key component and public face of your business. But software applications and websites are key entry points for cybercriminals. Defending your CMS ecosystem from cyberattacks is vital to keeping your business safe.
Cybercrime stats are the stuff of nightmares
It's estimated that a business falls victim to a ransomware attack every 14 seconds and that the global cost of cybercrime is $6 trillion per year. By 2025, the annual cost worldwide could reach $10.5 trillion. From the smallest business to the largest tech giants, every size and type of company has suffered breaches. And it's not just financial costs. Brand damage and lost trust may never be restored - particularly if customers are put at risk. Read on to learn why your CMS could be your weakest link and three steps to take now to strengthen your defences.
Complexity is security's nemesis
Software development has changed beyond recognition over the last few decades. The rise of open-source software (OSS), distributed systems and hybrid cloud architectures combines to create complex, multi-layered ecosystems within every business. Protecting these ecosystems against cyberthreats is challenging. Security needs to be built in at every level and constantly updated to match the threat landscape.
Challenges of OSS
OSS comprises a large part of most modern software. It brings cost-savings, innovation, flexibility. And risk. OSS developers range from unpaid enthusiasts to teams in high-tech conglomerates. Some follow security best practices, others don't. Developers move on, leaving products unsupported. The lines of responsibility for managing and maintaining code (including security updates) are often blurred.
It's not just OSS
Any part of a supply chain can introduce risk, as demonstrated by the SolarWinds Orion attack. Bespoke developments too are vulnerable if developers don't adhere to best practices. Software reuse is a common practice, but code often becomes deeply embedded within applications, making maintenance hard. Software documentation may be incomplete or out-of-date.
The CMS risks
Many companies use an open-source CMS, such as Drupal, Joomla, WordPress or Umbraco. And most enhance their CMS with plugins, 3rd-party products, bespoke extensions and integrations to other business-critical systems - expanding their attack surface. Customer-facing portals present additional security risks around identity-related attacks - another aspect to consider if the portals are created using the CMS. Cybercriminals focus their efforts on websites using components with known vulnerabilities. Zero-day attacks get publicity, but many websites are breached through years-old flaws that businesses failed to patch. Businesses struggle to keep their CMS ecosystems up-to-date. Updates require analysis, regression testing and changes to other systems. And do you even know whether you're using a particular version of an obscure open-source library that needs patching? A CMS often has many users, including content creators, managers, developers and IT support. A lack of suitable identity, authentication and access controls can open the door to hackers.
What can be done?
Every business has unique cybersecurity requirements, driven by factors such as its size, digital transformation journey, legacy systems, and data stored. A cybersecurity programme can cover a range of strategies, from zero trust and AI to penetration testing and user training. Wherever you are with your programme, here are three actions you can take now to shore up your CMS defences.
1. Understand your ecosystem
What you don't know can hurt you. Analyse your CMS ecosystem to create a list of its components and dependencies. Automated tools can help develop a comprehensive Software Bill of Materials (SBOM). With this foundation, analyse risks and prioritise mitigations. Do you have components from untrusted suppliers or that can't be fully evaluated? Can you remove or replace them? Check for outstanding security updates and plan implementation depending on the severity of the vulnerabilities they're fixing.
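As an added illustration of this step (not code from the original article), the script below reads a constructed CycloneDX-style SBOM for a hypothetical CMS install, matches its components against a constructed advisory list with placeholder identifiers, and returns the outstanding updates ordered by severity so the most urgent patches are planned first. Component names, versions and advisory IDs are all assumptions.

```python
import json

# Constructed sample SBOM (CycloneDX-style JSON) for a hypothetical CMS install.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "components": [
   {"type": "application", "name": "example-cms",       "version": "9.4.1"},
   {"type": "library",     "name": "gallery-plugin",    "version": "2.0.3"},
   {"type": "library",     "name": "legacy-xml-parser", "version": "1.2.0"},
   {"type": "library",     "name": "auth-bridge",       "version": "3.1.0"}
 ]}
"""

# Constructed advisory feed with placeholder identifiers (not real CVEs):
# each entry names the affected component, the first fixed version and severity.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "gallery-plugin",
     "fixed_in": "2.1.0", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-2", "component": "legacy-xml-parser",
     "fixed_in": "1.3.5", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-3", "component": "auth-bridge",
     "fixed_in": "3.0.9", "severity": "medium"},   # installed 3.1.0 already has the fix
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))

def outstanding_updates(sbom_json, advisories):
    """Return the advisories that apply to components in the SBOM, most severe first."""
    components = {c["name"]: c["version"]
                  for c in json.loads(sbom_json)["components"]}
    hits = []
    for adv in advisories:
        installed = components.get(adv["component"])
        if installed is None:
            continue  # the SBOM shows this component is not in our ecosystem
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            hits.append({**adv, "installed": installed})
    return sorted(hits, key=lambda a: SEVERITY_RANK[a["severity"]])

if __name__ == "__main__":
    for hit in outstanding_updates(SBOM_JSON, ADVISORIES):
        print(f'{hit["severity"]:8} {hit["component"]} {hit["installed"]} '
              f'-> {hit["fixed_in"]} ({hit["id"]})')
```

A real SBOM generated by an automated tool would be read from a file, and the advisory list would come from your CMS vendor's or a vulnerability database's feed.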
2. Check your backups
If your systems are paralysed by a ransomware attack, can you rely on your backups to restore business-critical data? In many cases, the discovery of a missing component or backup failure is only made when it's too late. With the complexity of modern systems and hybrid cloud architectures, it's critical to assess where data is stored, what must be backed up and how frequently. Test your CMS backups to check integrity and completeness - and ensure you can recover your data when and where you need it.
3. Review users
Could a lack of CMS access and identity controls be an open door to hackers? A zero-trust approach may be a long-term goal, but there are steps you can take now:
- Remove access from any users who have left or no longer need it
- Check that users have only the privileges they need for their role
- Ensure that minimum administrator privileges are assigned and only where necessary
- Implement multi-factor authentication
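As an added example (not code from the original article), this script applies the four checks above to a constructed export of CMS user accounts and lists what to act on. The user fields, the job functions and the least-privilege policy table are assumptions; map them to your own CMS's user API and role model.

```python
from datetime import date

ROLE_RANK = {"subscriber": 0, "author": 1, "editor": 2, "administrator": 3}

# Assumed least-privilege policy: the highest role each job function needs.
MAX_ROLE_FOR_JOB = {"content": "editor", "developer": "administrator",
                    "it-support": "administrator", "marketing": "author"}

# Constructed user export with hypothetical field names.
USERS = [
    {"name": "alice", "job": "developer", "role": "administrator",
     "last_login": date(2024, 3, 2), "mfa": True, "employed": True},
    {"name": "bob", "job": "content", "role": "administrator",
     "last_login": date(2023, 6, 11), "mfa": False, "employed": True},
    {"name": "carol", "job": "content", "role": "editor",
     "last_login": date(2024, 2, 20), "mfa": True, "employed": False},
    {"name": "dave", "job": "marketing", "role": "author",
     "last_login": date(2024, 3, 1), "mfa": True, "employed": True},
]

def review_users(users, today, stale_days=90):
    """Return (user, finding) pairs for accounts that fail one of the checks."""
    findings = []
    for u in users:
        if not u["employed"]:
            findings.append((u["name"], "remove: user has left"))
            continue  # no need to assess privileges of an account being removed
        if (today - u["last_login"]).days > stale_days:
            findings.append((u["name"],
                             f"remove or confirm: no login in {stale_days} days"))
        allowed = MAX_ROLE_FOR_JOB[u["job"]]
        if ROLE_RANK[u["role"]] > ROLE_RANK[allowed]:
            findings.append((u["name"],
                             f"reduce: {u['role']} exceeds {allowed} for {u['job']}"))
        if not u["mfa"]:
            findings.append((u["name"], "enforce: multi-factor authentication off"))
    return findings

if __name__ == "__main__":
    for name, finding in review_users(USERS, date.today()):
        print(f"{name:8} {finding}")
```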