It's estimated that a business falls victim to a ransomware attack every 14 seconds and that the global annual cost of cybercrime is $6 trillion. By 2025, the annual cost worldwide could reach $10.5 trillion. From the smallest business to the largest tech giants, every size and type of company has suffered breaches. And it's not just financial costs. Brand damage and lost trust may never be restored - particularly if customers are put at risk. Read on to learn why your CMS could be your weakest link and three steps to take now to strengthen your defences.
Software development has changed beyond recognition over the last few decades. The rise of open-source software (OSS), distributed systems and hybrid cloud architectures combines to create complex, multi-layered ecosystems within every business. Protecting these ecosystems against cyber threats is challenging. Security needs to be built in at every level and constantly updated to match the threat landscape.
OSS comprises a large part of most modern software. It brings cost-savings, innovation, flexibility. And risk. OSS developers range from unpaid enthusiasts to teams in high-tech conglomerates. Some follow security best practices, others don't. Developers move on, leaving products unsupported. The lines of responsibility for managing and maintaining code (including security updates) are often blurred.
Any part of a supply chain can introduce risk, as demonstrated by the SolarWinds Orion attack. Bespoke developments too are vulnerable if developers don't adhere to best practices. Software reuse is a common practice, but code often becomes deeply embedded within applications, making maintenance hard. Software documentation may be incomplete or out-of-date.
Many companies use an open-source CMS, such as Drupal, Joomla, WordPress or Umbraco. And most enhance their CMS with plugins, 3rd-party products, bespoke extensions and integrations to other business-critical systems - expanding their attack surface. Customer-facing portals present additional security risks around identity-related attacks - another aspect to consider if the portals are created using the CMS.

Cybercriminals focus their efforts on websites using components with known vulnerabilities. Zero-day attacks get publicity, but many websites are breached through years-old flaws that businesses failed to patch. Businesses struggle to keep their CMS ecosystems up-to-date. Updates require analysis, regression testing and changes to other systems. And do you even know whether you're using a particular version of an obscure open-source library that needs patching?

A CMS often has many users, including content creators, managers, developers and IT support. A lack of suitable identity, authentication and access controls can open the door to hackers.
Every business has unique cybersecurity requirements, driven by factors such as its size, digital transformation journey, legacy systems, and data stored. A cybersecurity programme can cover a range of strategies, from zero trust and AI to penetration testing and user training. Wherever you are with your programme, here are three actions you can take now to shore up your CMS defences.
What you don't know can hurt you. Analyse your CMS ecosystem to create a list of its components and dependencies. Automated tools can help develop a comprehensive Software Bill of Materials (SBOM). With this foundation, analyse risks and prioritise mitigations. Do you have components from untrusted suppliers or that can't be fully evaluated? Can you remove or replace them? Check for outstanding security updates and plan implementation depending on the severity of the vulnerabilities they're fixing.
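The inventory-and-prioritise step above is easier to see in code. The following is an added example, not code from the original post or from any CMS project: it reads a small CycloneDX-style SBOM fragment, flags components that have no named supplier (the "can't be fully evaluated" case), matches the rest against an advisory list and ranks the outstanding updates by severity. The SBOM contents, component names and advisory identifiers are all constructed placeholders, and the version comparison assumes simple dotted numeric versions.

```python
import json
from typing import Dict, List

# Constructed CycloneDX-style SBOM fragment for a hypothetical CMS site.
# Component names and versions are made up for this example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "example-cms-core", "version": "9.4.2", "supplier": {"name": "Example CMS Project"}},
    {"name": "gallery-plugin", "version": "1.2.0", "supplier": {"name": "Example Plugins Ltd"}},
    {"name": "legacy-form-widget", "version": "0.9.1"},
    {"name": "image-resizer-lib", "version": "2.1.3", "supplier": {"name": "Example Libs"}}
  ]
}
"""

# Constructed advisory feed: placeholder identifiers, not real CVEs.
# "fixed_in" is the first version that is no longer affected.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "ADV-PLACEHOLDER-001", "component": "gallery-plugin", "fixed_in": "1.3.0", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-002", "component": "legacy-form-widget", "fixed_in": "1.0.0", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-003", "component": "image-resizer-lib", "fixed_in": "2.1.0", "severity": "medium"},
    {"id": "ADV-PLACEHOLDER-004", "component": "example-cms-core", "fixed_in": "9.4.3", "severity": "low"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(version: str) -> tuple:
    """Assumption: plain dotted numeric versions (e.g. '9.4.2')."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json: str) -> List[dict]:
    return json.loads(sbom_json)["components"]


def unevaluated_components(sbom_json: str) -> List[str]:
    """Components with no named supplier: they can't be fully evaluated and are
    the first candidates for removal or replacement."""
    return sorted(
        c["name"] for c in load_components(sbom_json)
        if not c.get("supplier", {}).get("name")
    )


def outstanding_updates(sbom_json: str, advisories: List[Dict[str, str]]) -> List[dict]:
    """Match installed components against advisories; an installed version below
    'fixed_in' is still affected. Results are ordered critical first."""
    installed = {c["name"]: c["version"] for c in load_components(sbom_json)}
    findings = []
    for adv in advisories:
        name = adv["component"]
        if name not in installed:
            continue  # advisory for something we don't run
        if parse_version(installed[name]) < parse_version(adv["fixed_in"]):
            findings.append({
                "component": name,
                "installed": installed[name],
                "fixed_in": adv["fixed_in"],
                "severity": adv["severity"],
                "advisory": adv["id"],
            })
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["component"]))
    return findings


if __name__ == "__main__":
    print("Cannot be fully evaluated:", unevaluated_components(SBOM_JSON))
    for f in outstanding_updates(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:8} {f['component']} {f['installed']} -> {f['fixed_in']} ({f['advisory']})")
```

Real advisory feeds express affected ranges rather than a single fixed version, and real SBOMs are far larger, but the shape of the triage is the same: an authoritative inventory, a feed to compare it against, and an ordering that puts the critical items at the top of the patch plan.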
If your systems are paralysed by a ransomware attack, can you rely on your backups to restore business-critical data? In many cases, the discovery of a missing component or backup failure is only made when it's too late. With the complexity of modern systems and hybrid cloud architectures, it's critical to assess where data is stored, what must be backed up and how frequently. Test your CMS backups to check integrity and completeness - and ensure you can recover your data when and where you need it.
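Testing a backup for integrity and completeness, as the paragraph above recommends, comes down to three checks: the archive hashes to what the backup job recorded, every path the CMS needs to come back is present, and a trial restore actually yields readable files. The following added example (not from the original post) builds a small constructed backup archive, verifies it, and then shows the two failure modes a test should catch: a backup job that silently skipped a path, and an archive that changed after its manifest was written. The required paths, file contents and manifest format are assumptions for this example.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

# Paths a complete backup of our hypothetical CMS must contain (constructed).
REQUIRED_PATHS = ("database/cms.sql", "config/settings.php", "uploads/logo.png")

# Constructed file contents standing in for a database dump, config and an upload.
SAMPLE_CONTENTS = {
    "database/cms.sql": b"-- constructed dump\nCREATE TABLE node (id INT);\n",
    "config/settings.php": b"<?php $databases = []; // constructed\n",
    "uploads/logo.png": b"\x89PNG placeholder bytes",
}


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_sample_backup(workdir: Path, omit=()) -> tuple:
    """Write a constructed backup archive and a manifest recording its SHA-256.
    `omit` simulates a backup job that silently skipped a path."""
    workdir.mkdir(parents=True, exist_ok=True)
    archive = workdir / "cms-backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for name, data in SAMPLE_CONTENTS.items():
            if name in omit:
                continue
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = workdir / "cms-backup.manifest.json"
    manifest.write_text(json.dumps({"archive": archive.name, "sha256": sha256_of(archive)}))
    return archive, manifest


def verify_backup(archive: Path, manifest: Path, required=REQUIRED_PATHS) -> dict:
    """Integrity: hash matches the manifest. Completeness: required paths present.
    Recoverability: trial-restore the required files into scratch space and check
    each one is non-empty. Stops at the first failing stage."""
    expected = json.loads(manifest.read_text())["sha256"]
    result = {"integrity_ok": sha256_of(archive) == expected, "missing": [], "restore_ok": False}
    if not result["integrity_ok"]:
        return result
    with tarfile.open(archive, "r:gz") as tar:
        present = set(tar.getnames())
        result["missing"] = [p for p in required if p not in present]
        if result["missing"]:
            return result
        with tempfile.TemporaryDirectory() as scratch:
            for p in required:  # only the paths we control, so no traversal concern
                target = Path(scratch) / p
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tar.extractfile(p).read())
            result["restore_ok"] = all((Path(scratch) / p).stat().st_size > 0 for p in required)
    return result


def run_checks() -> dict:
    """Exercise a good backup plus the two failure modes worth testing for."""
    with tempfile.TemporaryDirectory() as d:
        work = Path(d)
        good = verify_backup(*build_sample_backup(work / "good"))
        incomplete = verify_backup(*build_sample_backup(work / "incomplete", omit=("uploads/logo.png",)))
        archive, manifest = build_sample_backup(work / "tampered")
        with archive.open("ab") as fh:
            fh.write(b"\x00")  # archive changed after the manifest was written
        tampered = verify_backup(archive, manifest)
    return {"good": good, "incomplete": incomplete, "tampered": tampered}


if __name__ == "__main__":
    for label, outcome in run_checks().items():
        print(f"{label:10} {outcome}")
```

In production the same three checks run on a schedule against the real archive and its off-site copy, and the required-path list comes from the CMS's own layout (database dump, configuration, uploaded media, any custom modules); a scheduled restore into a scratch environment is the only way to know the recovery actually works before it's needed.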