The following are what we would recommend to all customers. Depending on the value and type of data you collect, you may choose to adjust the recommended times to suit.

1. Get a pen test – yearly A penetration test (pen test) is carried out by an independent third party who is skilled in finding weaknesses and vulnerabilities in the code and server configuration. We always recommend an independent agency on completion of a website / app build and you should also consider an annual review or one if there have been significant code changes. We partner with PenTest companies and can help arrange this for you.

2. Review CMS admin access – quarterly A review of who has admin access to your CMS or other back office system. Do they still need access? Do they need Admin access or could they be downgraded to a User level?

3. Audit all users – every 6 months A spring clean (or even a quarterly clean) of all users who have access to your CMS or back office system should be carried out. Do they still require access? Are their details up to date? When did they last login? All important questions to ask. If you have a Leaver Policy, you may want to add removing them from your systems as a checklist item to complete upon their departure.

4. Use 2 Factor Auth Simply put, 2 Factor Auth (2FA) requires a random, constantly changing code, to be hosted on an app on your phone. Once you have entered your email and password details, you will need to go on to your 2FA app to generate a unique code to enter in order to gain access. Whilst you’re here, if you have 2FA, have you checked to make sure old devices have been removed?

5. Use a password manager We’ve all been guilty of using the same password more than once, or using a fairly obvious increment like ‘Sunsh1ne’, ‘Sunsh2ne’, etc, etc. There really is no need to use passwords like these anymore, when you can use a password manager to securely store your passwords and auto-fill them on your websites. We use 1Password which works really well for our needs, but there are many other services out there.

6. Have a minimum password standard The more complicated the password, the longer it takes to hack. A combination of upper and lower case, special characters, numbers and punctuation make for a stronger password. And if you’re using a password manager (see no. 5) you won’t need to worry about remembering them.

7. Check if you’ve been Pwned Have I Been Pwned allows you to search across multiple data breaches to see if your email address or phone number has been compromised. Again, this isn’t such a big problem if you’ve used different passwords for all your accounts. If you have been guilty of reusing passwords, a regular check on this site to see which may have been compromised is worth five minutes of your time.

8. Carry out general updates Here’s one for us to do (and we often do it without you knowing). Keep all your software, packages and plugins up to date with the latest security updates and patches. A lot of times these will happen in the background, sometimes they require more thorough implementation and significant testing.

Almost daily, we hear about more data breaches, even from some of the world’s biggest – and you would have thought, most secure – companies. So there’s never been a better, and perhaps more urgent, time in which to take responsibility for and tighten up your security options. We can’t stress enough the importance of reviewing the points above in relation to your websites, to see how you stack up. You could prevent a whole lot of heartache. 

If you have any questions or need any help, just get in touch. We’d love to talk through and alleviate your concerns.