I need a holiday, where do I look? Your travel website? But is that website secure?

Websites are important for all businesses, but for the leisure and tourism sector being able to show photos of far-off places and boutique hotels is essential.

Photo of an aerial view of a beach

So, what would happen if your website couldn’t be updated?

Or if your payment system stole your customers' financial details?

Or if your booking system was compromised and that once-in-a-lifetime trip was transferred into someone else's name?


Reputational damage and financial issues.


What should I be aware of?

Passwords

Weak, reused, default passwords all could help an attacker get access to your web hosting or platform.

Within your web hosting they could redirect your webpage to another site, maybe pornography, or use it to create a phishing site which collects your customers' details.

Image showing something you know (password) and something you have (biometrics)
Two-factor authentication requires two things.

If they got into your content management system, such as Wix or WordPress, then they could delete your site, introduce malware on your pages, or block your access and blackmail you for its return.


Make sure your passwords are strong (unique and complex), use a password manager and enable 2FA.


Updates

Update button

Just like your devices, websites also need updating when new vulnerabilities are found, and patches released. Who is responsible for this with your website? You or your website company? Do you know?


If you are loading third party content (widgets/plugins) are you tracking them for updates or getting rid of them if they are no longer needed?


Users

Limit the number of people who have access to your website and social media.

Yes, you are on good terms with them now, but if you need to fire someone who has access to your site, could they post defamatory content or change the login details, so you don’t have access?


OWASP top 10

OWASP (Open Web Application Security Project) is a non-profit foundation that works to improve the security of software. They release the top ten most common vulnerabilities that are seen in websites. You can use this to see if your website is vulnerable to attack.


One of the affordable cyber services that the ECRC offers is a Web App Vulnerability assessment.


We use the OWASP top ten vulnerabilities to assess your web applications, and then you get a plain-language report about what was found and, if there are weaknesses, guidance on how these can be addressed. We can work with your web developer or IT team to support them in putting remediation in place.


The findings are colour coded: red means you need to take immediate action, orange marks those you should look to improve, and green means no vulnerability was found.

Table showing the top 10 in a report format

We say that these are affordable because they truly are.


The services are carried out by paid university students who are trained and mentored by a senior ethical hacker, to ensure the work is carried out to a high standard.


The cost is dependent on the structure and complexity of the application, but you can get a no obligation quote if you are interested in exploring this further.


Your IT company may offer this service, but just consider if you should be getting them to check their own homework. An independent view might be more appropriate.


Further guidance & support

The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the aim of increasing cyber resilience of SMEs within the East of England.

You can contact the Cyber Resilience Centre for guidance and support through our e-mail enquiries@ecrcentre.co.uk or use our online booking system to make an appointment with one of our team.

We also provide free guidance on our website and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news, and security updates. Our core membership has been tailored for businesses and charities of all sizes who are based across the seven counties in the East of England.


Policing led - business focussed
