Cyber security essentials for websites

Digital Maturity —

[Image: hands typing on a laptop; the screen is visible and shows designs in progress]

Breaking down the essentials of website security into three pillars that every digital team should understand

When most people think about cyber security, they picture hooded figures in dark rooms and lines of green code streaming down a screen. We can thank stock image libraries for that impression. The reality is that most hackers aren’t tech wizards. The most common cyber-attacks are the digital equivalent of checking if someone left their front door unlocked. All too often, it is.

If you work in a digital or marketing team at a charity, museum, university or public body, cyber security might feel a bit out of your wheelhouse. But your website is one of your organisation’s most prominent public-facing assets, and the people who manage it, publish content to it, and log in to its CMS every day are a crucial part of keeping it secure.

This article is written for those teams. You don’t need to be a security expert to make a real difference. By understanding three key pillars of website security, your people, your web application, and your hosting, you can dramatically reduce your risk and ask the right questions of the specialists who support you.

An attack is just a matter of time

Public and purpose-driven organisations are increasingly targeted by cyber criminals. The reasons are straightforward: these organisations hold valuable data, from donor information and student records to personnel files and payment details, and they often lack the security budgets of large commercial enterprises. Attackers see them as softer targets with high-value information.

The consequences of a successful attack are devastating and far-reaching. You might have to rebuild your entire technology infrastructure from scratch. You could face months of disruption to your core services. And you are legally liable for the personal data you hold, meaning a breach can bring regulatory scrutiny and reputational damage that takes years to recover from.

In October 2023, the British Library suffered what has been described as one of the worst cyber incidents in British history. A ransomware group infiltrated their network, encrypted their systems, and demanded around £596,000 worth of Bitcoin to restore access. When the Library refused to pay, their online catalogue, digital services, ticketing, reader registrations and phone systems were all knocked offline. It took months for even basic services to return. Their website was down for over a year, and even now, three years on, they are still working to restore full functionality. 

The ICO’s investigation concluded that the attack succeeded because of a lack of multi-factor authentication on an administrator account. The British Library had implemented MFA for some systems in 2020, but for reasons of cost and practicality, left their on-premises servers out of scope.

Just over a year later, in December 2024, the National Museum of the Royal Navy was hit by a ransomware attack of its own. Overnight, the museum’s entire digital infrastructure, from ticketing systems to collections databases, was encrypted and rendered unusable. The museum’s collections management system didn’t return until March 2025, and some systems are still being rebuilt months later.

The museum had already begun strengthening its security following the British Library incident, but the improvements weren’t completed in time. It’s a painful reminder that these attacks don’t wait for you to be ready.

These aren’t isolated incidents. Museums, government bodies, universities and charities across the UK, and internationally, are being targeted with increasing frequency. Cyber-attacks on public institutions are no longer rare events. The cost of recovery, both financially and in terms of disruption to your mission, dwarfs the cost of prevention. It’s a question of when, not if, your site will be attacked, so it pays to be ready.  

The three pillars of website security

Website security can feel overwhelmingly complex. You’ll typically hear a lot of terms like ‘attack vectors’ and ‘zero-day exploits’ that leave you with more questions than answers.

We find it helps to break it down into three pillars: your people, your web application, and your hosting. Each pillar has its own set of risks and its own set of practical measures you can put in place. Get all three right, and you’ve built a strong foundation. Leave any one of them weak, and it doesn’t matter how strong the others are.

To paraphrase the IRA (not something we ever thought we’d say): They only have to be lucky once. You have to be lucky always, so never leave it up to luck.  

Pillar one: your people

People are the weakest link in any security chain. Humans make mistakes, reuse passwords, click on phishing links, and share accounts when they shouldn’t.  

Attackers know this, and exploiting weaknesses in logins is one of the most common ways they get in. Here's what every organisation should have in place:

Multi-factor authentication on everything

MFA should be enforced on every account, without exception. That means your CMS, your hosting platform, your email, your project management tools, everything.  

This is probably the single most impactful thing you can do to improve your security posture, and a key lesson from the British Library’s attack. Don’t make the same mistake they did.   

Strong passwords and password managers

Every account should have a unique, strong password stored in a password manager. No exceptions, no sticky notes, no shared spreadsheets. Accounts should never be shared between team members. When someone leaves the organisation, their access should be revoked immediately. 

Single sign-on

Where possible, use single sign-on (SSO) to centralise your authentication. SSO means your team logs in once through a single, well-secured identity provider, which then grants access to all the systems they need. This reduces the number of separate logins that could be compromised, and makes it far easier to enforce strong security policies like MFA across the board. To use the jargon, it shrinks the number of possible ‘attack vectors’. It also means that when someone leaves, you can revoke their access to everything in one place. 

The principle of least privilege

Every person should only have the level of access they need to do their job, and no more. Content editors don’t need administrator privileges. If someone only publishes blog posts, they shouldn’t have access to site configuration. This principle, known as ‘least privilege’, limits the damage an attacker can do if they compromise any single account. The number of people with full administrator access should be kept to an absolute minimum, and every one of those individuals should be trained in security best practices.

This applies at every level and on every service, not just your CMS, but your hosting, your analytics, your email marketing platform, everything.  
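The checks in this pillar (MFA on every account, no shared logins, leavers revoked promptly, as few administrators as possible) are easy to state and easy to let slip. As an added example that is not the article’s own code or tooling, here is a small audit script over an export of CMS accounts. The account fields, the role name `administrator`, the list of usernames that suggest a shared login, and the sample accounts themselves are all constructed assumptions; most CMSs can export the equivalent data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    """One row of a CMS user export (the fields are assumptions about what your CMS can export)."""
    username: str
    roles: tuple        # role names granted in the CMS
    mfa_enabled: bool
    last_login: date
    has_left: bool      # the HR leavers list says this person no longer works here


# Constructed sample export: these are not real accounts.
SAMPLE_ACCOUNTS = [
    Account("j.smith", ("administrator",), True, date(2025, 5, 20), False),
    Account("a.khan", ("administrator",), False, date(2025, 5, 18), False),
    Account("marketing", ("content_editor",), False, date(2025, 5, 19), False),  # shared team login
    Account("p.jones", ("content_editor",), True, date(2024, 9, 1), True),        # left, never revoked
    Account("r.lee", ("administrator", "content_editor"), True, date(2025, 5, 1), False),
]
SAMPLE_TODAY = date(2025, 5, 21)   # constructed "today" so the example is reproducible

# Usernames that suggest a login shared between people rather than owned by one person.
SHARED_LOGIN_NAMES = {"admin", "marketing", "comms", "editor", "web", "info"}


def audit_accounts(accounts, today, max_admins=2, stale_days=90):
    """Return a list of human-readable findings; an empty list means the export passed."""
    findings = []

    # Least privilege: how many people hold full administrator access?
    admins = [a.username for a in accounts if "administrator" in a.roles]
    if len(admins) > max_admins:
        findings.append(
            f"{len(admins)} accounts hold the administrator role "
            f"({', '.join(admins)}); agreed maximum is {max_admins}"
        )

    for a in accounts:
        if not a.mfa_enabled:
            findings.append(f"{a.username}: MFA not enabled")
        if a.username.lower() in SHARED_LOGIN_NAMES:
            findings.append(f"{a.username}: looks like a shared team login")
        if a.has_left:
            findings.append(f"{a.username}: person has left but the account is still active")
        elif (today - a.last_login).days > stale_days:
            findings.append(f"{a.username}: no login for more than {stale_days} days")
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY):
        print("-", finding)
```

Run against the sample export it reports the three administrators, two accounts without MFA, the shared `marketing` login and the leaver whose access was never revoked. Running something like this on a schedule, against every service in the estate rather than just the CMS, turns the principle into a check someone actually does.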

Pillar two: your web application

Your website’s codebase is the second major area to secure. Even with perfect password hygiene and the most security-conscious team in the world, vulnerabilities in the software that powers your site can be exploited.  

If your website is managed by an external agency, this part of the equation will be up to them. Although you won’t need to action these points yourself, it helps to understand what your web agency should be doing to keep your site safe, so you can ask the right questions and make the right procurement decisions. Here are some of the ways we ensure our clients’ sites are kept secure:

Stay on top of security advisories 

Every piece of software has vulnerabilities. What matters is how quickly they’re discovered, reported, and patched. You need a process for monitoring the security advisories of every technology and software package your site uses, and for applying fixes promptly when they’re released.

We work extensively with Drupal, and this is an area where it excels. Drupal has a dedicated security team, who triage vulnerabilities privately and publish advisories on a regular schedule. Each advisory is scored by severity, and for moderate to highly critical issues, patches are made available immediately.

We monitor Drupal’s security releases closely and apply critical fixes to our partners’ sites as a matter of urgency. This kind of proactive monitoring should be a non-negotiable part of your website maintenance. 

Regular code analysis and penetration testing

Alongside monitoring for known vulnerabilities, you (or your agency) should run regular static analysis on your website’s source code to identify potential security weaknesses before they can be exploited. We also recommend penetration testing at the end of development or after major development cycles. Penetration testing works by simulating real attacks against your site, running through known exploits, attempting DDoS attacks, and probing for weaknesses across your setup. We use external tools like Detectify for this, ensuring an independent assessment of our partners’ sites.

Protect your forms and endpoints

Every web form on your site should have CAPTCHA validation to prevent bot submissions and spam, along with CSRF (cross-site request forgery) protection to stop malicious requests being made on behalf of legitimate users. It’s also critical to implement a content security policy on the front end of your site, ensuring that only content from trusted domains can be loaded. This should be locked down entirely on sensitive pages like login screens.
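To make the CSRF and content-security-policy points concrete, here is an added example (not code from the article, and not how any particular CMS implements it) of a session-bound CSRF token and a CSP builder that is fully locked down on the login page. The secret is generated at start-up purely so the snippet runs stand-alone; the token format, the one-hour lifetime and the directive choices are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: in real code this comes from configuration. Generated here so the example runs
# stand-alone; a real application never hard-codes or regenerates it per request.
CSRF_SECRET = secrets.token_bytes(32)
CSRF_TTL_SECONDS = 3600


def issue_csrf_token(session_id, now=None, secret=CSRF_SECRET):
    """Mint a token bound to the caller's session. Format: issued_at:nonce:hmac."""
    issued = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    message = f"{session_id}|{issued}|{nonce}".encode()
    signature = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return f"{issued}:{nonce}:{signature}"


def verify_csrf_token(token, session_id, now=None, ttl=CSRF_TTL_SECONDS, secret=CSRF_SECRET):
    """True only if we minted the token, for this session, and it has not expired."""
    current = int(time.time()) if now is None else now
    try:
        issued_text, nonce, signature = token.split(":")
        issued = int(issued_text)
    except (AttributeError, ValueError):
        return False            # missing or malformed token
    if issued > current or current - issued > ttl:
        return False            # expired, or claims to be issued in the future
    message = f"{session_id}|{issued}|{nonce}".encode()
    expected = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)   # constant-time comparison


def handle_form_post(form_fields, session_id, now=None):
    """Reject the submission unless it carries a valid token for this session."""
    token = form_fields.get("csrf_token")
    if not verify_csrf_token(token, session_id, now=now):
        return 403, "rejected: missing or invalid CSRF token"
    return 200, "accepted"


def content_security_policy(page_kind, trusted_domains=()):
    """Build a CSP header value: nothing third-party on login pages, trusted domains only elsewhere."""
    if page_kind == "login":
        return ("default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; "
                "form-action 'self'; frame-ancestors 'none'; base-uri 'self'")
    sources = " ".join(("'self'",) + tuple(trusted_domains))
    return (f"default-src 'self'; script-src {sources}; img-src {sources} data:; "
            f"connect-src {sources}; frame-ancestors 'none'; base-uri 'self'")
```

The token is tied to the session through the HMAC, so a token captured from one user is useless for a request made as another, and `compare_digest` avoids leaking anything through timing. The login-page policy forbids every third-party origin, which is what “locked down entirely” looks like in practice.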

One area we’re increasingly concerned about is the security of bespoke API endpoints. CMS-provided endpoints typically have layers of permissions and authentication built in by the platform. But custom or bespoke endpoints need the same careful consideration, and too often they don’t get it.

This is becoming more prevalent with the rise of AI-assisted coding, where developers can generate functional code quickly but may not give sufficient thought to security. We’ve seen headless CMS setups where user data is easily accessible through poorly protected APIs. Every endpoint on your site needs authentication, appropriate permission levels, and careful thought about what data it exposes. 
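The bespoke-endpoint problem is easiest to see side by side. The following is an added example, not code from the article or from any CMS: an unprotected profile endpoint of the kind described above, next to a hardened version that checks authentication, then authorisation, and then serialises only a small allowlist of fields. The user table, role names and the permission name `administer users` are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    uid: int
    name: str
    email: str
    password_hash: str
    roles: set = field(default_factory=set)


# Constructed sample user table; the hashes are placeholders, not real credentials.
USERS = {
    1: User(1, "site-admin", "admin@example.org", "<hash placeholder>", {"administrator"}),
    2: User(2, "alice", "alice@example.org", "<hash placeholder>", {"content_editor"}),
    3: User(3, "bob", "bob@example.org", "<hash placeholder>", {"content_editor"}),
}

# Which role grants which permission (assumed, Drupal-style permission name).
ROLE_PERMISSIONS = {
    "administrator": {"administer users"},
    "content_editor": set(),
}


def has_permission(user, permission):
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def profile_endpoint_unprotected(uid):
    """The pattern the article warns about: no caller identity, whole record serialised."""
    user = USERS.get(uid)
    if user is None:
        return 404, {"error": "not found"}
    return 200, vars(user)          # leaks email, roles and the password hash to anyone


# Fields a user may see about themselves; nothing else is ever serialised, even for admins.
OWNER_FIELDS = ("uid", "name", "email")


def profile_endpoint_hardened(uid, caller):
    """Authentication, then authorisation, then a deliberately small response."""
    if caller is None:
        return 401, {"error": "authentication required"}
    # Authorise before looking up the target, so unauthorised callers cannot use the
    # 200/404 difference to work out which user ids exist.
    if caller.uid != uid and not has_permission(caller, "administer users"):
        return 403, {"error": "forbidden"}
    target = USERS.get(uid)
    if target is None:
        return 404, {"error": "not found"}
    return 200, {name: getattr(target, name) for name in OWNER_FIELDS}
```

The three questions the hardened version answers, in order, are the ones to ask of every custom endpoint: who is calling, are they allowed to see this particular record, and what exactly is being sent back.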

A security community through open source

There’s a common misconception that proprietary software is inherently more secure because its code is hidden. In practice, the opposite is often true. Open-source platforms like Drupal have their code scrutinised by a global community of developers. Vulnerabilities are found faster because there are more eyes looking for them. And because the community has no commercial incentive to hide problems, issues are reported transparently and patches are developed collaboratively.

With Drupal, we only use community-built modules that are covered by the security advisory policy. This means they’ve been vetted by the community as meeting security standards. By the time an advisory is published, there’s already a fix in place. That combination of transparency, community oversight and rigorous process is a genuine security advantage. 

Pillar three: your hosting

Your hosting infrastructure is as much of an attack vector as the website running on it. You’ve got to secure the right partners at every stage, because even the most carefully coded and well-managed website can be compromised through its hosting environment.

Choose a secure hosting provider

We use Upsun (formerly Platform.sh) as our standard hosting provider. They hold certifications across data security and cloud security, including PCI DSS Level 1 compliance and SOC 2 Type 2 certification, as well as compliance with GDPR.  

These give us confidence that both our partners’ data and the infrastructure on which applications run are secure, including the web servers and all supporting services.

Securing hosting is as much of a challenge as securing the software, so working with a provider that takes this seriously allows us to focus our energy on the web application layer, knowing that the underlying infrastructure is in safe hands.  

Customer environments on Upsun are deployed in read-only instances, segregated with encrypted tunnels and protected by TLS encryption. The production file system being read-only is particularly important, as it prevents attackers from placing and running malicious scripts on your live environment.

Every request should be served over HTTPS, and all data should be encrypted in transit. This is table stakes for any modern website, and your hosting provider should handle TLS certificates automatically.

When evaluating any hosting provider, ask for their cloud security accreditations. Ensure they handle regular backups that can be restored for rollbacks in case of compromise. Make sure all non-public routes on the file system are inaccessible from the web, as this prevents malicious actors from exploring your code and finding ways to exploit it.

Use a web application firewall

A web application firewall (WAF) acts as your first line of defence against malicious traffic. We use Cloudflare across most of our partners’ sites, and it plays a crucial role in our security setup. We deploy rulesets that block known exploits and malicious request patterns upstream, before they ever reach the server. We monitor and challenge suspicious request patterns to block bots that don’t identify themselves. And we can quickly implement bespoke rules for individual sites and adjust IP block lists without needing to redeploy.

For high-security sites, we also apply IP whitelists to the admin areas, restricting CMS access to known VPN addresses so that login attempts from unknown sources are blocked before they even reach the site. 
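The two kinds of WAF rule described here, an admin-area IP allowlist and a challenge for sources hammering the login form, can be modelled in a few lines. This is an added example written for this article, not the agency’s Cloudflare configuration: the admin paths are Drupal-style assumptions, the IP addresses are documentation ranges standing in for a VPN and for outside clients, the attempt threshold is arbitrary, and the access-log excerpt is constructed.

```python
import ipaddress
from collections import Counter

# Assumptions: Drupal-style admin paths; a constructed documentation range standing in for
# the organisation's VPN egress addresses; an arbitrary per-source attempt threshold.
ADMIN_PATH_PREFIXES = ("/user/login", "/admin")
VPN_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]
LOGIN_ATTEMPT_LIMIT = 5

# Constructed access-log excerpt, one request per line: "client_ip method path status".
SAMPLE_LOG = """\
203.0.113.10 GET /news 200
203.0.113.10 POST /user/login 403
203.0.113.10 POST /user/login 403
203.0.113.10 POST /user/login 403
203.0.113.10 POST /user/login 403
203.0.113.10 POST /user/login 403
203.0.113.10 POST /user/login 403
198.51.100.7 GET /admin/content 200
192.0.2.44 GET /admin/config 200
192.0.2.45 GET /contact 200
"""


def is_admin_path(path):
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PATH_PREFIXES)


def decide(path, src_ip, attempts_so_far, admin_allowlist=None):
    """Return 'block', 'challenge' or 'allow' for one request.

    admin_allowlist=None models an ordinary site; pass VPN_ALLOWLIST for a high-security
    site whose admin area is restricted to known VPN addresses.
    """
    ip = ipaddress.ip_address(src_ip)
    if admin_allowlist is not None and is_admin_path(path):
        if not any(ip in net for net in admin_allowlist):
            return "block"          # never reaches the CMS at all
    if path.startswith("/user/login") and attempts_so_far >= LOGIN_ATTEMPT_LIMIT:
        return "challenge"          # e.g. serve a managed challenge instead of the form
    return "allow"


def replay_log(log_text, admin_allowlist=None):
    """Run every line through the policy; returns a list of (ip, path, decision)."""
    login_attempts = Counter()
    results = []
    for line in log_text.splitlines():
        src_ip, _method, path, _status = line.split()
        decision = decide(path, src_ip, login_attempts[src_ip], admin_allowlist)
        results.append((src_ip, path, decision))
        if path.startswith("/user/login"):
            login_attempts[src_ip] += 1
    return results


def summarise(results):
    """Count decisions, e.g. Counter({'allow': 9, 'challenge': 1})."""
    return Counter(decision for _, _, decision in results)


if __name__ == "__main__":
    print("ordinary site:     ", dict(summarise(replay_log(SAMPLE_LOG))))
    print("high-security site:", dict(summarise(replay_log(SAMPLE_LOG, VPN_ALLOWLIST))))
```

On the ordinary configuration the sixth login attempt from the same address is challenged; with the allowlist in force every admin request from outside the VPN range is blocked outright, while the request from the VPN address goes through. Either way the decision is made before the request reaches the server, which is the point of doing it in the WAF.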

Asking the right questions

You don’t need to be a cyber security expert to hold your suppliers and your organisation to account. The right questions go a long way.

Ask your hosting provider for their cloud security accreditations and certifications. Are they SOC 2 compliant? PCI DSS certified? Is their infrastructure GDPR compliant? Do they provide regular automated backups with the ability to restore quickly?

Ask your web agency how they monitor and respond to security advisories for the technologies your site uses. When was the last penetration test carried out? Do they run static code analysis? Are all community modules covered by the CMS’s security advisory policy?

For your own team, and everyone in your organisation who touches your digital estate, you’re going to want to ask the basics: Is MFA enabled on all accounts? Are admin permissions being kept to the absolute minimum? Is everyone using a password manager? Are accounts being shared?

These questions will be revealing. You don’t need to be an expert, you just need a firm grasp of the basics and be willing to query things that don’t seem right.

Bringing the organisation along with you

You’re only as strong as your weakest link, and that link might not be on your team. You can (and should) put in place strong rules and enforcement for things like MFA, but you also need to educate people at the same time.

Make sure everyone is aware of your security policy. That might mean an all-staff call and baking it into your induction process. Help people understand why these measures exist, not just what the rules are. When people understand the consequences of a breach, they’re far more likely to follow security practices willingly rather than seeing them as inconvenient obstacles.

Get Cyber Essentials certified

One of the best things you can do is work towards Cyber Essentials certification. Developed by the NCSC (National Cyber Security Centre), Cyber Essentials is a UK government-backed scheme that provides a clear set of baseline security controls. Going through the certification process gives you a structured checklist to assess your organisation against, and it’s an excellent framework for identifying gaps you might not have spotted.

There are two levels. Cyber Essentials is a self-assessed certification covering five technical controls: firewalls, secure settings, access controls, malware protection, and software updates. Cyber Essentials Plus adds independent technical testing for a higher level of assurance. We are Cyber Essentials Plus certified, which is a valuable signal to look for in your own suppliers. 

Next steps

Cyber security can feel daunting, especially if you’re not a technical specialist. But the most important steps are often the simplest. Start with the basics: enforce MFA on all accounts, use a password manager, limit admin access to only those who need it, and make sure all software is kept up to date. These steps don’t need tech expertise. It just takes someone who is up for being proactive and curious.

Then look outward. Ask your hosting provider and web agency the right questions about how they handle security.

The NCSC’s website is an excellent free resource for organisations looking to improve their security posture, with guides tailored to different sizes and sectors. We’d recommend it as your first port of call for further reading.

If you’re concerned about the security of your current digital estate and think you need some help, we’d love to chat. Get in touch via [email protected] and let’s talk.