Why Security Updates Matter

18 May | by Freya Swenson

You may consider security updates to your website a bugbear (excuse the pun), a budget-consuming activity, but they can save you a lot of hassle and huge costs in the long run.

Every website will need security updates at some point, because code is always being worked on and improved, making it better both for those using the website at the front and for those behind it in the CMS (content management system). In fact, consider it a good sign if you get regular updates: it gives you peace of mind that somewhere in the world someone is constantly finding ways to beat the hackers on your behalf.

The nasty hackers we’re referring to are black-hat hackers, and they aren’t nice people at all. Black-hat means they look for weaknesses and vulnerabilities to exploit people and take what they can, sometimes for money and sometimes for the sheer ‘fun’ of it. White-hat hackers, on the other hand, look for the same weaknesses and vulnerabilities, but as a way to make things better for others. When they find an issue, they tell others about it and find fixes (patches) to eliminate the weakness.

You can think of white-hat people as those random but kind strangers who point out that your label is sticking out of the top of your t-shirt: they don’t have to tell you, but they do it to be nice and make your life nicer (you don’t want to be showing people your label all day, do you?). Black-hat hackers, however, are like schoolground bullies: they take joy from picking on people and pointing out their weaknesses. This is why SMEs especially need to be focused on security updates: black-hat hackers assume SMEs won’t have the manpower behind them to stay up to date, so they can still exploit them in some way or another, and they have even developed bots that scour the internet looking for them.

Still with me and my ‘interesting’ analogies? Great, because now I’ll talk about what happens if you DON’T keep your website up to date.

Without scaremongering you, if you’ve got known vulnerabilities on your website, it’s like leaving your shop till open. People might walk by and take nothing, but a few may take some or all of the money, and when that happens, it’s bad news. The types of things hackers can and will do are:

  • Public graffiti: changing your content to something offensive
  • Stealing data: names, addresses, bank card details, anything that gets put on the site by you or your clients
  • Phishing: using the stolen data to gain even more access, such as to email accounts
  • DDoS: using your website and IT to further attack others (and make it look like it’s you being the black-hat)
  • Interception: selling the data they’ve stolen to others
  • Content injection: adding URL links to your website to promote other websites (that you really wouldn’t want to be associated with)

Should any of this happen, you might annoy, or even worse lose, your clients or future clients, and get your name in the news (for the wrong reasons), but worst of all, you might gain the attention of the ICO (Information Commissioner's Office).

The ICO can and has issued fines in the £100,000 region, and it doesn’t just focus on big companies: it looks at charities, governments and companies of all sizes. If the ICO deems you to have had a data security incident, it will hit you where it hurts: in your back pocket.

At Rixxo, we’ve heard a variety of reasons why people don't stay on top of their security updates, and we understand where they come from; that’s why we take the pain away so you can keep doing what you do best and increasing your profits. Within your monthly support hours, we will notify you if there are any critical security updates, perform the updates and then notify you when they have happened. We find updates tend to take between 1 and 3 hours depending on their size and complexity.

To make things more cost effective for you, we break the updates down into two categories:

  • Critical: it’s a security concern and a known vulnerability
  • Non-critical: an update that should happen soon, but it’s not a high security concern if it’s slightly delayed, e.g. an update to a plugin or theme, say PayPal updating to use SSLv3

Critical security updates tend to happen on average every other month (and need to be picked up ASAP) and non-critical ones every month. As with deployments, we will look to perform these updates on a Monday, Tuesday, Wednesday or Thursday morning, as it means we’re on hand should something go wrong and the update needs to be reverted. During 2017, Magento published 7 critical security updates, and 6 in 2016.

On rare occasions, we will need to revert an update, as it may not play well with others and could ‘break’ a plugin. If that happens, we’ll liaise with you, find a fix and get the deployment back out ASAP.

If security updates are a concern of yours, speak to our team about how we can help you.