Website Compliance

The requirements for running a successful website, even a basic one, are more complex than ever, and that’s before considering the legal and security requirements!

Layer the need to keep cyber criminals from turning your website to their own ends on top of legal and regulatory requirements such as the UK-GDPR, and you quickly have a recipe for a headache.

Website security and compliance just got easier!

Shout Cyber provides business owners, web designers and marketing managers with peace of mind through our Website Compliance service. This simple and effective service provides you with:

  • A discovery consultation to discuss the design and functionality of your website to tailor our approach.
  • Tailored policies to fit your website, including a Privacy Notice, Terms of Use and Cookies Notice.
  • A basic website security review that checks your site’s security, providing you with clear recommendations and assistance to resolve any issues identified.
  • Review and implementation of a Cookie management solution for your website.

Regular, automated security scans

Shout Cyber now offers automated monthly vulnerability scanning services for your website, providing you with up-to-date information about the state of your website and any newly detected weaknesses so you can act fast before someone else does.

The Challenges:

Is your website secure and legally compliant, and does it provide visitors with all the required information and give them control over cookies? Let’s explore some of the challenging requirements faced when running a business website.

Ensuring your website is compliant with the necessary legal and regulatory requirements can be challenging. We outline the most common requirements below:

Data Protection Act 2018 (UK-GDPR)

Websites collecting personal data must comply with the UK-GDPR. This includes providing visitors to your website with information about the processing activities you undertake, the data subjects’ rights and other relevant information.

This information must be provided up-front, before the personal information is captured, and depending on your lawful basis you may need to obtain consent before processing their personal data.

Whilst it can be quite tempting to simply copy and paste a privacy notice from another website, the result is a notice that doesn’t reflect the activities of the website it has been copied to, may not contain all the information legally required, or, worse still, contains the details of the previous owner!

Even worse, many privacy notices are not written in a manner that is concise, transparent, intelligible and easily accessible, nor do they use clear and plain language. This makes the notices hard to understand and can erode trust in a website.

Shout Cyber’s privacy notice has been designed to help visitors quickly understand how you will use their personal information, their rights and other relevant information, in line with UK-GDPR requirements and the ICO’s recommendations. If you want a preview, check out our own privacy notice!


Privacy and Electronic Communications Regulations (PECR)

PECR sits alongside the UK-GDPR and provides specific rights to individuals in relation to electronic communications, for example:

  • Marketing calls, emails, texts, etc.
  • Cookies (and similar technologies)

Cookies are frequently used on websites to help track user activity, and they often provide functionality that is essential for a website to operate. Whilst this is fine, any cookies used for non-essential activities must be managed carefully. The basic rules for cookies are:

  • tell people the cookies are there
  • explain what the cookie is doing, and why
  • obtain the person’s consent before storing any non-essential cookies on their device.

Shout Cyber helps ensure that your website provides all the necessary information and is configured so that cookies are managed correctly.


Payment Card Industry Data Security Standard (PCI-DSS)

The PCI-DSS standard was developed to increase security around card payments and reduce the risk of card fraud.

Websites accepting card payments face a range of threats from cyber criminals seeking to redirect payments or steal the information entered into payment pages. For these reasons, websites accepting payments must implement PCI-DSS controls and use secure services to accept payments.

Keeping your website secure

Cyber criminals look at websites for a number of different reasons, so keeping your site protected against harm requires a holistic view of your website, its content, and how it is configured and managed. Some of the most common challenges include:

What does your website tell a cyber criminal?

Cyber criminals love websites because they can often use them to identify potential targets or information about your business. For example, you may have left a personal email address or telephone number on a contact page or in the footer, which could be used to send phishing emails to you.

Or you may have a company team page with links to bios for staff members, which may be useful for identifying people in the organisation to impersonate or target. For example, have you ever received an email from your CEO’s ‘home’ email address asking if you can make an urgent payment? Well, if you’re listed on the Meet the Team page as someone who may handle payments, chances are this is one of the ways you were identified as a target.

Updates and Vulnerabilities

Most common website platforms are now built on a Content Management System (CMS), such as WordPress, Joomla or similar. These make websites easier to build and manage, but just like any software they need to be regularly maintained and updated to keep the website secure, as cyber criminals regularly discover and exploit vulnerabilities in website systems.

To compound this issue, many CMS platforms use a range of integrations and add-ons to make websites run faster, embed certain features or link to other sites. These add another layer of updates that need to be applied regularly.

Failure to update your website regularly leaves unpatched weaknesses that attackers can exploit. This could lead to a data breach; see, for example, the ICO enforcement notice against the Chartered Institute for Securities & Investment.

Shout Cyber checks that your site is fully up to date during our security check, and we provide guidance to ensure your website is kept regularly updated.

Secure configuration

Whilst a CMS like WordPress or Joomla makes it easy to create websites, it is not always secure out of the box, and additional configuration is commonly required to ensure your CMS and your website are not easily exploitable.

It may not just be your CMS that needs securing: settings outside your CMS, such as your hosting or domain management (your website address), can also introduce security weaknesses if not securely configured.

Cyber criminals regularly scan websites they come across for known weaknesses and for unchanged default or common login details, so having the basics covered is essential to putting up a good defence.

Shout Cyber works with you and your web development team to ensure your site is configured securely by checking common security settings.

The solution

Securing your website and ensuring you’re compliant with necessary legal & other requirements doesn’t have to be a chore.

Our website compliance service works collaboratively with your business in 3-4 easy steps.

Step 1:

Initial Discovery Call

We conduct an initial call to discuss your business and website. This step allows us to identify all the requirements for your website notices and to ask some basic questions about how your site is set up and managed, for example whether you work with a website team or website developer that we need to liaise with.

Step 2:

Tailored website documents creation

Once we have all the required information, we create your website documents or review your existing documents to ensure they are up to date. These are provided to you for review, and we will work with you to resolve any outstanding questions or details.

Once complete and signed off, these are provided to you or your website team or website developer to implement.

Step 3:

Website Security Check

We conduct basic security checks using a range of tools and methods depending on the website setup and hosting.

Once these are complete, we will provide you with details of the findings and provide you with recommendations and guidance on how to resolve any risks raised.

Depending on how your website is managed, this may involve working with your website team or website developer to put in place fixes.

Step 4:

(NEW) Optional Ongoing Security Checking

Vulnerabilities and risks change continuously as cyber criminals identify new weaknesses. This means that a website that was secure one month may not be secure the next.

That’s why Shout Cyber now offers regular security scans as an add-on to our Website Compliance service, which includes a monthly scan of your website, with alerts and guidance sent when a new risk is detected.

Choosing the right package is simple and based on the type of website you have.

Once you have chosen your package, register your interest with us through our contact us page and we will be in contact to confirm and arrange your discovery call.

*Please note, these scans are not conducted by a PCI-DSS verified scanner.

Are you a Website Designer or Developer?

If you’re a web designer and want to offer your customers tailored website policies and make sure the right security is in place from the get-go, contact us to find out more about partnerships and referral offers.