- We frequently update all our web hosting servers to use the latest software, including security and bug-fix releases
- Serious security threats are patched on the servers as soon as possible
- We have an industry-leading firewall protecting the servers, which in particular covers:
- DDoS attacks
- Blocking vulnerable scripts in the CMS
- Monitoring suspicious activity (for example, several password failures) and blocking the offending IP addresses
- All ports closed except to approved IP addresses
- No public facing control panels
- Secure password policy: at least 8 characters of random uppercase and lowercase letters, numbers and symbols, including database passwords
- Virus and malicious file scanner continuously scanning the server for malicious files, with immediate quarantine
- Connections to the servers from our approved IP addresses are made via Secure Shell (SSH) only. We do not use insecure FTP; file transfers use SFTP.
- Secure password policy for logins
- Systems kept up to date where feasible*
- Reputable content management systems and plugins that have built-in security protection
- Hard-to-guess admin URLs
- SSLs as standard**
- We have strict guidelines, standards and a go-live checklist that we follow to build websites to a high standard and to ensure security requirements are met
- Security and firewall plugins to monitor the site and protect it from malicious access
- Includes a virus and malicious file scanner continuously scanning the server for malicious files, with immediate quarantine
- Automatic and frequent updates to WordPress core, themes and plugins
- XML-RPC and the JSON API disabled
- Only reputable themes and plugins are used, with high ratings and frequent updates.
- We try our best NOT to use WordPress themes that are abundantly available online, due to security, bug and usage issues. ***
- Further information about WordPress security can be found here
- None of our eCommerce websites store credit card information. We use third-party gateways to process payments (e.g. Stripe or PayPal)
- Where possible we encourage customers to use off-site payment processing, where the user is directed to the payment gateway's site to pay, or to use Stripe, so that card data never passes through our system. (Some eCommerce websites do process card data via payment gateway plugins and so could technically be hijacked if malicious users gain access; the security policy above is aimed at preventing that access.)
* Some older systems are not easily upgradeable and require rebuilds at cost, so it is the customer's responsibility to instigate this. Newer systems such as WordPress are auto-updated
** SSLs as standard has only been in practice since 2017, so older websites may not have them unless requested
*** Except DIVI, which is technically a theme, but unlike any other!
- Employees are required to surrender any company data they may have upon leaving employment and sign a form to state they have done so
- Passwords are then changed and any access to systems they may have is revoked
- We operate a separate email server from the web servers, which allows us to be more selective about the software running on each and reduces the chance of malicious emails being stored on the web servers
- Secure password policy for email accounts
- Firewall protection as above, with IP banning after several incorrect login attempts
- Secure mail server via SSL
Data Protection
As a team, we do need to share passwords and other sensitive data, so we use a leading secure password and note management system to store and share passwords and sensitive notes within the team. The password manager uses industry-standard encryption to protect the data and requires several levels of authentication to access it.
It is rare that we store sensitive data on paper, but if we do, it is temporary and will be shredded afterwards. We normally transfer paper-based information to digital storage.
Mobile devices such as laptops and mobile phones that may have access to sensitive data (e.g. in an email) are protected by a password, PIN or fingerprint that only the owner knows.
- Our office is in a shared business centre protected first by a passcode/card entry door, and then our own office door.
- CCTV exists on the premises
- The office door is locked when no one is present
- Out of general office hours the main front door is locked and the building protected by an alarm
Data Breach Process
In the unfortunate event that we do have a data breach, we have a data breach process in place here.
- Controlled access: access cards, biometrics and visual identification
- 24/7/365 manned security
- High security standards: ISO 27001:2005 Security Management standard
- Audited by the government's Centre for the Protection of National Infrastructure