“It’s no longer a question of if, but when your website gets unwanted attention”

Authored by News Desk
Posted Sunday, November 17, 2019 - 11:02pm

The National Cyber Security Centre (NCSC) updated its guidance on content management systems (CMSs) such as WordPress, Drupal and Joomla in July 2018. As WordPress is used by around 34% of all websites worldwide, and up to 38% in the south-west of the UK, North Devon based data protection and privacy practitioner Nigel Hellewell AMBCS took particular interest in the document. Following recent client experiences, Nigel believes it is no longer a question of if, but when, a site gets unwanted attention. However, upon reviewing the advice, Nigel found that it was not as comprehensive as he had expected. Hoping for information about the GDPR, the Data Protection Act 2018 and associated legislation, user setup, security, backups and so on, he found that the communication simply asked: “Not public sector?”

“Take the time to understand if your website (or websites) use a CMS, and make sure you know who is responsible for keeping it up to date. You can then check if it's being updated regularly, and if it's not, find out what you need to do to make sure patches are applied as soon as possible” - NCSC guidance.
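One concrete way to make that check, as an added example rather than anything taken from the NCSC guidance or from Nigel's guide: the script below takes what WP-CLI's `wp core version` and `wp plugin list --format=json` would print for a site (the sample data here is constructed, and the "latest release" number is an assumed input that in practice would come from `wp core check-update`) and reports an out-of-date core, plugins with a pending update, and inactive plugins whose code is still on disk. Versions are compared numerically so that 5.10 is correctly treated as newer than 5.9.

```python
"""Audit a WordPress install for missing core and plugin updates.

Added example; not code from the NCSC page or from the guide discussed.
The inputs are constructed to mirror the output of `wp core version` and
`wp plugin list --format=json --fields=name,status,update,version`.
"""
import json

# Constructed sample: what `wp core version` would print for this site.
CORE_VERSION = "5.2.4"
# Assumed input: the current WordPress release at audit time
# (read it from `wp core check-update` or api.wordpress.org in practice).
LATEST_CORE = "5.3"

# Constructed sample in the shape of `wp plugin list --format=json`.
PLUGIN_LIST_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "available", "version": "4.1.2"},
    {"name": "contact-form-7", "status": "active", "update": "none", "version": "5.1.5"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "1.0"},
])


def parse_version(v):
    """Turn '5.2.4' into (5, 2, 4) so that 5.10 > 5.9 compares correctly.
    A non-numeric suffix such as the 'RC1' in '5.3-RC1' is ignored."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def core_out_of_date(installed, latest):
    """True when the installed core is older than the latest release.
    Missing trailing components count as zero, so '5.3' equals '5.3.0'."""
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit_plugins(plugin_list_json):
    """Return (plugins with an update available, inactive plugins).
    An inactive plugin is still code on the web root, so it is still worth
    removing rather than leaving disabled."""
    plugins = json.loads(plugin_list_json)
    needs_update = sorted(p["name"] for p in plugins if p.get("update") == "available")
    inactive = sorted(p["name"] for p in plugins if p.get("status") == "inactive")
    return needs_update, inactive


def audit(core_version, latest_core, plugin_list_json):
    """Combine the checks into one report dict."""
    needs_update, inactive = audit_plugins(plugin_list_json)
    return {
        "core_out_of_date": core_out_of_date(core_version, latest_core),
        "plugins_needing_update": needs_update,
        "inactive_plugins": inactive,
    }


if __name__ == "__main__":
    print(json.dumps(audit(CORE_VERSION, LATEST_CORE, PLUGIN_LIST_JSON), indent=2))
```

Run it on a real site by replacing the constructed constants with the live WP-CLI output; a non-empty `plugins_needing_update` list or a `core_out_of_date` of true is exactly the condition the NCSC quote asks site owners to find out about.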

Nigel Hellewell, founder of eNaycH, is Associate Member of BCS, The Chartered Institute of IT and has a Certificate in Data Protection. Nigel offers training and advice to organisations to help them maintain compliance with the Data Protection Act and associated legislation.

Upon further examination of the release, Nigel found that it did not address, or offer any advice on, the very current and relevant concerns that businesses are facing around cyber security and hacked websites. This all too common issue has disastrous effects for businesses, including content being defaced and personal data breaches resulting in bad publicity, damage to reputation, loss of customers and the possibility that the affected organisation may never recover.

While Nigel was encouraged to see that the centre's observations and analysis had identified 593 out-of-date sites in the public sector, he says he would have liked to know the total number of sites checked, so that he could compare it with his own analysis of some of the 549k websites operated by UK-based organisations that use the WordPress CMS alone.

Nigel's analysis has already found that 66% of the sites he has checked personally had not updated the 'Core' system (that is, WordPress itself), 69% had not applied updates to the additional functionality provided by 'plugins', and 64% had not applied security measures, leaving users' personal login/user data exposed. He was left with the nagging question:

“What about advice and guidance for these organisations?”

He decided to get his head down and write a guide to help any organisation (public or private) operating a WordPress website to start securing it. Drawing on Nigel's expertise and experience with all his clients over the years, the guide offers advice on how to maintain site security and covers the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act 2018 (DPA2018) (UK) and The Data Protection (Charges and Information) Regulations 2018 (UK).

Sections in the guide also cover the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) (Direct Marketing), to ensure that it can be reliably used as an Information Society Service (ISS). 

So, what has he ended up with and how does he feel now?

“Well, there’s now one source for the basic information that any organisation should need when processing personal data; no more trying to make multiple searches online for ‘GDPR advice for WordPress’ or ‘Data Protection advice for WordPress’. I have tried to structure the guide in a manner very similar to my own data protection & privacy training: start with the basics; scope, definitions, principles, lawful bases, consent, documentation etc., then weave in the specifics of the WordPress CMS”, he said.

“It’s over 100 pages, and I feel that if every organisation adopts at least the basic WordPress setup, applies the security advice, cares for and maintains the website going forwards and then takes the steps in respect of the Data Protection and Privacy legislation, we will all be in a much better place than we are today”.

The guide is affordable and online now at www.wpdataprotection.com. Each copy is personalised with the buyer's information, which of course is covered under Nigel's legitimate interests for processing personal data!
