
A clean pass on security audit

The ABCs of security

The recent takeover of the ABC News Facebook page was a timely reminder of how quickly vulnerabilities can be exploited - even for organisations with significant resources and experienced teams.

Security failures aren’t always the result of sophisticated attacks. More often, they stem from overlooked basics, legacy access, or systems that have quietly drifted away from best practice. In the ABC’s case, it came down to a single phishing email that duped one employee. 

Our security practices put to the test

Over the past few months, three separate Newism clients (entirely coincidentally!) commissioned independent security audits on major web platforms we manage and support. 

Different auditors. 
Different scopes. 
Different organisations.

Same outcome: ✅ every audit passed without issue.

No critical findings. 
No warnings. 
No uncomfortable follow-ups. 

That wasn’t good luck. It reflects Newism's consistent attention to quality, discipline and good practice over time.

What the audits actually examined

The audits were presented as penetration testing (“pen testing”). While each differed in scope, they focused on areas that most commonly expose organisations to risk, including:

  • Hosting and server environments
  • Access controls and permissions
  • Authentication methods
  • Development and deployment practices
  • How code and configuration are maintained over time

These platforms held up under scrutiny from people whose job is to find weaknesses.

Invest in a solid Security Framework

Strong security doesn’t come from a single tool, plugin, or policy. It’s the result of many small, consistent decisions - often made in unglamorous places.

Some of the non-negotiables include:

  • Strong authentication, with multi-factor protection wherever available
  • Locked-down access policies, including IP-based restrictions
  • No casual server access, no FTP shortcuts, no “just this once” exceptions
  • Clearly separated development, testing, and production environments
  • Keeping platforms up to date with versions that address known vulnerabilities

None of this is flashy. All of it matters.

Business as usual... until it isn't!

For most organisations, web platforms are no longer “just a website”. They underpin:

  • how customers engage
  • how staff work
  • how members log in
  • how services are delivered

When something goes wrong, the impact is rarely contained.

Common risks we see when security isn’t treated seriously enough:

  • Critical systems going offline at the worst possible time
  • Loss or exposure of sensitive data
  • Reputational damage - sometimes caused by the breach itself, sometimes from what follows

Once trust is lost, it’s hard to win back.


5 ways employees can think more security-first

You don’t need to be technical to protect digital platforms. Most security incidents start with very normal human behaviour.

  1. Treat logins like keys, not conveniences
    If you wouldn’t hand someone the office keys, don’t reuse passwords or share access “just for now”.
  2. Slow down when something feels urgent
    Many attacks rely on pressure — “do this now”, “your account will be locked”. Take a breath and double-check before acting.
  3. Use multi-factor authentication everywhere it’s offered
    One extra step that blocks a huge percentage of attacks. Mildly annoying. Massively effective.
  4. Be mindful of where you log in
    Public Wi-Fi, shared devices, or out-of-date personal laptops quietly increase risk. When in doubt, wait.
  5. Ask before installing or connecting anything new
    Plugins, extensions, third-party tools - even helpful ones - can open doors if they’re not vetted.

Most breaches don’t come from hackers being clever. They come from someone being rushed, tired, or trusting.


5 essential things to avoid website hacks

These are common patterns we see when platforms don’t perform well in audits.

  1. Shared or generic admin accounts
    When everyone logs in as “admin”, accountability disappears.
  2. Leaving old access in place
    Former staff, contractors, and agencies are a major hidden risk.
  3. Bypassing process “just this once”
    Temporary shortcuts tend to become permanent vulnerabilities.
  4. Ignoring updates or security warnings
    Updates exist for a reason. Delays increase exposure.
  5. Assuming “it won’t happen to us”
    Size doesn’t protect you. Visibility doesn’t protect you. Good habits do.
