The ABCs of security
The recent takeover of the ABC News Facebook page was a timely reminder of how quickly vulnerabilities can be exploited, even for organisations with significant resources and experienced teams.
No, we’re not talking about the sophisticated, elaborate, Hollywood-style super hackers - the kind that shuts down the city grid to gain access. More often, security failures stem from overlooked basics, legacy access that was never removed, or systems that have quietly drifted away from best practice. In the ABC’s case, it came down to a single phishing email that duped one employee.
Put to the test
Over recent months, three separate Newism clients (entirely coincidentally!) commissioned independent security audits on major web platforms we manage and support.
Different auditors. Different scopes. Different organisations.
✅ Every audit passed without issue
That wasn’t good luck. Nor was it a surprise. It reflects Newism's consistent attention to quality, discipline and good practice over time.
What the audits actually examined
The audits were presented as penetration testing (“pen testing”). While each differed in scope, they focused on areas that most commonly expose organisations to risk, including:
- Hosting and server environments
- Access controls and permissions
- Authentication methods
- Development and deployment practices
- Vulnerabilities on the front-end website (or unlocked doors around the back!)
- How code and configuration are maintained over time
Our platforms held up under scrutiny from people whose job is to find weaknesses.
Invest in a solid Security Framework
Strong security doesn’t come from a single tool, plugin, or policy. It’s the result of many small, consistent decisions and ongoing review and management.
Some of the non-negotiables include:
- Strong authentication, with multi-factor protection wherever available
- Locked-down access policies, including IP-based restrictions
- No casual server access, no FTP shortcuts (plain FTP sends credentials in the clear and bypasses version control and the deployment pipeline), no “just this once” exceptions
- Clearly separated development, testing, and production environments
- Keeping platforms up to date with versions that address known vulnerabilities
None of this is flashy. All of it matters.
Business as usual... until it isn’t!
For the clients we work with, digital platforms are business critical. Beyond the loss or exposure of sensitive data (and the litigation that can follow), the long-term risk is the loss of trust and the reputational damage that comes in the aftermath.
Leevi, our Technical Director, puts it this way:
And when something goes wrong, the impact is rarely contained.
Everyday behaviours for security-first thinking
Most security incidents start with very normal human behaviour. You don’t need to be technical to protect digital platforms.
- Treat logins like keys, not conveniences
  If you wouldn’t hand someone the office keys, don’t reuse passwords or share access “just for now”.
- Slow down when something feels urgent
  Many attacks rely on pressure - “do this now”, “your account will be locked”. Take a breath and triple-check before acting.
- Don’t click email or message links asking you to sign in
  Just don’t. Most will be phishing attempts. Take the scenic route: go to the website or platform manually, log in as you normally would, then check for legitimate notifications or alerts.
- Use multi-factor authentication if it’s available
  One extra step that stops an attacker who has only your password. Mildly annoying. Massively effective.
- Be mindful of your online connection
  Public Wi-Fi, shared devices, or out-of-date personal laptops quietly increase risk. When in doubt, defer until you’re on a safe connection and a trusted device.
- Ask before installing or connecting anything new
  Plugins, extensions, third-party tools - even helpful ones - can open doors if they’re not vetted.
Most breaches don’t come from hackers being clever. They come from someone being rushed, tired, or trusting.
6 essentials to avoid platform hacks
These are common themes and behaviours reported when platforms don’t perform well in audits.
- Shared or generic admin accounts
  When everyone logs in as “admin”, accountability disappears.
- Leaving old access in place
  Former staff, contractors, and agencies are a major hidden risk.
- Bypassing process “just this once”
  Temporary shortcuts tend to become permanent vulnerabilities.
- Ignoring updates or security warnings
  Updates exist for a reason. Delays increase exposure.
- Skipping independent audits
  Even good teams benefit from external eyes. Conduct periodic, independent security audits and/or penetration tests, and resolve any vulnerabilities uncovered.
- Assuming “it won’t happen to us”
  Prioritise security. Size doesn’t protect you. Visibility doesn’t protect you. Good habits do.
Prevention is better than cure. Guard against risk by reviewing your user policies, platforms and providers.
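The first two essentials above (shared admin accounts and access left in place) and the MFA point are the kind of thing that can be checked mechanically rather than by memory. As an added illustration, written for this article and not Newism’s own tooling, the Python script below audits an exported list of platform accounts for generic logins, access still held by departed people or agencies, accounts that are never or rarely used, and missing MFA. The account fields, the 90-day stale threshold and the four sample accounts are constructed assumptions, not a real CMS export.

```python
"""Access-hygiene audit over an exported list of platform accounts.

Added example, not part of the original article or Newism's tooling.
Assumptions: the Account fields mirror what a CMS or hosting console
exports; the 90-day stale threshold and the sample accounts are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Usernames or mailbox names that signal a shared login rather than a person.
GENERIC_NAMES = {"admin", "administrator", "root", "webmaster", "info", "support", "marketing"}

# Access unused for longer than this is reported as stale (assumed threshold).
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Account:
    username: str
    email: str
    role: str                   # e.g. "admin" or "editor"
    mfa_enabled: bool
    last_login: Optional[date]  # None: the account has never been used
    still_engaged: bool         # False once the person or agency has moved on


@dataclass(frozen=True)
class Finding:
    username: str
    code: str      # GENERIC, DEPARTED, STALE or NO_MFA
    severity: str  # "high" or "medium"
    detail: str


def audit_accounts(accounts: list[Account], today: date) -> list[Finding]:
    """Return one Finding per problem found; an empty list means the export is clean."""
    findings: list[Finding] = []
    for acct in accounts:
        is_admin = acct.role == "admin"
        mailbox = acct.email.split("@", 1)[0].lower()

        # Shared or generic admin accounts: nobody is accountable for what "admin" did.
        if acct.username.lower() in GENERIC_NAMES or mailbox in GENERIC_NAMES:
            findings.append(Finding(acct.username, "GENERIC", "high",
                                    "shared or generic login; actions cannot be attributed to a person"))

        # Leaving old access in place: former staff, contractors and agencies.
        if not acct.still_engaged:
            findings.append(Finding(acct.username, "DEPARTED", "high",
                                    "access still in place for someone no longer engaged"))

        # Access that is never or rarely used is a standing liability with no benefit.
        if acct.last_login is None:
            findings.append(Finding(acct.username, "STALE", "medium", "account has never been used"))
        elif today - acct.last_login > STALE_AFTER:
            days = (today - acct.last_login).days
            findings.append(Finding(acct.username, "STALE", "medium", f"last login {days} days ago"))

        # MFA wherever available, and non-negotiable for admin roles.
        if not acct.mfa_enabled:
            findings.append(Finding(acct.username, "NO_MFA", "high" if is_admin else "medium",
                                    "multi-factor authentication not enabled"))
    return findings


def count_by_severity(findings: list[Finding]) -> dict[str, int]:
    """Summarise findings so a report can lead with the high-severity count."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample export: four accounts on an imaginary CMS, audited on 1 June 2025.
AUDIT_DATE = date(2025, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("admin", "admin@example.com", "admin", False, date(2025, 5, 30), True),
    Account("jane.doe", "jane.doe@example.com", "admin", True, date(2025, 5, 28), True),
    Account("agency-dev", "dev@agency.example", "admin", True, date(2024, 11, 3), False),
    Account("tom.smith", "tom.smith@example.com", "editor", False, None, True),
]

if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)
    for f in results:
        print(f"[{f.severity:6}] {f.username:12} {f.code:9} {f.detail}")
    print(count_by_severity(results))
```

Run against the sample export, the script flags the shared “admin” login (no owner, no MFA), the agency developer whose admin access outlived the engagement, and an editor account that was provisioned but never used; jane.doe is the only clean account. The same check belongs on every system in the list above, not just the CMS: hosting console, deployment tooling, email and DNS all have their own account lists, and the departed-agency case is usually found in the ones nobody exports.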
Platform Security Basics
Simple things worth checking with your digital platform provider:
- Who can access what, and why
  Ask how access is managed across your website, hosting, and third-party tools. Good providers can clearly explain who has access, how it’s restricted, and how old or unused access is removed.
- How logins are protected
  Check whether multi-factor authentication (2FA/MFA) is used wherever it’s available - especially for admin accounts, hosting, email, and deployment tools.
- How environments are separated
  Your live site should not double as a testing or development playground. Ask how development, testing, and production environments are kept separate to reduce risk.
- How updates and patches are handled
  Security issues often arise from outdated software rather than “hacks”. Ask how core systems, plugins, and dependencies are monitored and kept up to date.
- How access is granted (and revoked)
  Find out how new team members, contractors, or agencies are given access - and, just as importantly, how that access is removed when roles change.
- What happens if something goes wrong
  No system is invincible. A good provider can explain their monitoring and incident response approach - who is notified, what steps are taken, and how issues are resolved quickly and transparently.
Website and web platform security matters. Act now.