Security is constantly moving forward online. There’s always more and more you can do as there’s always more and more people out there discovering ways to do things they shouldn’t do.

But these things aren’t always quick and easy to do. Yes, you can click a button to upgrade your WordPress and hope there are no plugin conflicts. But if there are conflicts, you’ll wish you’d done it on a staging server first and tested things carefully. And even if you do upgrade your WordPress – what about your server? What about all the things that could be done on your hosting to help keep the bad guys out? Again, these might be taken care of for you, but if you’re running a big site on something like AWS a lot of this will need to be done by your developers. Even if you are just on a WordPress site, who’s going to set up the 2FA plugin for you – or even highlight to you that that’s something you should be considering?

Who foots the bill?

Something I’ve noticed in the last couple of years, as security measures seem to come at us thick and fast, is that people don’t budget for security.

At the beginning of the year, marketers – who are normally in charge of the company website – think about their ad spend and the various campaigns they’re going to be running, or the brand refresh they want. But, other than perhaps a few routine updates, they don’t think about security.

Meanwhile, the IT department focuses its security budget on the company’s internal tools and systems – and leaves the website to the marketing department.

And then, when the developers tell them they need to upgrade this year, or that they’re being attacked and should consider a firewall and some AWS WAF rules that cost a few dollars a month each, suddenly everyone’s looking at everyone else to see whose budget this should come from.

Ultimately, who pays in your organisation is going to be different for everyone, but I guess the purpose of this blog post is just to flag up that someone needs to. Amongst you all, you need a contingency for this sort of thing. Just as, if you run a bricks-and-mortar shop, you need to have some cash in case someone puts a brick through the window or a tap starts to leak, you need some cash in case you need to do some maintenance on your online premises too.

Yes, it’s very tricky to know how much that might be, and it’ll vary depending on your framework and setup – but try and have a conversation with your developers about it. Try and think whether there’s anything that might be coming up – like a new version of PHP or an update to Laravel – and allow a few days for that. And then allow a few days or a week for complete unknowns.