Bold statement I know, but your site does need an audit
Yahoo, Equifax, eBay, Uber, Sony and Adobe, these are just some companies on the ever growing list of sites (and services) that have been compromised and their user data stolen over the last few years.
In many cases the breaches have happened because of simple errors and mistakes that could have been avoided altogether, and one way to achieve that is through periodic audit of your sites, services, and IT infrastructure.
But it’s not just about security and data breaches, it’s also about quality of your sites and services, as well as the compliance to laws, regulations, and standards.
What is an audit?
Let’s start with the simple question, what is an audit? Usually, we associate an audit with the examinations of books, accounts, records and documents for tax reasons. To make sure that everything is according to and as required by law. Website audits are similar.
There are different types of audits for websites (and services) with varying focuses, some that focus on quality, some that focus on security issues, or on specific legislation (such as the GDPR), but all of them examine your website and the infrastructure used to host it for compliance, web and IT standards, as well as best practices.
Why do I need to audit my site?
There are many reasons to have your site audited, the core ones being quality, security, compliance and maintainability. You want to cover all of these; as all of them are important.
But why would you want to, what’s the return on investment you ask?
There are many reasons, with increased quality and maintainability you reduce technical debt and costs for running and further development.
With better security you avoid data breaches, being hacked, and the site being taken offline altogether. When it comes to compliance it’s not just about avoiding fines, it’s also about empowering your users, and making the web and your service accessible for everyone. Not to forget about the image damage to your company or service that a breach brings with it.
A quick checklist for you to consider when thinking about quality:
- How well was your site built?
- Was it developed adhering to standards and best practices of the technologies used in your site?
- Is it documented, both inside and outside the code base?
- Are there automated tests, unit tests, integration tests, acceptance tests?
- Is the code base structured in a way that makes it easy to work and maintain the site?
- Is the development team using the right set of tools and services to work on the site?
These are just some of the questions that you want to ask when checking for quality. Having your site audited can provide you with the answers to those (and many more) questions.
How certain are you that there aren’t any holes in your site or service that can be exploited? Having a site that is not secure can lead to great damage being done to your site and your company. It can compromise the integrity of your data and in worst cases leak valuable data to whoever is using security holes in your site and its infrastructure.
In 2017 hardly a month passed by without another data breach being reported. Data of millions of users stolen in the Equifax breach, financial data that the users trusted Equifax with. Breach that was caused by an unpatched piece of software, something that an audit would flag.
Yahoo had its site breached in 2013, but it was only until quite recently that it came out that it wasn’t one billion users who were affected, but three billion. Republican National Committee voter data, Uber’s user data, Kromtech data breach that exposed 10 million vehicle identification numbers, were also among some of the bigger breaches in 2017.
You want your site to be compliant with the regulations and laws that apply to it. The fines (depending on regulations or laws that you are not adhering to) can be as high as 4% of worldwide turnover or €20 million, whichever is highest.
You might think that it already is compliant and that you don’t need to worry about it, but do you really know for a fact that it is? With ever changing landscape in laws and regulations, you might want to find out if you still are compliant with the applicable ones.
Take GDPR for example, which is a new regulation that is coming and will be in effect later this year. We estimate that most sites that store user data of people based in EU aren’t compliant with it, yet.
For more information, check out this post about GDPR.
Maintainability & technical debt
Technical debt (also known as design debt or code debt) is a concept in software development that reflects the implied cost of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer.
As your site (or service) grows, as more features are added, removed and changed, the technical debt increases. It makes it harder to maintain, find and fix bugs, and even add new features.
In order to reduce the technical debt you need to know how much of it there is and where it is. Find out which parts of the service could use an overhaul to increase the maintainability without sacrificing further hours lost in maintaining technical debt.
When is it a good time to have an audit?
So we know that it is a good thing to audit your sites and services, but when does it make sense to do so?
You should get your site audited when you:
- want to future-proof your site
- are not sure if your site meets required standards, laws or regulations
- want to renew your site, or greatly extend your site’s features
- want to make sure that you are getting excellent quality, and a secure, reliable, and maintainable site
What should I expect from an audit?
You should always expect to get a comprehensive report that lists what was done, when was it done, and how it was done. The report should outline the findings both for technical and non-technical users.
The findings and reports should always be honest, impartial, and fair.
Find out more
If you’d like to find out more, reach out to us and we’ll help you and your business.