Menu
How secure is your website really? 5 unexpected checks
-
-
- Featured on
Websites no longer have to belong to a large or well-known organization to be interesting to cybercriminals. Smaller sites, webshops, and customer portals are just as attractive when security is set up just slightly less than properly. This has become even more relevant now that attacks are increasingly automated.
For many organizations, website security feels like something that is “taken care of.” There’s a padlock in the browser, passwords are in order, and updates are being installed. The basics seem checked off. But that can create a false sense of security. The biggest risks often aren’t in what you see directly, but in everything happening underneath, around, and in between.
As a digital agency with 27 years of experience developing websites and webshops, we’re sharing 5 less obvious checks to help you assess whether your website is truly secure. Not to solve the technical details yourself, but to ask better questions and recognize earlier where a false sense of security may arise.
This is a repost of our article written for Frankwatching (Dutch).
1. Your website runs on more building blocks than you think
What you see on the front end is only a small part of your website. Beneath the surface, a website consists of many building blocks that need to work together: the CMS, plugins, frameworks, libraries, and small software packages that depend on other packages. That last part is what makes it complex. Even if you haven’t added anything unusual, your website may still rely on dozens or even hundreds of underlying packages.
This matters because vulnerabilities rarely sit in the visible part of your website. They are often hidden in one of those underlying components. We previously wrote about why it’s important to always keep your CMS up to date, but even then, you can still face risks. A problem may exist somewhere deeper in the chain.
For marketing managers, this is essential to understand: a website is not one closed system, but a collection of components that all influence security. The more additional functionalities, plugins, and integrations you add, the larger the dependency chain usually becomes. And the larger that chain, the greater the chance that something somewhere turns out to be vulnerable.
2. A secure website can still run in an insecure environment
Even if your website itself is properly developed, that doesn’t tell the whole story. Your website also needs to run somewhere: on a hosting environment, server, container, or cloud platform, with various settings that determine who has access to what and how the environment is protected.
This introduces a different type of risk. Not in the building blocks of the website itself, but in how the overall environment is configured. Think of open ports, outdated server software, overly broad access rights, or configurations that once made sense but were never reviewed again.
For non-technical stakeholders, this is harder to spot because everything on the front end may appear to function perfectly. Behind the scenes, however, the foundation may still be too open or outdated.
This isn’t about what your website contains, but about the digital environment in which it lives. That environment largely determines how well digital attacks can be prevented or stopped.
Do you want to know more about your website's security?
Please feel free to contact us
Lukas Jansen
Web Developer & Security Officer
3. Smart integrations can quietly introduce additional risk
Not every security risk starts with a sophisticated attack. Sometimes it begins with something that was once convenient. A temporary integration with a tool. A script added for a campaign. An export file that needed to be shared. A tag in the tag manager that was once relevant but never reviewed again.
In marketing environments, a lot is rolled out, connected, optimized, and tested temporarily. That makes sense, because speed and experimentation are part of the job. But speed has one downside: temporary solutions often stay longer than intended. And what disappears from view is rarely critically reassessed.
Imagine your marketing team builds an n8n flow where new leads or order information are automatically sent from the website to a CRM, a Slack channel, and an AI summary for internal follow-up. That can be highly efficient. But if such a flow was set up quickly to test something and never reviewed again, it may continue forwarding more data than intended. For example, to a tool you no longer actively use, or to an environment where too many people have access.
The core principle is simple: the more tools, scripts, and integrations that are added over time, the greater the chance that unnoticed security risks emerge. Who in your organization is responsible for this intermediate layer of scripts, flows, and integrations?
4. AI makes it easier to build something that works, but not automatically something that is secure
AI lowers the threshold for quickly adding something to a website. Generating a script, setting up a chatbot, testing a small feature, or writing a piece of code feels easier than ever. That creates a new type of risk: things are built faster and pushed live faster, while in-depth review lags behind.
This is a fundamental difference. Working code is not the same as secure code. Something can do exactly what you want while simultaneously introducing unnecessary dependencies, granting overly broad access, or failing to properly align with the rest of your website. For non-technical teams, this is difficult to assess because the result often looks fine on the surface.
Moreover, AI primarily answers the direct question asked, not the full context of your platform, processes, and risk landscape. It may generate a solution for one problem while unintentionally introducing a weak spot somewhere else.
For marketing, this is an interesting shift. The autonomy to build things independently is increasing. But so is the responsibility to recognize that being able to build something yourself does not automatically mean it’s wise to put it live without additional review.
5. The more data you store, the greater the impact if something goes wrong
How much data are you actually collecting? Many organizations store more than strictly necessary. Not out of carelessness, but because data feels valuable. It might be useful later. It could support personalization. It may come in handy for a future campaign or analysis.
But that reflex has a downside. The more data you store, the greater the damage if something leaks, is shared incorrectly, or becomes accessible to parties who should not have access.
Some data does not immediately feel “sensitive,” even though it is. A date of birth for a birthday email may sound harmless, until you realize that such information is often used in passwords or PIN codes.
More data feels like more opportunity. But in security, less is often stronger. This principle is also reflected in privacy legislation: collect what is necessary, not what might be useful someday. The GDPR principles around data minimization closely align with this idea.
What information do you truly need? What information do you collect simply because you can? And how much risk are you unintentionally carrying as a result?
Security is not a one-time check, but ongoing maintenance
The question is not whether your website is secure today, but whether security is structurally well organized. New vulnerabilities continuously emerge, even in systems that are currently functioning perfectly. That requires ongoing insight into dependencies, active monitoring, and timely improvements. Not something you handle occasionally, but a fixed part of how your website is managed and further developed.
At WHITE, we believe in long-term relationships and see the launch of a new project as the start of an ongoing process of optimization and development. We feel responsible for the stability and security of the websites we build. To ensure this, we have our Client Success Team. A dedicated team that monitors, analyzes, and proactively identifies improvements every day, ensuring your platform not only continues to evolve, but also remains secure and stable.
Coffee?
Would you like to brainstorm about a (future) project?
Willem Moeskops
Client Success