Website cybersecurity is a practical requirement, and Australian organisations have a substantial body of guidance to work from. While the Australian Government's "Essential 8" focuses broadly on workplace security, the Australian Prudential Regulation Authority (APRA) offers a more specific Information Security Manual (ISM) with recommendations that apply to business websites.
Why Website Security Matters
When your business operates a website or web application, you are not just managing content; you are responsible for protecting data. Inadequate security controls expose you to risks such as data breaches, malware, DDoS attacks, and reputational damage. Company executives and operational staff need to implement relevant recommendations to minimise risk and liability if a security breach occurs.
APRA’s ISM: Tailored for Websites
APRA's ISM guidelines are practical for website owners. These are the key recommendations for websites and why they matter:
Network Traffic and Anonymity (ISM-1627, ISM-1628)
Blocking anonymity network traffic reduces the ability of malicious actors to hide their identity. This improves accountability when investigating suspicious requests and reduces security threats.
Cloud Service Providers (ISM-1437)
APRA advises the use of cloud service providers for hosting online services. A well-managed cloud platform can provide security controls and operational maturity that are difficult to match on premises.
Content Delivery Network (ISM-1438)
A CDN is not only a performance tool. It can filter malicious traffic before it reaches the origin and provide an additional layer of security.
Origin Exposure and DDoS Mitigation (ISM-1439)
Hiding the origin IP and using cloud providers for DDoS mitigation helps protect your primary server by dispersing traffic across a distributed network.
Data Encryption (ISM-1781, ISM-1139)
Encrypt all data over the network and use only the latest version of TLS to protect data in transit.
Logging and Auditing (ISM-261, ISM-580, ISM-0585, ISM-1661)
Comprehensive audit logging is vital for tracking activity and identifying irregular patterns. Logs should be detailed and reviewed periodically.
Web Application Firewall (WAF) (ISM-1240, ISM-1490, ISM-1509, ISM-1657)
A WAF provides a control point for monitoring and filtering incoming traffic, enabling you to block harmful requests.
Backup and Configuration (ISM-1511)
Back up your data, website, and configurations, and store them securely, preferably in a version-controlled environment such as Git.
HTTPS and SSL (ISM-1277, ISM-1552)
SSL certificates and HTTPS should be standard for all web content. This helps safeguard data integrity and user confidentiality.
Scaling and Monitoring (ISM-1579, ISM-1581)
Ensure your website can scale during demand spikes and that you have real-time monitoring for capacity and availability.
Virtual Patching and Antivirus Scanning (ISM-1690, ISM-1288, ISM-1694)
Virtual patching and antivirus scanning help protect your website against new vulnerabilities and malware.
Content Types (ISM-0649)
Only allow the specific content types your website needs to run. Restricting this reduces the risk of malicious content affecting your website.
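The content-type allowlist described above, together with the latest-TLS-only (ISM-1139) and audit-logging (ISM-261, ISM-580, ISM-0585, ISM-1661) recommendations earlier on this page, as an added Python example that is not part of this article or of APRA's guidance; the allowlisted media types, the WSGI application and the log fields are assumptions for a hypothetical service:

```python
import json
import logging
import ssl
from datetime import datetime, timezone

# ISM-0649: allowlist of request content types this (hypothetical) site needs.
ALLOWED_CONTENT_TYPES = {"application/json", "application/x-www-form-urlencoded"}
audit_log = logging.getLogger("audit")  # ISM-261/580/0585/1661: one JSON line per request

def content_type_allowed(header_value):
    """Compare the media type only; parameters such as charset are ignored."""
    if not header_value:
        return False
    media_type = header_value.split(";", 1)[0].strip().lower()
    return media_type in ALLOWED_CONTENT_TYPES

def tls13_only_context():
    """ISM-1139: refuse anything older than TLS 1.3; the caller loads the certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx

def audit_record(environ, status):
    """Structured fields an analyst needs to trace a request later."""
    return {"ts": datetime.now(timezone.utc).isoformat(),
            "client": environ.get("REMOTE_ADDR", "-"),
            "method": environ.get("REQUEST_METHOD", "-"),
            "path": environ.get("PATH_INFO", "-"),
            "content_type": environ.get("CONTENT_TYPE", "-"),
            "status": status}

def hardened_app(environ, start_response):
    """WSGI app: reject non-allowlisted request bodies before any handler runs."""
    has_body = environ.get("REQUEST_METHOD", "GET") in ("POST", "PUT", "PATCH")
    if has_body and not content_type_allowed(environ.get("CONTENT_TYPE")):
        status, body = "415 Unsupported Media Type", b"unsupported content type\n"
    else:
        status, body = "200 OK", b"ok\n"
    audit_log.info(json.dumps(audit_record(environ, status)))
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]

def call_app(environ):
    """Drive hardened_app without a server (constructed environ); returns (status, body)."""
    captured = {}
    body = b"".join(hardened_app(environ, lambda s, h: captured.update(status=s)))
    return captured["status"], body
```

Every request, accepted or rejected, produces one audit line, so a reviewer can spot repeated 415 responses from a single client during the periodic log review the page recommends.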
Final Thoughts
Incorporating APRA’s ISM recommendations into your cybersecurity strategy makes your website more resilient against cyberattacks. Treat them as essential operating practices for website security, not as guidance to skim once and set aside.