Articles

cybersecurity Article

<a target="_blank" rel="noopener noreferrer" href="https://cmscritic.com/critics/jurgita-lap">Jurgita Lapienytė</a><a target="_blank" rel="noopener noreferrer" href="https://cmscritic.com/critics/dan-drapeau"> </a>is Editor-in-Chief at <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/">Cybernews</a> and a CMS Critic contributor. <hr /> Imagine that you’re out shopping for a new jacket, blissfully unaware that somewhere, in the digital shadows, your personal details are being shuffled like cards in a high-stakes game you never agreed to play. That’s the reality for The North Face customers after a <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/news/north-face-cyberattack-compromised-customer-accounts-vf-corp/">“small-scale” credential stuffing attack</a> – though, let’s be honest, there’s nothing small about having your name, birthday, and address stolen.<h3 id="credential-stuffing:-the-lazy-hacker’s-jackpot">Credential Stuffing: The Lazy Hacker’s Jackpot</h3>Credential stuffing is the digital equivalent of trying every key on a ring until one fits. Hackers scoop up usernames and passwords leaked from previous breaches, then let automated bots loose on other websites, hoping you’ve reused your old faithful password yet again. Spoiler: <a target="_blank" rel="noopener noreferrer" href="https://cybernews.com/security/password-leak-study-unveils-2025-trends-reused-and-lazy/#:~:text=The%20Cybernews%20research%20team%20conducted,the%202025%20password%20creation%20trends.&amp;text=%E2%80%9CWe're%20facing%20a%20widespread,highly%20vulnerable%20to%20dictionary%20attacks.">Most people do</a>. It’s like giving every houseguest you’ve ever had a copy of your key and never changing the locks.Why does this keep happening? Because password reuse is the internet’s dirty little secret. We all know we shouldn’t, but convenience wins. The North Face’s attackers didn’t need to break down the door – they just waltzed in, armed with credentials bought in bulk from the dark web’s version of a discount warehouse.<h3 id="what-was-stolen-–-and-why-it’s-important">What Was Stolen – and Why It’s Important</h3>No, your credit card wasn’t filched this time. But don’t breathe easy just yet. Names, addresses, phone numbers, birthdays – these are the building blocks for identity theft and phishing scams that can cost you far more than a new parka. Cybercriminals love this data because it’s the clay they mold into convincing cons.<h3 id="how-to-break-the-cycle">How to Break the Cycle</h3>Here’s what CMS and DXP vendors can do to help brands secure the end user experience: <ul><li>Enable <a target="_blank" rel="noopener noreferrer" href="https://support.microsoft.com/en-us/topic/what-is-multifactor-authentication-e5e39437-121c-be60-d123-eda06bddf661">Multi-Factor Authentication (MFA)</a> by default, especially for risky logins and sensitive actions.</li><li>Use AI-powered bot detection and rate limiting to block automated credential stuffing attempts.</li><li>Integrate <a target="_blank" rel="noopener noreferrer" href="https://support.google.com/a/answer/1217728">CAPTCHA</a> challenges smartly to stop bots without frustrating real users.</li><li>Adopt secure, decoupled architectures and protect APIs with strong authentication protocols.</li><li>Check passwords against breach databases and enforce strong, unique password policies.</li><li>Monitor login patterns in real-time to spot and respond to suspicious activity quickly.</li><li>Provide built-in user education on security best practices and phishing awareness.</li><li>Keep platforms updated automatically with the latest security patches and protections.</li><li>Leverage cloud-native, vendor-managed security to reduce risks and maintenance burdens.</li></ul><h3 id="last-take">Last Take</h3>The North Face did the right thing by alerting customers, even if the law didn’t twist their arm. But let’s not kid ourselves: until unique passwords and two-factor authentication are as routine as zipping your coat before a snowstorm, credential stuffing attacks will keep finding their mark. Don’t be the low-hanging fruit. In the wilds of the internet, survival favors the cautious. <hr /><h3 id="upcoming-events">Upcoming Events</h3> <img style="width:31.83%" src="https://cmscritic.com/ms-content/uploads/2025/01/cms-connect-2025-logo.png" alt="" /><h4 id="cms-connect-25"><a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmsconnect25">CMS Connect 25</a></h4>August 5-6, 2025 – Montreal, CanadaWe are delighted to present the second annual summer edition of our signature global conference dedicated to the content management community! CMS Connect will be held again in beautiful Montreal, Canada, and feature a unique blend of masterclasses, insightful talks, interactive discussions, impactful learning sessions, and authentic networking opportunities. Join vendors, agencies, and customers from across our industry as we engage and collaborate around the future of content management – and hear from the top thought leaders at the only vendor-neutral, in-person conference exclusively focused on CMS. Space is limited for this event, <a target="_blank" rel="noopener noreferrer" href="https://www.boye-co.com/conferences/cmsconnect25">so book your seats today.</a>

When Passwords Become Skeleton Keys: The North Face Breach and the Perils of Credential Stuffing

jurgita-lap

<hr /> <a target="_blank" href="https://cmscritic.com/critics/nazy">Nazy Fouladirad</a> is President and COO of Tevora, a leading global cybersecurity consultancy, and a CMS Critic contributor. Most organizations today are increasingly dependent on more than just their internal teams and on-premise solutions to drive their businesses forward. The growing popularity of cloud platforms and "as-a-service" models across various industries has also led to a significant increase in organizations partnering with third-party providers.However, while collaborating with multiple external vendors and service providers can help organizations expand, it can also introduce new risks. Given the rise in cybercrime and strict regulatory standards today, the need to have a mature third-party risk management program is essential to ensure <a target="_blank" href="https://cmscritic.com/how-to-secure-your-cms-in-5-steps">their data is secure</a>, especially when handled by those outside the company.<h2 id="recognizing-the-risks-of-third-party-vendors">Recognizing the Risks of Third-Party Vendors</h2>Establishing strong business partnerships is an important component of business growth. Whether hiring an outside marketing firm to drive brand awareness or working with a managed services provider to outsource IT and cybersecurity, the right partnerships help businesses operate more efficiently. However, it's important to be aware of certain risks associated with extending your operations outside your organization.When vendors require access to confidential business information to offer their services, the duty to protect that data starts moving beyond the company's immediate reach. Without due diligence, this can pose <a target="_blank" href="https://www.checkpoint.com/cyber-hub/cyber-security/what-is-cybersecurity/biggest-cyber-security-challenges-in-2023/">significant security challenges</a>, particularly if your partners aren't upholding the safety standards your business adheres to. While most service providers are obligated by data protection laws and regulations to protect sensitive client information, the reality is that not all companies are equally secure. Besides the financial risk associated with a major business disruption across connected services, businesses may also face significant fines and penalties if they fail to maintain regulated compliance standards that govern their specific industry.<h2 id="what-are-third-party-security-&amp;-compliance-audits?">What are Third-Party Security &amp; Compliance Audits?</h2>For organizations that need to have more transparency regarding potential security risks that may be present with a third party, security risk and compliance audits are essential. A third-party security and compliance audit or assessment is a methodical review process handled by outside risk management experts to thoroughly vet the security standards of any business partnership.Depending on the industry your organization operates in, there are a variety of different assessments or audits that can be used to identify any areas of concern.For example, a SOC 2 attestation, sometimes referred to as a <a target="_blank" href="https://www.tevora.com/what-is-a-soc-audit/">SOC audit</a> or SOC certification (which is technically incorrect), is often used to benchmark internal control frameworks in the following Trust Criteria:<ul><li>Security</li><li>Privacy</li><li>Confidentiality</li><li>Availability</li><li>Process Integrity</li></ul>These attestation reports are the opinion of a CPA firm and identify an opinion of conformity against the selected Trust Criteria. It is important to note that not all SOC 2 reports test all five Trust Services Criteria, as it depends on scope. This is similar but holds a bit less rigor than an <a target="_blank" href="https://www.tevora.com/blog/what-is-an-iso-audit/">ISO 27001 audit</a>, which checks that systems and processes align with the framework established by the International Organization for Standardization.<a target="_blank" href="https://www.fedramp.gov/">FedRAMP High Authorization</a>, used for assessing Cloud Service Providers performing critical and essential services for Government Agencies, has over 400 controls and is even more rigorous than the ISO 27001 certification.To streamline third-party vendor assessments, some may use SOC 2, ISO 27001, HITRUST, or FedRAMPas alternative evidence for vetting vendors rather than conducting one-off assessments.<h2 id="steps-to-executing-third-party-security-&amp;-compliance-audits">Steps to Executing Third-Party Security &amp; Compliance Audits</h2>Conducting a third-party compliance audit is often left to risk management specialists due to the complexity of the process. While every audit can be different depending on the depth and scale of the partnership, most external audits will follow a similar formula.Below are the typical steps used when executing third-party security and compliance audits:<h3 id="1.-identify-all-of-your-partnerships">1. Identify All of Your Partnerships</h3>Thoroughly evaluating the business's active partnerships is the first step before performing any type of third-party audit. Oftentimes, businesses may be primarily concerned with only one or two active partnerships they rely on regularly. However, having a completely transparent understanding of your complete risk profile requires identifying each and every vendor you engage with. This could be a supplier of physical goods, logistics companies that you currently contract, SaaS (Software-as-a-Service) providers, or a company where this is a direct change of company information.<h3 id="2.-tier-your-vendors">2. Tier Your Vendors</h3>Not all vendors are created equal. The most important vendors are those that you share the most sensitive data with, have access to your networks, host or build applications, have physical access to your facilities, or can interrupt your key business processes. These vendors are often referred to as Tier 1 vendors. Other vendors you may rely on but are not as critical can be considered Tier 2. Vendors that do not provide essential services – such as a coffee supply vendor or shipping provider – may be considered a Tier 3 vendor.  For Tier 3 vendors, just knowing that they are accounted for and have been identified as a Tier 3 vendor is all that is required. <h3 id="3.-build-a-plan-for-vendor-assessments-by-tier">3. Build a Plan for Vendor Assessments by Tier</h3>Working with a trained risk assessment professional, you should define the assessment, process, depth, and acceptable alternative evidence allowed for each tier of vendor.  By organizing your assessment process by Vendor Tier, you'll be able to narrow down the focus of your audits to the areas that are most critical for the services provided.Part of building a successful vendor assessment plan should start with the alignment of your company’s existing security framework to your Vendor assessment model (ISO 27000 series, NIST 800 series, HITRUST Certification, or FedRAMP/StateRAMP). Typically, more mature vendors will have their own security programs developed and backed by one of these frameworks. Having the ability to crosswalk between the frameworks can help show how your company’s security controls are implemented through outsourcing to these vendors. A tool commonly used within the Third Party Vendor Management space is the <a target="_blank" href="https://sharedassessments.org/sig/">Standardized Information Gathering (SIG) Questionnaire</a>, which helps map controls to various frameworks. The SIG Questionnaire has over 1000 controls, whereas the SIG Lite contains about 200 controls. Many Vendors will have a SIG or SIG Lite available for review during the third-party assessment process and this can be an effective way of getting standardized information from your vendors. <h3 id="4.-notify-your-vendors">4. Notify Your Vendors</h3>While certain portions of a third-party risk assessment can be managed without the direct involvement of your vendors and with the use of various monitoring tools, their participation is essential to complete an assessment. Many companies will make assessment requirements part of their new vendor onboarding process to ensure that all parties are aware of the potential for assessment before or during the length of the partnership. In any event, it's important to clearly lay out any requirements your business may have when it comes to completing assessments to ensure vendors are aware and willing to comply.<h3 id="5.-define-scope-of-engagement">5. Define Scope of Engagement</h3>Some assessments are much more comprehensive than others. In all situations, though, it's important to define the scope of engagement that will be required for each vendor. This is another area where understanding your risk categories will help, as it will assist in prioritizing engagement in the right areas and with the right teams. Doing so helps to avoid your vendors becoming overwhelmed with requests for information that could potentially cause strain on the relationship.<h3 id="6.-complete-the-review-and-identify-areas-of-improvement">6. Complete the Review and Identify Areas of Improvement</h3>After gathering the required information, your risk management team can produce a detailed review of potential areas of concern. Given the thoroughness of the data collected, some areas might need additional exploration to guarantee the review's accuracy and to ensure the insights provided are easy to understand and actionable.<h2 id="don't-let-your-third-party-risk-catch-you-off-guard">Don't Let Your Third-Party Risk Catch You Off Guard</h2>While your organization might prioritize and invest in proper security measures, not all vendors necessarily share that commitment. However, collaborating with skilled risk management experts can help confirm that all your partnerships value security and risk mitigation as much as you and your clients do. <hr /><h3 id="upcoming-conferences">Upcoming conferences</h3> <img style="width:29.67%" src="https://cmscritic.com/ms-content/uploads/2024/01/cms-connect-2024-logo.png" alt="CMS Connect 24 logo" /><h4 id="cms-connect-24"><a target="_blank" href="https://www.boye-co.com/conferences/cmsconnect24">CMS Connect 24</a></h4>August 6-7, 2024 – Montreal, CanadaWe are delighted to present our first annual summer edition of our prestigious international conference dedicated to the global content management community. Join us this August in Montreal, Canada, for a vendor-neutral conference focused on CMS. Tired of impersonal and overwhelming gatherings? Picture this event as a unique blend of masterclasses, insightful talks, interactive discussions, impactful learning sessions, and authentic networking opportunities. <img style="width:29.58%" src="https://cmscritic.com/ms-content/uploads/2024/01/cms-kickoff-2025-logo.png" /><h4 id="cms-kickoff-25"><a target="_blank" href="https://www.boye-co.com/conferences/cmskickoff25/tickets">CMS Kickoff 25</a></h4>January 14-15, 2025 – Tampa Bay Area, FloridaJoin us next January in the Tampa Bay area of Florida for the third annual CMS Kickoff – the industry's premier global event. Similar to a traditional kickoff, we reflect on recent trends and share stories from the frontlines. Additionally, we will delve into the current happenings and shed light on the future. Prepare for an unparalleled in-person CMS conference experience that will equip you to move things forward. This is an exclusive event – space is limited, so secure your tickets today.

Make Sure Your Vendors and Partners aren’t a Security Risk with Third-Party Security & Compliance Audits

nazy

<hr /> The digital transformation of <a target="_blank" href="https://cmscritic.com/what-is-a-content-management-system-cms">content management systems (CMS)</a> is accelerating, with AI capabilities becoming a significant differentiator among providers. Some CMS vendors are enhancing their platforms with ChatGPT add-ons, while <a target="_blank" href="https://cmscritic.com/kontent-ai-pioneers-native-ai-in-headless-cms-interview-with-vojtech-boril">others are weaving AI more intricately</a> into their technology stacks. A select few are even making AI the heart of their offerings. This diversity in AI integration presents a spectrum of challenges, particularly in terms of securing and maintaining the privacy of customer data.<h3 id="what-is-at-stake">What is at stake</h3>CMS platforms are the custodians of a wide array of data, from the mundane to the mission-critical. This data can include everything from public-facing content to sensitive internal documents detailing future product launches and marketing campaigns. The impact of a data breach originating from a CMS vendor can be severe, with the potential for significant financial and reputational damage.Data breaches are not only disruptive but also expensive. The average <a target="_blank" href="https://www.ibm.com/reports/data-breach">cost of a data breach</a> can be staggering, with public reports often calculating it in millions on affected organizations. Furthermore, CMSs are frequently tasked with processing data that is protected by various regulations, such as Protected Health Information (by HIPAA in the US) and financial information (by GLBA in the US, DORA in Europe, etc.). Personal data processing is a given, necessitating adherence to privacy laws like GDPR and CCPA.Regulatory frameworks mandate a set of controls to safeguard this data, and AI implementations within CMSs must meet these same stringent requirements. If AI functionalities are implemented incorrectly, they can lead to the mishandling of sensitive data, compliance issues, and even data leaks across customer accounts.<h3 id="how-to-address-the-challenges">How to address the challenges</h3>Despite the relative novelty of generative AI, there are already established standards and best practices that leading CMS vendors are adopting. The architecture of the AI solution is paramount; a well-designed architecture will prevent data leaks between customers and ensure at least logical data separation. Utilizing well-tested AI models and implementing AI governance on the vendor's side are also crucial steps.Frameworks such as the EU AI Act, capAI methodology, and the NIST AI Risk Management Framework provide guidance for responsible AI risk management. While specific "AI security certifications" do not exist yet, adherence to recognized security and privacy best practices, such as ISO/IEC 27001, 27017, 27018 certifications, GDPR compliance, SOC 2 Type 2 Report, and Cloud Security Alliance STAR registry, is indicative of a vendor's commitment to security.Transparency from vendors about their AI implementations and their approach to security and responsible AI development is essential, as is ensuring the privacy of data.<h3 id="what-kontent.ai-brings-to-the-table">What Kontent.ai brings to the table</h3><a target="_blank" href="https://kontent.ai/">Kontent.ai</a> is at the forefront of AI integration in the CMS market, being the first headless CMS vendor to natively incorporate AI capabilities. With a strong AI-powered feature set and a forward-looking AI roadmap, Kontent.ai leads the way in AI in content management.On the compliance side, the company's approach to AI governance is in line with the best practices of capAI and NIST AI RMF, and it ensures immediate compliance with the EU AI Act. Kontent.ai's security program is robust and certified by ISO/IEC 27001, 27017, and is audited regularly by Trust Services Criteria. To provide customers with assurance, Kontent.ai offers a suite of artifacts:<ul><li>SOC 2 Type 2 Report</li><li>Comprehensive OWASP penetration test reports</li><li>CSA STAR level 1</li><li>HECVAT</li><li>GDPR audit report</li></ul>These resources demonstrate Kontent.ai's commitment to security and governance, and the company requires its suppliers to adhere to the same high standards.For more information on Kontent.ai's commitment to trust and governance, visit <a target="_blank" href="https://kontent.ai/trust-and-governance/">https://kontent.ai/trust-and-governance/</a><h3 id="summary">Summary</h3>The integration of AI into CMS platforms is revolutionizing the way content is created, managed, and delivered. It's imperative to understand that AI implementations vary widely, and the security and privacy of customer data are paramount. Responsible and secure AI integration involves adhering to established best practices and regulatory standards, ensuring that AI offerings are not only innovative but also trustworthy.Kontent.ai exemplifies this approach by being the first headless CMS vendor to natively incorporate AI capabilities, adhering to best practices such as capAI and NIST AI RMF, and ensuring compliance with the EU AI Act. With a robust security program and a suite of assurance artifacts, Kontent.ai demonstrates its commitment to security and governance, setting a standard for responsible AI in CMS. As AI continues to shape the CMS landscape, it is crucial for vendors to prioritize the responsible use of AI to maintain the trust and confidence of their users.

Not Every AI is the Same: A Guide to Responsible and Secure AI in CMS

matej

Another day, another episode of the cybersecurity blues. And once again, WordPress has a starring role.
According to <a href="https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites/" target="_blank" rel="noopener">Bleeping Computer</a>, a previously unknown Linux malware is exploiting over 30 vulnerabilities in outdated WordPress plugins and themes to inject malicious JavaScript.
The malware targets both 32-bit and 64-bit Linux systems. The trojan’s main functionality is to hack WordPress sites using a set of hardcoded exploits until one is successful. The operator would then have remote command capabilities.
WordPress <a href="https://www.searchenginejournal.com/cms-market-share-june-2022/455912/#close" target="_blank" rel="noopener">holds the largest share</a> of the global CMS market, with an estimated 43% of all websites powered by the open source platform. This makes it a big target for hackers, bad actors, and cybersecurity threats – and this is only the latest in a string of complex and nefarious attacks.
<h2>Using plugins and themes to control WordPress websites</h2>
There’s always a risk that any WordPress widget could be a ticking timebomb.
In 2022 alone, researchers <a href="https://siliconangle.com/2022/08/29/researchers-find-malicious-plugins-25000-wordpress-sites/" target="_blank" rel="noopener">found malicious plugins</a> installed on over 25,000 WordPress websites. In most cases, the plugins were procured through legitimate marketplaces. Once added to a website, malware was injected by exploiting a vulnerability – much like this new Linux threat.
Thousands of WordPress websites may be affected by this threat. According to <a href="https://www.scmagazine.com/brief/vulnerability-management/many-wordpress-plugin-flaws-leveraged-by-novel-linux-malware" target="_blank" rel="noopener">SC Media</a>, once attacked, an infected site may be used for phishing and <a href="https://www.imperva.com/learn/application-security/malvertising/" target="_blank" rel="noopener">malvertising</a> campaigns, as well as malware distribution initiatives.
It’s worth checking your WordPress instances to see if any of these affected plugins are in use:
<ul>
<li>WP Live Chat Support Plugin</li>
<li>WordPress – Yuzo Related Posts</li>
<li>Yellow Pencil Visual Theme Customizer Plugin</li>
<li>Easysmtp</li>
<li>WP GDPR Compliance Plugin</li>
<li>Newspaper Theme on WordPress Access Control (CVE-2016-10972)</li>
<li>Thim Core</li>
<li>Google Code Inserter</li>
<li>Total Donations Plugin</li>
<li>Post Custom Templates Lite</li>
<li>WP Quick Booking Manager</li>
<li>Facebook Live Chat by Zotabox</li>
<li>Blog Designer WordPress Plugin</li>
<li>WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)</li>
<li>WP-Matomo Integration (WP-Piwik)</li>
<li>WordPress ND Shortcodes For Visual Composer</li>
<li>WP Live Chat</li>
<li>Coming Soon Page and Maintenance Mode</li>
<li>Hybrid</li>
</ul>
<h2>Combatting an evolving landscape of security threats</h2>
With hundreds of millions of active websites across the globe, hackers are having a field day.
According to <a href="https://www.securitymagazine.com/articles/98695-leading-cyber-risks-and-trends-in-2022" target="_blank" rel="noopener">Security Magazine</a>, cyberattacks are on the rise and becoming more sophisticated by the day. Among the top threats in 2022, malware led the pack, representing the highest cost of damage to organizations.  
WordPress, as mentioned, continues to be a growing vector. Case in point: <a href="https://thehackernews.com/2022/12/new-gotrim-botnet-attempting-to-break.html" target="_blank" rel="noopener">The Hacker News recently reported</a> on another <a href="https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites" target="_blank" rel="noopener">Go Trim botnet attack</a> that targeted WordPress website administrator accounts. Botnet malware has the capability to bypass traditional anti-bot protections, making sites even more vulnerable to the standard bot-evasion techniques.
But all is not lost. WordPress CMS administrators can fight back by adopting solid policies around their security practices. By vetting all plugin source code via an experienced DevSecOps team, many vulnerabilities can be uncovered before a plugin is pushed to production. This can augment strong password policies and the use of multi-factor authentication to reduce the surface area for would-be attackers.
WordPress websites can also be hosted in more secure environments like <a href="https://www.cmscritic.com/wp-engine-releases-worlds-first-study-of-the-wordpress-economy-cites-awe-inspiring-numbers/">WP Engine</a>, which disallow certain plugins and themes due to security or performance issues.

New Linux Malware Targets Plugins to Backdoor WordPress CMS Websites

mk-patterson

Ask anyone at <a href="https://www.cmscritic.com/aws-joins-mach-alliance-as-enabler-member-reflects-growth-of-cloud-native-solutions/">AWS</a> about the importance of security, and they're likely to say it's  "job zero" – and for good reason.
Unless you've been living under a rock, you probably know that cybersecurity threats and data breaches are on the rise, reaching epic proportions last year. According to <a href="https://www.sonicwall.com/news/sonicwall-the-year-of-ransomware-continues-with-unprecedented-late-summer-surge/" target="_blank" rel="noopener">SonicWall,</a> a leading security provider, there were nearly 500 million ransomware attacks through September 2021, with a staggering 1,748 attempted attacks per organization.
That's equivalent to a single business receiving 9.7 ransomware attempts every day. Yikes.
While many software platforms have embraced security standards in an effort to validate their trust, not all content management systems (CMS) have invested in these credentials. However, as more CMS platforms move to SaaS delivery and enterprise self-service, security is becoming a more pressing issue than ever before.
While new benchmarks for security compliance continue to emerge, the International Organization for Standardization – <a href="https://www.iso.org/home.html" target="_blank" rel="noopener">also known as ISO</a> – has long been an institution for normalizing critical business practices and product requirements. Along with providing a heightened degree of technical governance around key information security requirements, ISO's 27001 certification might offer a new model for CMS platforms to project a more secure posture across global markets.
To that end, <a href="https://www.storyblok.com/" target="_blank" rel="noopener">Storyblok</a> – an enterprise headless CMS that enables developers and marketers to deliver powerful content experiences on any digital platform – recently announced that it had received <a href="https://www.certipedia.com/quality_marks/9000020037?locale=en&amp;certificate_number=01+153+2100668" target="_blank" rel="noopener">ISO 27001 certification</a> from TÜV Rheinland, an independent third party. This critical certification verifies that all of Storyblok’s products, operations, support processes, and data storage protocols meet the highest international security standards when it comes to managing information security. 
To understand more about how users view their CMS security, Storyblok surveyed 530 professionals who personally use a CMS in the United States, UK, Germany, Sweden, and the Netherlands. We had a chance to chat with <a href="https://www.linkedin.com/in/sgierlinger/" target="_blank" rel="noopener">Sebastian Gierlinger</a>, VP of Engineering at Storyblok, about the data they received from the survey – as well as some of his insights on the headless CMS market. You can read our Q&amp;A below. 
<h2>Understanding the perception of security for CMS users</h2>
If you don't already know from personal experience (and we hope you don't), security problems can be very expensive for enterprises – and in some cases, even sink a business. 
In a report called <a href="https://www.forrester.com/report/The-Four-Tenets-Of-SaaS-Application-Security-And-Protection/RES165119" target="_blank" rel="noopener">The Four Tenets Of SaaS Application Security And Protection</a>, analyst firm Forrester said: “Losing data in a SaaS application because of insufficient data protection is every CISO’s and compliance officer’s nightmare. Mitigation costs can exceed $3 million to $3.5 million per incident — and that’s a conservative estimate.”
Once again, we'll insert a yikes for dramatic purposes. 
Storyblok conducted its survey to better understand the collective psyche of CMS users as it relates to security. The results were quite revealing and reflect the elevated concern felt across software markets. Here are a few of the most telling data points gleaned from respondents:
<ul>
<li>64.3% worry about the security of their CMS</li>
<li>80% said security is extremely important or very important to them when choosing a CMS</li>
<li>More than half (55.5%) said their CMS has new security issues on a monthly, weekly, or daily basis</li>
<li>46.4% had a CMS security issue affect their content</li>
<li>21.7% conduct security updates 5-9 times per month</li>
</ul>
<h2>The rise of headless and the impact on CMS security</h2>
There's no question that <a href="https://www.cmscritic.com/top-free-headless-cms-platforms/">headless</a> has been powering the energy in the CMS market for the last few years. More businesses are making the move from traditional monolithic platforms to decoupled systems that provide greater agility with API-first architectures. This has been reflected in the rapid rise of composable solutions and <a href="https://www.cmscritic.com/mach-alliance-releases-study-on-adoption-of-mach-technologies-by-tech-leaders-qa-with-sonja-keerl/">MACH</a> (Microservices, APIs, Cloud-first SaaS, Headless) architectures – and the proliferation of the <a href="https://www.cmscritic.com/mach-alliance-releases-study-on-adoption-of-mach-technologies-by-tech-leaders-qa-with-sonja-keerl/">MACH Alliance</a>. 
There are many advantages to using a headless CMS. While they don't provide the same backend rendering capabilities as a traditional CMS, they do offer more flexibility, scalability, and ease of use. But there's also one key advantage of headless that is often overlooked: security. By maintaining a separated frontend and backend, a headless architecture is much less susceptible to security threats like distributed denial of service (DDoS) attacks.
To learn more about Storyblok’s commitment to the highest standards of security, visit its <a href="https://www.storyblok.com/trust-center" target="_blank" rel="noopener">Trust Center.</a>
<h2>Q&amp;A with Sebastian Gierlinger, VP of Engineering at Storyblok</h2>
CMS Critic had an opportunity to connect recently with Sebastian Gierlinger. He shared some of his views on the headless CMS market, particularly around security, as well as the rise of MACH. 
As Gierlinger noted in the company's press release, “Traditional CMSs have a bad reputation for the security headaches they cause, and for a good reason. Getting the ISO 27001 certification was especially important to us because it ensures that any enterprise using Storyblok to share their content with the world is doing so on the most secure, enterprise-grade headless CMS available on the market.”
<hr />
CMS Critic (CC): Where are the top security advantages with a headless CMS versus traditional?
Sebastian Gierlinger (SG): Generally speaking, Headless CMS reduces the exposure of infrastructure that’s front-facing. This reduces the surface of potential attacks. In addition, the hosting infrastructure of a Headless CMS is less complex compared to a traditional CMS.
<hr />
CC: The headless CMS market is growing, but so too are the platform options. How important is the ISO certification to differentiating across an expanding field of competitive players?
SG: Security is a major concern for many enterprises, and the ISO certification of Storyblok recognized that all our products, operations, support processes, and data storage protocols meet the highest standards. Customers do expect best-in-class security, and we believe that Storyblok’s ISO certification provides more proof that we deeply care about the modern enterprise tech stack and making it as secure as possible.
<hr />
CC: How is infrastructure (ie, Cloud) playing into the overall security posture for CMS users – particularly with headless?
SG: A headless CMS is built on top of a best-of-breed approach that sits on cloud infrastructure solutions. While on-premise hosting has been the default situation up until recently (a few years ago), we would argue that cloud infrastructure tends to be more secure as it comes with security resources, 24/7 support, and uptime guarantees. With those things in place, there’s hardly anything that could really go wrong. Sure, cloud infrastructure isn’t 100% safe from security attacks or other issues; however, the likelihood of an AWS outage tends to be much smaller than that of an on-premise infrastructure managed by you and your team.
<hr />
CC: How specifically is the ISO certification reinforcing trust for Storyblok? Are there specific tenants of the ISO standards that were challenging to meet – but now provide heightened security that other platforms aren’t able to meet?
SG: During the ISO certification process, we did not apply for any exemptions in the statement of applicability (SoA) and met all specific requirements right away. 
We are really proud that the ISO certification covers the entire operation, maintenance, and development of Storyblok’s CMS and all related services. In order to fulfill those requirements, we had to make sure that Storyblok establishes secure processes and standards in all departments across the organization.
<hr />
CC: On the same topic: how is the ISO certification supporting Storyblok’s global growth strategy? Do you foresee this as an opportunity to grow your customer base in other markets where the ISO certification is preferred or even required?
SG: We do see existing and potential customers in all regions requesting security standards that are now being met with the ISO 27001 certification. Also, leading analyst firms reassured us that ISO 27001 certification is a top priority amongst many enterprises. Other security certifications can be mapped and fulfilled with ISO 27001.
Overall, ISO 27001 is definitely an important requirement in many European countries; however, we also see US-based companies requesting this certification.
<hr />
CC: As of late, there’s been increased attention around MACH. We see that you are a member of the MACH Alliance – can you talk about the importance of being an open, best-of-breed technology in this ecosystem? Is this proving to be a differentiator?
SG: The MACH principles provide an innovative solution for creating and launching the modern enterprise tech architecture and building new experiences quickly and efficiently. Additionally, as the MACH principles adhere to the best-of-breed approach, organizations can easily add and replace tools as needed, unlike in monolithic structures.
Due to working with structured or atomic content, the way in which content moves within its ecosystem has been radically transformed. 
Content creators are now decoupled from developers due to CMS platforms, giving them the freedom to power on without leaning on developers for minuscule changes or edits. Simply put, the way we work has evolved along with our technology.
Overall, we believe that the MACH principles are becoming the standard way that the modern enterprise stack should look like. And with the MACH Alliance, we've found a group that tells this story on a global scale.
<h2>About Storyblok</h2>
Storyblok is an enterprise headless CMS that enables developers and marketers to deliver powerful content experiences on any digital platform. Developers create flexible components that are independently managed by content teams through a collaborative visual editor and customizable workflow. Published content is delivered through an API, so changes are made once and will appear everywhere: websites, mobile, IoT, the metaverse, and beyond. This approach reduces maintenance and makes content management more efficient. Leading brands such as Adidas, Pizza Hut, and Marc O’Polo use Storyblok to manage and share their content with the world. Storyblok was named the #1 CMS for 2022 by G2.
For more information, visit <a href="https://www.storyblok.com/" target="_blank" rel="noopener">https://www.storyblok.com</a> and follow Storyblok on <a href="https://www.linkedin.com/company/storyblok" target="_blank" rel="noopener">LinkedIn</a> and <a href="https://www.twitter.com/storyblok" target="_blank" rel="noopener">Twitter</a>.

Storyblok Earns ISO 27001 Certification for Secure, Enterprise-grade Headless CMS: Q&A with Sebastian Gierlinger

paris-tuzun

Storyblock featured image of ISO 27001 logo with Storyblok logo icon and headshot of Sebastian Gierlinger

Shopify - The global commerce platform

Build your business with Shopify to sell online, offline, and everywhere in between.

The global commerce platform

#ffffff

Explore a wide range of informative articles on cybersecurity, insights, and industry updates. Stay informed and ahead of the curve with our diverse collection of news and posts covering the latest trends and developments in the industry