Background
Time-to-detect for SME breaches is measured in weeks or months, mostly because nobody's watching. If your website doesn't log meaningful events, and nobody's reading the logs, an attacker has the run of the place until something visibly breaks.
Questions to ask yourself
- Does our website log security-relevant events?
- Does anyone read those logs?
- Are we alerted automatically on obvious anomalies?
- Are logs stored somewhere an attacker can't reach?
For owners — questions to ask your developer
Questions to ask your developer
You don't need a SIEM. You need someone reading the right thing.
- 01“What security-relevant events do we log — authentication, admin actions, errors, bulk data exports? Where do those logs go?”
- 02“Who reads them? On what cadence? When was the last alert anyone acted on?”
- 03“Are logs stored off-server, so an attacker who gets in can't wipe them?”