Members started calling to complain that they were getting a message “Your connection to this site is not secure” when they visited the association’s website. It grew to a storm of complaints, but it was the report from a major donor threatening to cut off funding because they had received a routine security scan report that showed the website was not secure that led to action. An angry board meeting quickly followed. Something had to be done, and it fell on the head of marketing and communications to fix it, and fast.
It seemed like an easy fix – just get the hosting company to update the Secure Certificate on the website. (It used to be that a simple secure certificate, or SSL, was what you needed. But now the industry standard is the Transport Layer Security, or TLS. The most current version of TLS was defined in August 2018, but for now the accepted standard is still TLS 1.2.)
Is it enough to just install TLS 1.2 and be done with it? No, TLS 1.2 may not be compatible with the underlying software that makes up your website. The hosting company reported that in order to install a TLS 1.2 certificate, you would need to upgrade the software running the website. And that could take weeks. By that time, the zombies will have taken over.
In this case, the problem was that the organization had not updated their CMS in years. They were running the popular Kentico version 6, and Kentico 6 is not compatible with TLS (Kentico 12 is the most current version.) Like most software products, there are layers of other components used to create the product. The Kentico product is built on Microsoft .NET framework and in sticking with an old version of Kentico, this organization was also sticking with the underlying software that was woefully out of date and not supported by the related vendors who developed the software. Kentico no longer officially supports any version prior to version 10.
Trick or Treat!
Of course, the association never budgeted for maintenance related to the website software. All of the support funds go to content and design changes throughout the year. Any upgrades to Kentico or any other underlying software would have to be funded from a new source. While saving money, the association put itself in the unfortunate position of not staying current. It is a lot like not having enough candy when the trick-or-treaters come around. Now the upgrade is not a quick fix. Upgrading to the most current version of all the software could be quite extensive, and expensive.
Baby Steps or One Big Step?
Should the association upgrade from Kentico 6 to version 7, then to version 8, then to version 9 et cetera to get to the least disruptive and least costly upgrade that is still supported and compatible with TLS 1.2? Or is it better to just bite the bullet and upgrade to Kentico 11 or 12 in one big step?
The problem with letting your software fall this far out of maintenance is that leaping five versions forward is likely to cause everything to break. It is unlikely that a big step forward will work due to the changes and underlying software updates, as well as the impact on third-party applications.
Upgrading in baby steps is not particularly enticing either – essentially they would be upgrading five times, one after another. That is the most expensive approach and likely to cause the most headaches.
Is There a Good Answer?
The marketing and communications chief felt that just switching to a different platform was the most logical answer and chose a popular inexpensive solution – just switch to WordPress! Unfortunately, she did not think through the functionality that led to the selection of the full-featured Kentico CMS in the first place. Switching to WordPress guaranteed that the support team would need to learn a new platform, but the loss of features for marketing to the association’s members was a loss that had a real impact on the organization’s ability to communicate and track member engagement through analytics. With WordPress, the association was left with Google Analytics and while that is not such a terrible result, it has none of the marketing automation features that led to choosing Kentico when version 6 was the current version.
As it turns out, the cost of upgrading the entire site from version 6 to version 11 wasn’t such a big deal after all. The cost of the upgrade was well worth the peace of mind that the website was secure, and that member data was well protected. Comparing the cost of redoing the entire website on a new platform, including changing the connectors for the third-party APIs and integrations, retraining the staff, dealing with design tweaks, and considering new functions that would need to be provided by another method, the upgrade turned out to be the least costly answer.
The marketing and communications chief now budgets for upgrades of the software every year and there are no more skeletons in the closet. The moral of the story is that a website runs on software and that software needs to be kept up to date along with everything else. While it might be OK to not upgrade every year, skipping versions will eventually catch up to you. In this case, the site really was at risk because of security problems.