Cloudbusting

Here we look at website security and consider the benefits of moving over to Umbraco Cloud.

According to the Government’s Cyber Security Breaches Survey 2025, just over four in ten businesses (43%) and three in ten charities (30%) reported having experienced any kind of cyber security breach or attack in the last 12 months. This equates to approximately 612,000 UK businesses and 61,000 UK charities that identified a cyber breach or attack in the past year. 

This shows how prevalent cyber attacks are and how ‘under attack’ all businesses are. We also know, from talking to clients, that having a website that is as secure as possible is a major concern, so keeping it up to date and patched is absolutely vital.

In our most recent blog, we compared Composable DXPs and Monolithic Suites and, again, the way each operates can affect how you approach security. For example, with a Monolithic Suite, everything is rolled into one system ‘on the web’, including all your business functions, such as email campaigns and content management, so security updates are easier to perform.

With a Composable DXP, your business functions are essentially ‘locked away’ and your website only deals with the data it needs to function, such as personalisation. It doesn’t need to hold customer data and payment history, for instance. As you are ultimately using ‘best in breed’ systems, you will benefit from their high-level focus on security.

At Lake Solutions, we are proud to be an Umbraco Silver Partner and, if you use Umbraco Cloud, you’ll find that security is given high priority compared with managing your own hosted CMS infrastructure.

Umbraco Cloud runs on Microsoft Azure and uses Cloudflare for network-level protection. This means your site benefits from enterprise-grade safeguards, such as Transport Layer Security (TLS) encryption, firewalls and Azure’s infrastructure security, without you having to configure or maintain them yourself. 

All Umbraco Cloud websites use HTTPS by default. Both the default and custom domains are protected by periodically renewed certificates issued by Cloudflare, and this service is offered as part of Umbraco Cloud for all plans. In addition, Cloudflare-powered protection can help block common attacks, like DDoS, SQL injection or cross-site scripting (XSS).

Umbraco Cloud also applies automatic CMS updates, security fixes and patches, and provides automatic backups with point-in-time restore, so you can recover quickly from unexpected issues.

All of this means you don’t have to manually manage OS patching, TLS certificate renewal, firewall rules or infrastructure hardening, as Umbraco Cloud handles that as part of the service. This results in fewer gaps and human errors, improved compliance and faster, safer deployments. 

Any automated upgrades and patches from Umbraco Cloud only happen on a Tuesday, when everything that needs doing is bundled together. That said, security updates are often released on that day largely because of a mix of history, practicality and industry coordination, not because Tuesday is inherently more secure. For example, Microsoft started ‘Patch Tuesday’ in 2003, with security updates released on the second Tuesday of each month. Once Microsoft did this, much of the tech industry aligned around the same schedule.

But why Tuesday? If you look at an IT department’s week, Monday is typically spent dealing with weekend outages and planning the week, while Friday is risky: if an update breaks something, teams may have to work over the weekend. In theory, Tuesday is early enough in the week to sort out any glitches and avoid panic-driven patching.

However, Tuesday is really just guidance and not set in stone. If your website is hacked, then you’ll want that issue sorted out quickly. Nowadays, security researchers will often find security risks before they fall into the hands of somebody with malicious intent. Then, if patching is always done on a Tuesday, it reduces the window hackers have to reverse engineer the fix.

Looking again at typical Composable DXPs, having these multiple systems, albeit best in breed, can cause challenges, as log-ins to the email system, Office 365, CRM etc. can sit with multiple different team members. We’ve probably all had the experience of trying to log into a system at work, only to discover that the log-in credentials were set a while ago by a colleague who has now left the organisation or is on annual leave… It’s not ideal and certainly not sensible when it comes to security. At this point, it’s useful to know that Umbraco Cloud has single sign-on, eliminating the need for multiple means of authentication.

It’s possible to use tooling to reduce the security footprint by, for example, removing form data after a set period of time. Within the CMS, we can also operate role-based security to limit the data that individuals can see and the sections of your website they can alter.

Generally, while Umbraco offers a Composable DXP, it is not a collection of plug-ins from unknown sources, and this reduces the surface area for potential attacks. In addition, Umbraco Cloud manages the security certificates and offers protection against denial-of-service attacks, where sites are flooded with fake traffic so that real customers can’t use your service.

If you’d like to talk further about how Umbraco Cloud can benefit your security, call us at Lake Solutions on: 020 3397 3222.