Five questions every organisation should ask their web supplier about security

When commissioning a new website, design and functionality tend to dominate the conversation. Security often sits further down the list, until something goes wrong. By then, it’s too late.

Cybersecurity isn’t just a technical detail. It’s about protecting your users’ trust, safeguarding sensitive data, and ensuring business continuity. A secure website isn’t optional. It’s essential.

Yet many organisations don’t feel equipped to challenge suppliers on security. The language can feel opaque. The assurances vague. That’s why it helps to have a clear set of questions that cut through the jargon and get to the heart of how your site will be protected.

Here are five questions every organisation should ask before they sign off on a new web build.

1. How do you keep the platform and plugins secure?

Out-of-date content management systems and plugins are among the most common entry points for attackers. Ask your supplier how they monitor vulnerabilities, apply updates, and test compatibility. A robust process here is non-negotiable.

2. What’s your approach to data protection?

From newsletter sign-up forms to booking systems, your website will handle personal data. Your supplier should explain how data is stored, encrypted, and transmitted, and how their approach aligns with GDPR and wider regulations. Vague assurances aren’t enough.

3. Who is responsible for hosting, firewalls, and penetration testing?

A secure website isn’t just about code; it depends on the infrastructure behind it. Ask about hosting environments, firewalls, SSL/TLS certificates, and backup routines. Regular, tested backups mean you can recover quickly if the worst happens.

Many web design agencies don’t directly manage hosting. Even so, they are responsible for helping you choose a host that does the work of securing servers, applying patches, managing firewalls, and carrying out penetration testing. In some cases, the web company may provide or manage these services themselves. Either way, someone must be clearly accountable, and your agency should make sure responsibilities are defined and evidenced.

4. How will you monitor and respond to threats, and what happens if something goes wrong?

Good suppliers don’t launch and walk away. They put monitoring in place to detect suspicious activity and have a clear incident-response plan. Ask how alerts are handled, how quickly action can be taken, and what you should expect in terms of communication and hosting SLAs. No system is invulnerable; what matters is speed, transparency and recovery.

5. How do you embed security into the design process?

Security isn’t only about servers and firewalls; it starts with how your site is planned and built. Ask whether they consider things like user permissions, secure development practices, and data minimisation from the outset. Security built in from day one is far stronger than security bolted on later.

Asking the right questions builds confidence

Security can feel like a specialist subject. But you don’t need to be an expert in encryption or firewalls to have an informed conversation. By asking straightforward questions, you set the tone: security matters, and you expect clarity, not jargon.

Planning a new website? 

We can help you shape the right brief, ask the right questions, and select a supplier who takes security as seriously as you do.

Schedule an initial conversation: hello@path.ie

Path

We are a strategic design company that creates user-focused services and simplifies complex systems for effortless use.
