APRA Recommendations for website security


Cybersecurity is non-negotiable for websites, and if you're operating in Australia, there's no shortage of guidance available to fortify your online assets. While the Australian Government's "Essential 8" focuses broadly on workplace security, the Australian Prudential Regulation Authority (APRA) offers a more specific Information Security Manual (ISM) which contains numerous recommendations applicable to business websites.

Why Website Security Matters

When your business operates a website or web application, you're not just managing content; you're also responsible for safeguarding data. Inadequate security measures expose you to risks like data breaches, malware, DDoS attacks, and reputational damage. It is incumbent on company executives and operational staff to implement these recommendations to minimise their risk and liability in the event of a security breach.

APRA’s ISM: Tailored for Websites

APRA's ISM guidelines are particularly insightful. Here are key recommendations for websites and why you should consider them:

Network Traffic and Anonymity (ISM-1627, ISM-1628)

Blocking traffic to and from anonymity networks makes it harder for malicious actors to hide their origin. This improves accountability and reduces the volume of hostile traffic reaching your site.

Cloud Service Providers (ISM-1437)

APRA advises the use of cloud service providers for hosting online services. By leveraging the cloud, you can benefit from robust security measures that often outclass on-premises solutions.

Content Delivery Network (ISM-1438)

A CDN isn’t just for speed; it’s also for security. A CDN can filter out malicious traffic and thus provide an additional layer of security.

Origin Exposure and DDoS Mitigation (ISM-1439)

Keeping the origin IP address hidden and relying on a cloud provider for DDoS mitigation keeps your primary server out of the direct line of fire: attack traffic is absorbed across a distributed network rather than reaching the origin.

Data Encryption (ISM-1781, ISM-1139)

Encrypt all data in transit over the network and allow only the latest version of TLS, so that data cannot be read or altered on its way to and from your site.

Logging and Auditing (ISM-261, ISM-580, ISM-0585, ISM-1661)

Maintaining comprehensive logs is vital for tracking activities and identifying irregular patterns. Your logs should be detailed and periodically audited.
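The origin-hiding, TLS and logging recommendations above have a concrete origin-side shape. The following is an added example (not code from the original post or from Peakhour) showing three controls an origin behind a CDN/WAF would apply: refusing connections that bypass the edge, believing X-Forwarded-For only from those edges when recording the client address for logs, and pinning the origin listener to TLS 1.3. The edge ranges are constructed placeholders from the RFC 5737 documentation networks.

```python
"""Origin-side controls for a site fronted by a CDN / WAF (added example,
not the post's or Peakhour's code). Edge ranges below are constructed
placeholders using RFC 5737 documentation networks."""
import ipaddress
import ssl
from typing import Optional, Tuple

# Constructed placeholder list; replace with your CDN's published edge ranges.
TRUSTED_EDGE_NETWORKS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def is_trusted_edge(remote_addr: str) -> bool:
    """True if the TCP peer address belongs to a CDN edge range."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_EDGE_NETWORKS)


def admit_request(remote_addr: str,
                  x_forwarded_for: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Return (serve_request, client_ip_for_access_log).

    A peer outside the edge ranges has bypassed the CDN and WAF, so the
    origin refuses it. X-Forwarded-For is believed only from a trusted
    edge, and only its right-most entry, which is the address the edge
    itself appended; earlier entries are under the client's control.
    """
    if not is_trusted_edge(remote_addr):
        return False, None
    if not x_forwarded_for:
        return True, remote_addr
    candidate = x_forwarded_for.split(",")[-1].strip()
    try:
        return True, str(ipaddress.ip_address(candidate))
    except ValueError:
        return True, remote_addr  # malformed header: log the edge address


def origin_tls_context() -> ssl.SSLContext:
    """Server context that negotiates TLS 1.3 only; call
    ctx.load_cert_chain(cert, key) on it at deploy time."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx
```

Pair the application-level check with a host firewall rule that only admits the same edge ranges, so a bypass attempt is dropped before it reaches the web server at all.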

Web Application Firewall (WAF) (ISM-1240, ISM-1490, ISM-1509, ISM-1657)

A WAF is essential for monitoring and filtering incoming traffic, enabling you to block harmful requests.

Backup and Configuration (ISM-1511)

Back up your data, website, and configurations and store them securely, preferably in a version-controlled environment like Git.

HTTPS and SSL (ISM-1277, ISM-1552)

SSL certificates and HTTPS should be a standard for all web content. This safeguards data integrity and user confidentiality.

Scaling and Monitoring (ISM-1579, ISM-1581)

Ensure your website can scale during demand spikes and that you have real-time monitoring for both capacity and availability.

Virtual Patching and Antivirus Scanning (ISM-1690, ISM-1288, ISM-1694)

Virtual patching and antivirus scanning fortify your website against new vulnerabilities and malware.

Content Types (ISM-0649)

Allow only explicitly approved content types to be served or executed. Restricting them reduces the risk of malicious content affecting your website.


Incorporating APRA's ISM recommendations into your cybersecurity strategy makes your website resilient against various forms of cyberattack. Don't treat these as mere guidelines; view them as essential practices for robust website security.

Coincidentally, Peakhour helps you address every single recommendation in the list, and best of all, we're Australian owned and based. Reach out if you need help securing your website.


© PEAKHOUR.IO PTY LTD 2024   ABN 76 619 930 826    All rights reserved.