Category: Banking website

12 Tips on choosing the right marketing team for your secure web project

December 1st, 2011 by matmoninternet | in: Banking website, Resource Blog, Website Development

We recently blogged about secure domains and how to assess whether or not your web project requires one. This article will give you tips on how to choose a marketing agency that will be able to provide you with a business environment that is truly secure. It is really important to evaluate and choose your team wisely; realizing your team could be a liability when the project has already started can be costly and risky.

Not all web development is created equal

When choosing the team that will develop your web presence, cost should not be the primary factor. Spending what is necessary at an early stage can help you save in the long run. Likewise, web development and web security should not be an afterthought.

Here are a few things to look for in your web design or marketing vendor:

  1. They should be highly experienced at producing quality and secure code. This is a professional’s job and amateurs shouldn’t be trusted with such a crucial part of the project.
  2. They should be familiar with the most common exploits (bugs or glitches in your system that hackers use to their advantage to invade your domain) used to gain unauthorized access to your data.
  3. They should be familiar with code auditing tools. If the code fails the audit, they should be able to understand why and fix the issue quickly.
  4. They should be familiar with passing audits of their hosting infrastructure. For this, your team should have total control over the infrastructure, or at least, a good relationship with the hosting provider.
  5. They should be accountable for issues that are raised under future audits. Indeed, new exploits are discovered on a continuing basis and no code is 100% protected. For this reason, you need a solid ongoing relationship with your vendor. You also need to be sure that if a new exploit is found during a future audit, your vendor will be aware of it and be able to address the issues immediately.

Tips for choosing the right marketing team for your secure web development project

  1. Third-party auditor. If you do not have one, hire one; you should not rely solely on your marketing agency for your security audit. The auditor should scan the site as often as possible during the pre-deployment phase.
  2. Investigate common exploits and ask your vendor how they plan to defend against them. They should know what SQL injection is and be familiar with cross-site scripting. A good question to ask the team is how they would prevent common exploits from being introduced in your site’s code. If they do not have a well-reasoned answer, we advise you to look elsewhere.
  3. The team’s experience. They should have been developing web software for quite a while and be familiar with security audits. If you give your prospective web team an example report from an auditing company, they should understand how to solve the issues raised by the audit and apply the solutions to your business or domain.
  4. The hosting environment. If it is not hosted in-house, a good relationship with the hosting provider is essential. It should preferably be hosted on a machine dedicated to your domain that hosts no other clients and that isn’t being used to develop code. It is also preferable that your team has complete control over the machine and that they personally administer it. Ask where the server environment is located, what operating system is in place and what applications will be running your code. Finally, it is also important to know how often the server is patched, what firewall is in place, and how it’s managed.
  5. Ask if the web team is dedicated to your project. Depending on who you’re dealing with, the web team and marketing vendor can be in the same agency, but it may happen that the web team is outsourced on a project-by-project basis. This is very common, especially if you’re working with a traditional marketing agency. If this is the case, you do not want to wait to find out if they will work well together; it is better to pick teams that have already collaborated on web projects. Keep in mind that advertising agencies outsourcing web development may pose a problem when it comes to accountability. Having a web team made up of employees of the firm makes it easier to build a trusting relationship with the developers, and improves turnaround on addressing issues, especially those that may arise after the site is in production.
  6. Direct access to website developers. Developer access is essential to quickly diagnose problems that need immediate attention. Therefore, domain security experts and auditors for your business need to be able to access the developers to discuss the issues that have presented themselves.
  7. Talk about the future. It is recommended that you have agreements with your vendor for support after the website is live, and make sure both you and the vendor are comfortable with the ongoing arrangement before work begins.

Designing and developing a secure banking website

October 18th, 2011 by Vicky Becart | in: Banking website, Resource Blog, Website Development

Some web projects require a higher level of security than others. Making the right decision about your website development is even more important in this case, as not only your security, but also that of your customers could be put in jeopardy by making the wrong choices.

Is security a primary concern for your web project?

Handling of sensitive information: banks, hospitals, law enforcement

Secure business domains are required for organizations whose data is highly sensitive, or who may be of interest to those who are not authorized to view it. The most obvious example of a company needing a secure domain is a bank, which stores account numbers, credit card information and personal financial data on all of its customers. Hospitals and law enforcement agencies also need secure domains as they store highly sensitive personal information on their customers. Fortunately for the customers, there are rules and standards that regulate the privacy of data.

There are two main standards that regulate secure business domains. The first one is the Payment Card Industry Data Security Standard (PCI DSS), a multifaceted security standard that includes requirements for any business that stores, processes or transmits payment cardholder data; these organizations must follow the standard. The PCI DSS standard is intended to help organizations proactively protect their customers’ credit card information.

The second one is the Health Insurance Portability and Accountability Act (HIPAA). It is similar to PCI DSS except that instead of protecting payment card information, it protects patient data. Its rules specify a series of administrative, physical and technical safeguards to assure the integrity, confidentiality and availability of electronically protected patient health data. Any health care organization located in the United States that handles patient information is required to follow the HIPAA regulation.

Recent breaches

In the past few months, there have been several high-profile security breaches. In August, the group of hackers known as “Anonymous” hacked more than 70 websites belonging to law enforcement agencies in Arkansas, Kansas, Louisiana, Missouri, and Mississippi. Anonymous stole more than 10GB of user data including names, email addresses, credit card information and some sensitive personal information. Many of the websites hacked were registered to the same marketing agency. The hackers chose that particular agency because they had noticed a breach in the security system that allowed them to easily steal the information.

Another high-profile breach was the Citigroup attack, where hackers accessed the information of 200,000 bank accounts. The attack happened at Citi Account Online, which holds Citi customers’ information such as names, email addresses and account numbers. The hackers explained that they simply logged in to the site reserved for credit card customers, and then modified the URL in the browser’s address bar to access other customers’ accounts.
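The class of flaw described above (a logged-in user changing an identifier in the URL) comes down to a missing ownership check on the server. The following is an added illustration, not code from the original post or from any real banking site; the account records, the `account` URL parameter and all function names are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample records; the names and the "account" URL parameter are
# assumptions for illustration, not details of any real banking site.
ACCOUNTS = {
    "1001": {"owner": "alice", "email": "alice@example.test"},
    "1002": {"owner": "bob", "email": "bob@example.test"},
}

class Forbidden(Exception):
    """Raised when the request must be refused."""

def account_id_from_url(url):
    """Extract exactly one numeric account id from the query string."""
    ids = parse_qs(urlparse(url).query).get("account", [])
    if len(ids) != 1 or not ids[0].isdigit():
        raise ValueError("malformed account parameter")
    return ids[0]

def view_account_unchecked(session_user, url):
    """Weak handler: any logged-in user gets whichever record the URL names."""
    if session_user is None:
        raise Forbidden("login required")
    return ACCOUNTS[account_id_from_url(url)]

def view_account_checked(session_user, url, audit_log):
    """Hardened handler: the record must belong to the logged-in user."""
    if session_user is None:
        raise Forbidden("login required")
    account_id = account_id_from_url(url)
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        # Same refusal for missing and foreign accounts, so responses do not
        # reveal which ids exist; the attempt is recorded for review.
        audit_log.append((session_user, account_id))
        raise Forbidden("account not available")
    return record

if __name__ == "__main__":
    log = []
    url = "https://bank.example.test/account?account=1002"
    print(view_account_unchecked("alice", url)["owner"])  # another customer's record
    try:
        view_account_checked("alice", url, log)
    except Forbidden as exc:
        print("refused:", exc, log)
```

A question to put to a prospective web team is where in their code the equivalent of the ownership comparison lives, and whether refused attempts are logged for the auditor to review.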

These security breaches are more and more common, and not making yourself an easy target is the first step towards preventing them. If you handle sensitive information and are thinking of using a secure domain, come back soon for our tips on how to choose your marketing team.