The importance of having a secure website cannot be overstated. Besides protecting customers' e-commerce data, you need to be able to fend off denial-of-service attacks and malware infections that can take your site down for days or even weeks. Web security also entails foiling attackers who seek to infiltrate your firm's underlying network by obtaining usernames and passwords and thereby gaining access to sensitive data or email. A breach in any of these areas could result in a loss of not just money, but also customers, employee trust and your competitive standing.
Given that many middle market firms don't have a dedicated IT department or even a full-time IT employee, the executive suite should have a basic understanding of how to determine the right vendors and products for Web security. Here are a few things you can do, along with questions you should ask, when seeking security providers for your firm's website:
- Get an insider's perspective. Confer with the person who maintains your website, whether that's an internal IT employee or an outside consultant, for an assessment of the site's complexity. Have him or her walk you through the potential for attack against each part of your website and how any threat might burrow deeper into your internal network. Then ask for the names of a few security companies you should approach with a request for proposals.
- Lay out your needs. If your website host is a major domain-registration company such as Register.com or GoDaddy.com, then you can consider the antivirus, antimalware and firewall products that company offers. Otherwise, look at similar solutions from security providers such as Symantec, Sophos, McAfee, Kaspersky, F-Secure and ESET. In either case, present potential vendors with a profile of your website's current functions along with any capabilities you might add in the future. Current features could include online credit card transactions; system logins and information exchanged online; connection between an email client like Microsoft Outlook and an email server like Microsoft Exchange; Web mail and applications such as Microsoft Outlook Web Access and Office Communications Server; workflow and virtualization applications like Citrix Delivery Platforms or cloud-based computing platforms; and intranet-based traffic such as internal networks, file sharing, extranets and database connections. Some firms might also have data transfer services for when they update website pages or transfer large files, or virtual private networks for connectivity outside the office.
- Test vendors to find the right fit. Ask each vendor to assess your site for potential vulnerabilities and have them demonstrate the security solutions they've implemented for firms with similar website functionality and complexity. What's more, require vendors to make their case in layman's terms rather than technical jargon or buzzwords. They should explain clearly why your site needs security elements such as an intrusion-prevention system, a next-generation application-aware firewall or a secure sockets layer (SSL) certificate type that's appropriate for the number of customer transactions your site will handle.
- Assess product durability. Ask each vendor about its products' update frequency. Regular updates help keep pace with the diversity and sophistication of viruses, malware and hacking techniques. Also consider any proactive detection capabilities, which catch malicious programs that have not yet been discovered and cataloged across the cybersecurity industry. Some products' scanning engines can detect malware without relying on updated antivirus signatures, by identifying intrinsically malicious behavior. Lastly, keep in mind that Web security is not the same as full network security, so have vendors explain each product's scope and how far it goes to protect internal functions.
- Understand contingency plans. Even the best security measures might not counter every attack. Address the worst-case scenarios by asking for details on disaster-recovery protocols, downtime estimates for different types of breaches and warranty figures. Some SSL certificates offer up to $250,000 in compensation for security-related economic losses. According to security journalist Michael Goldstein, "Anybody who is honest will tell you that nothing is 100 percent secure, because things on the dark side evolve every single day."
- Enlist employees in the security effort. Back in the workplace, remind everyone to change their passwords every few months and to keep usernames and passwords out of sight and secret. Among the most frequent causes of website and network infiltration is the exposure of sensitive information to a customer, vendor or coworker. Increased employee awareness will greatly improve your firm's Web and network security.
From personal experience, what are a few security concepts that were essential for your company's leadership to understand? Share with other executives by commenting below.
Rob Carey is an NCMM contributor and a features writer who has focused on the business-to-business niche since 1992. He spent his first 15 years at Nielsen Business Media, rising from editorial intern to editorial director. Since then, he has been the principal of New York-based Meetings & Hospitality Insight, working with large hospitality brands in addition to various media outlets.