It is far easier to build a web portal for your business today than ever before: with a plethora of vendors offering everything from one-click hosting platforms to drag-and-drop website builders, your options are endless. However, when your reputation is at stake, you need to be able to differentiate between those service providers that include the right level of information and cyber security and those that don't. We take you through some important aspects that will help you make the right choice.
They need to understand your business
An asset management website has a very different threat profile from a college or manufacturing website. Understanding the threats posed to your site daily is an essential skill for any hosting provider.
Knowing the most common vectors will enable the vendor’s security teams to focus on the areas that pose the biggest risk to your site and, ultimately, your reputation.
But how can you tell if they understand your business? Simple: look at who they work with. Who are their customers? A specialist vendor will most likely only deal with other customers in a similar sector, so look out for ones who mostly deal with asset management sites.
Verify their credentials
It is easy for a vendor to say, "Security is our top priority!", but the only way to be 100% sure is through external accreditations such as ISO 27001, SOC and verified assessments by recognised security providers.
ISO 27001 certification serves as a guarantee that the vendor has been independently audited and that the correct policies and processes are in place to safeguard your data. It is also a good indicator that security has been given the correct priority by the business and that management is fully committed to the cause.
External security vendors, such as SecurityScorecard, independently assess the vendor's security posture. Be sure to compare their ratings with those of the other vendors on your list.
Security cannot be an optional extra
This one is simple. The following items cannot be optional extras:
- TLS encryption: in an age where encryption is considered a default, your site's traffic must be secured by default.
- Web application firewalls: asset management sites are under constant threat from a wide variety of threat actors. The ability to detect and block attacks is a must-have.
- Proactive security monitoring: you need the assurance that your site is constantly monitored. A SIEM, and a team actually watching it, is critical to your site's safety.
- Protection mechanisms as standard: your site's administrative functions should be protected by mechanisms such as MFA by default.
Providing the above as a standard is a good indicator that security is part of a vendor’s architecture.
Don’t build on sand
When uptime is a priority, be sure that your site is built on proven technology. Self-hosted infrastructure tends not to be as robust or secure as a product built on well-known infrastructure platforms such as AWS, Google Cloud or Azure. Such providers will have well-defined processes for building secure systems atop their technology.
Most will have benchmarking tools to confirm that your architecture complies with best practices and is secure by default.
Where possible, check whether the vendor can provide compliance reports that measure their build standards against the CIS Benchmarks. CIS Benchmarks are configuration baselines and best practices for securely configuring a system. Each of the guidance recommendations references one or more CIS Controls, which were developed to help organisations improve their cyber defence capabilities. CIS Controls map to many established standards and regulatory frameworks, including the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, the ISO 27000 series of standards, PCI DSS, HIPAA and others.
Transparency is key to a healthy relationship
Vendor management is a hot topic at the moment, and for good reason. With supply chain attacks up by nearly 500% since 2018 (2020 State of the Software Supply Chain, Sonatype), transparency between vendors and customers has never been more critical.
Vendor risk assessments are a good way to establish the security posture of an organisation; they also confirm whether the vendor complies with any regulatory standards required to host your system.
Regular customer reports are also important. These should detail any threats that their platform is exposed to, any mitigating actions taken to counter the risk, detected vulnerabilities and any incidents that impacted the confidentiality, integrity or availability of the platform.
And, most importantly, their security team should be approachable. If their InfoSec team is guarded by a complex helpdesk escalation system or it is impossible to get them on a call, you should be alarmed. What would happen if there was a security incident? Who will you rely on to help you get your site back up and secure if their security teams are hard to contact? You need a direct line to their security staff, no matter what.
And insist on periodic review meetings with their security team. This will not only make you aware of the security challenges your site faces but also strengthen your relationship with the vendor.
TL;DR: when selecting a vendor, remember:
- Do they understand your industry and the threats it faces?
- Do they possess internationally recognised accreditations that prove their commitment to a well-run security program?
- Do they build their systems secure by default, or is it an optional extra?
- Will your system be built on solid underlying infrastructure, or will it be on a self-hosted server rack in some office?
- Can you speak to someone if the chips are down?
If you are considering a web refresh or refinement, feel free to reach out for a conversation.
If you are interested in receiving more information on this and other topics regularly, please sign up for our newsletter at the bottom of the page.
You can also request a demonstration of how our tools and services can add value to your digital transformation.