Branding and Web Security

What determines the confidence in your brand?  Yes, the visual identity and what people see.  And yes, the experience and interaction people have, both online and in the real world.  And yes, the social media (and traditional media) buzz – both positive and negative.  But there is another factor, hidden from most marketers, that can have a critical impact: the security of your website.

If a hacker gets into the website or prevents access to it, your brand is tugged into a very difficult place: trust suffers.  Even worse, if data is copied or stolen, your reputation is definitely in crisis.  You appear either incompetent, careless, or uncaring.  And while the media does report data breaches quite frequently, and it might be argued that the public is becoming immune, when it happens to a particular person, the sting is real.

While most marketers will never deal with web security directly (except in times of crisis), and most IT professionals should know how to address web security, a trust-but-verify approach is not such a bad idea.  With apologies to the non-techies, here are the rudiments of web security:

  1. Physical security:  Physical access to the actual server needs to be tightly controlled.
  2. Operating system:  Parts of the computer’s operating system that are not required should be removed.  Non-essential “ports” should be closed, and directory permissions set properly.  (And the operating system needs to be kept updated.)
  3. Physical firewall:  Depending on the level of security required, all traffic might be routed through a hardware firewall that blocks everything except the required types of internet traffic.  The firewall and network infrastructure should also be designed to mitigate distributed denial of service attacks.
  4. Web Server software:  The latest version needs to be installed and kept up-to-date.
  5. SSL certificate:  Instead of serving pages insecurely (e.g. http://), the purchase and installation of a security certificate allows the pages to be encrypted in transit (e.g. served as https://), and lets the user’s browser verify that the pages actually came from the site they claim to come from.
  6. Separate web server and database server:  Instead of having the database housed on the website – which might be hacked – the database that powers the site can be housed on a completely separate machine. Using this architecture also delivers a welcome benefit: faster performance.
  7. Database and scripting languages:  The database version (SQL Server and MySQL as examples) and any scripting languages (PHP as an example) need to be kept up-to-date.
  8. Content Management System (CMS) software:  The core software (WordPress, SiteCore, SharePoint, as examples), as well as any plug-ins and modules, need to be kept up-to-date.  More importantly, the CMS needs to be “hardened” to prevent basic attack vectors.
  9. Software firewall:  This software monitors and repels hacking attempts at the CMS level.
  10. Two-factor authentication:  Instead of having a user log in only with their username and password, they must also enter a time-based code that is sent to their phone or generated by an authenticator app.  This stops an attacker who has obtained a “stolen” password from logging in with it alone.
  11. Social engineering:  It is too easy for an authorized individual to be conned into providing access to the website.  Staff need to be trained on their role in keeping the site secure, and the basics of site security.

Clearly, there is a cost to implementing security, but this cost needs to be balanced against the cost of rehabilitating the brand if the site is hacked.  The greater the potential cost to the brand, the more of these should be implemented.

What’s next?  Use this post as a checklist (you may need to speak to your web development team): how well did you do?  If you have confidence in the technology, the market will have confidence in your brand.

A few more questions for the techs:  Are there two independent back-up systems?  How long are back-ups kept?  How often are the back-ups tested?  Are there automated notifications if the site goes down?  And if the site is hacked, how long will it take to get back up?

And for the marketers:  Do you have an external crisis plan in case of a data breach?  Is there a plan B in case e-commerce is not available?  And is there an internal communication plan, particularly for the front line (receptionists, call center, etc.)?