
10 security questions to address before appointing a technology provider

by
Equiem Marketing
|
January 11, 2018

In today’s world, business is driven by technology. With more personal data and customer information being collected than ever before, business owners and managers are being forced to rethink their cybersecurity strategy. With customer portals and online membership websites on the rise, it’s time to think about your security needs.  

Many companies focus on important security features, compliance and best practices to ensure that their data remains secure. But the best way to ensure that sensitive information stays where it belongs is to have a trusted, layered system.

Keeping sensitive information safe from theft and exposure in today's digital world can be overwhelming. But knowing which risks your business is most exposed to, and protecting against those first, is the only realistic way to protect yourself and your customers.

Working with experienced technology partners is one of the best ways to evaluate risks and select the security features that matter most for your business. By asking the right questions, they can develop a deep understanding of your business' needs and provide transparent advice and a secure online platform.

Below are critical security features and the key questions you need to be asking before appointing a technology provider, for any real estate technology platform, such as a tenant portal. 

1.  Application Layer Security

Key question: What security tools are you using as a foundation for your platform?
Your customers connect with you through applications, and your employees can't do their jobs without them, but as critical as they are, applications also expose your business to threats. Application layer security protects the application itself and the data it handles, rather than the network around it: every input is validated, every request is checked for authentication and authorisation, and the frameworks and libraries the platform is built on are kept patched.

Attacks at the application layer arrive over the same port and in the same shape as legitimate requests, so a network firewall cannot tell them apart; that is what makes them harder to detect and even harder to contain. A robust security system at this level, for example a web application firewall in front of the platform and secure coding practices behind it, is essential for an online customer platform.

Monitoring Threats

Key question: How often do you check for vulnerabilities, and how quickly are findings fixed?
Frequent vulnerability assessments make your platform more resilient to the risk of data theft. Continuously monitoring for newly published vulnerabilities in the components your platform uses shows which modules need security updates, and a provider should be able to tell you its patching timeframes for critical findings. When this is done well, routine issues are detected automatically by scanners and can be fixed before they are exploited.

Static code analysis is another way of catching risks early. The source code is examined automatically, before each update or change is released, for patterns that violate security best practice, such as unvalidated input reaching a database query. Ask whether it runs on every change, and whether third-party dependencies are scanned for known vulnerabilities as well.

Cloud Locations

Key question: Where is the data stored?
Threats increase with the number of places your data is sent to. Many businesses use "cloud" storage to save on space and resources. Understanding how cloud storage works, and in which regions the provider's infrastructure is located, is critical to protecting your information.

By ensuring that your customer information is hosted in a region within your company's country of operation, you keep it under one legal jurisdiction and reduce the risk of "data shipping": information being moved or replicated between regions when the provider needs to free space or cut its own costs. Ask where the backups and replicas live, not only the primary copy. By keeping your data in one known place there are fewer copies to protect and fewer opportunities for theft or tampering.

2.  Network Security  

Key question: How secure are your servers?
Network security creates an environment in which computers, users and programs can operate securely. Robust network security must be a top priority for virtually any digital project today. The most common way it is compromised is by an external attacker reaching network resources from the internet. Network security controls limit who can reach the database servers and file storage and reduce the chance of data and identity theft, spoofing and denial-of-service attacks.

Network security starts with authentication, commonly a username and password. Once a user is authenticated, a firewall enforces access policies such as which services network users are allowed to reach. Although two-factor authentication and firewalls are effective at preventing unauthorised access, it's important to supplement these two basic controls with intrusion detection systems, encryption of data in transit and at rest, and anti-malware software.

Weak authentication, authorisation and fraud detection capabilities present high risks to data and customer retention.

Firewall  

Key question: Do you employ a firewall and other first-line measures?
A firewall is a network security system that uses rules to control incoming and outgoing network traffic. It acts as a barrier between a trusted network and an untrusted network.

As the first line of defence, a firewall protects an application from risks such as unauthorised remote access: with a default-deny policy, only the web front end is reachable from the internet, while database, administration and file-sharing ports are closed to the outside. Outbound rules also limit what a compromised server can reach.

Intrusion Detection System - IDS  

Key question: How protected is your data from intruders?
An intrusion detection system is a network security technology that monitors the platform environment and alerts administrators to suspicious activity. It detects rather than prevents, but the visibility it gives can expose accidental information leakage, security policy violations, unauthorised clients and servers, and even configuration errors. An intrusion prevention system (IPS) goes one step further and may respond to suspicious traffic by automatically blocking the user (or source IP address) from accessing the network.

The IDS needs to be tuned to recognise what normal traffic on your website looks like versus what might be malicious, otherwise administrators drown in false alarms. The administrators responsible for responding to IDS alerts also need to understand what the alerts mean and how to respond effectively.

Denial of Service - DoS

Key question: Is your system protected from DoS attacks and intrusions?
A denial-of-service attack floods servers, systems or networks with unwanted traffic in order to overwhelm them, making the platform temporarily or, in severe cases, persistently unavailable to its intended users. A DoS attack does not by itself give the attacker access to your data, but it can cause serious damage and inconvenience to your business, and attackers sometimes use one as cover while they attempt an intrusion elsewhere. A distributed attack (DDoS), launched from many compromised machines at once, is far harder to filter than traffic from a single source.

An attack that exploits a bug to crash a server can often be dealt with by patching and restarting the system, but modern flooding attacks can exceed the capacity of the server or its internet link entirely and must be absorbed or filtered upstream.

It's important for your IT team, security administrators and managers to understand the threats, vulnerabilities and risks associated with DoS attacks, and to put detection and filtering in place: rate limiting per client, an application layer (web application) firewall to block offending requests, and a DDoS-mitigation or content delivery service in front of the platform for volumetric attacks.
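To make the tuning point concrete, here is a small rate-based detector of the kind an IDS or web application firewall applies, written for this article as an added example (it is not Equiem's code or any product's): it parses web server access log lines in the common "combined" format, counts requests per source address in a sliding window, and flags a source the first time it exceeds a threshold that you set from observed normal traffic. The log lines, threshold and window below are constructed for illustration.

```python
"""Rate-based flood detection over web access logs.

Added example: counts requests per source IP inside a sliding time window
and raises an alert the first time a source exceeds the threshold.  Assumes
Apache/nginx "combined" log format and roughly time-ordered input (as a
tailed log file is).  Threshold, window and sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def flag_floods(lines, max_requests, window_seconds):
    """Flag sources sending more than max_requests within any window_seconds.

    Returns {ip: (time_of_first_alert, requests_in_window_at_that_moment)}.
    max_requests should sit above the busiest rate a legitimate client shows
    in your own logs, otherwise ordinary users trip the alert.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # a monitor must not crash on one garbled line
        ip, ts, _request, _status = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) > max_requests and ip not in alerts:
            alerts[ip] = (ts, len(q))
    return alerts


# Constructed sample: one ordinary visitor, one source hammering /search,
# and one garbled line that must be skipped rather than break the monitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2018:10:00:20 +0000] "GET /login HTTP/1.1" 200 1024',
    '198.51.100.7 - - [10/Jan/2018:10:00:30 +0000] "GET /search?q=a HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Jan/2018:10:00:30 +0000] "GET /search?q=b HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Jan/2018:10:00:31 +0000] "GET /search?q=c HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Jan/2018:10:00:31 +0000] "GET /search?q=d HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Jan/2018:10:00:32 +0000] "GET /search?q=e HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Jan/2018:10:00:32 +0000] "GET /search?q=f HTTP/1.1" 200 2048',
    'this line is corrupted and does not match the log format',
    '203.0.113.5 - - [10/Jan/2018:10:00:50 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    found = flag_floods(SAMPLE_LOG, max_requests=5, window_seconds=10)
    for ip, (when, count) in found.items():
        print(f"ALERT {when.isoformat()} {ip}: {count} requests in 10s")
```

Run against the sample, the ordinary visitor never exceeds five requests in ten seconds, while 198.51.100.7 trips the alert on its sixth request at 10:00:32. The same structure, with the threshold replaced by one learnt from a week of your own logs and the alert wired to a block rule, is the core of what a rate-limiting WAF or IPS does; the point to take from it is that the threshold is a property of your traffic, not of the tool.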

3.  SSL/TLS and HTTPS

Key question: What level of encryption do you have?
Transport Layer Security (TLS), the successor to the older Secure Sockets Layer (SSL), creates a foundation of trust by establishing a secure connection for your users. It's the standard technology for building an encrypted, authenticated link between a web server and a user's browser. Every version of SSL, and TLS 1.0, are obsolete and should be disabled; a provider should support TLS 1.2 or later. To create a trusted connection the web server needs a certificate, issued by a certification authority, containing its public key, and the matching private key, which never leaves the server. Together they let the browser confirm it is talking to the genuine server and agree the session keys that encrypt the traffic.

When a browser connects to a secure site it retrieves the site's certificate and checks that it has not expired, that it chains to a certification authority the browser trusts, and that it was issued for the host name the user is visiting. If any one of these checks fails the browser displays a warning to the user that the connection cannot be trusted.

Hypertext Transfer Protocol Secure (HTTPS) is not a separate standard but ordinary HTTP carried over a TLS connection. It is what lets the browser perform the certificate checks above, and it protects the page content and any submitted data from eavesdropping and tampering in transit. Ask whether HTTPS is enforced on every page, whether plain HTTP requests are redirected, and whether HTTP Strict Transport Security is enabled so browsers never fall back to an unencrypted connection. Note that TLS protects data only while it travels; it says nothing about how the server stores it afterwards.

TLS over HTTPS protects sensitive information such as customer names, phone numbers, addresses and credit card numbers in transit. It offers your web service credibility and provides a secure channel between your business and your customers.
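The three certificate checks described above can be written down precisely. The following Python is an added example for this article, not browser code or Equiem's code: it applies the checks to a certificate in the dictionary form that Python's ssl module returns for a peer certificate, and builds a client context that refuses obsolete protocol versions. The certificate, host names, dates and the list of trusted issuers are constructed for illustration, and the issuer check stands in for the full chain validation a real client performs against its trust store.

```python
"""Certificate checks a client must make before trusting a TLS server.

Added example.  validate_certificate() applies the three checks the text
lists to a certificate in the dict form returned by Python's
ssl.SSLSocket.getpeercert(); hardened_client_context() builds a client
context that insists on those checks and on TLS 1.2 or later.  The
certificate, host names, dates and trusted-issuer list are constructed.
"""
import ssl
from datetime import datetime, timezone


def hostname_matches(hostname, dns_names):
    """RFC 6125 style name matching: exact match, or a wildcard standing for
    exactly one leftmost label (*.example.com matches a.example.com, but not
    a.b.example.com and not example.com).  Simplification: a real client also
    refuses wildcards over public suffixes such as *.co.uk."""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            leftmost = host[:-len(suffix)] if host.endswith(suffix) else ""
            if leftmost and "." not in leftmost and host.count(".") >= 2:
                return True
    return False


def validate_certificate(cert, hostname, trusted_issuers, now_epoch):
    """Return the list of failed checks; an empty list means acceptable."""
    problems = []
    # 1. Validity period.  notBefore/notAfter are OpenSSL-style date strings.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now_epoch <= not_after:
        problems.append("expired or not yet valid")
    # 2. Issuer must be one the client trusts.  Simplification: a real client
    #    verifies the signature on every certificate in the chain up to a root
    #    in its trust store; here the issuer's commonName stands in for that.
    issuer = {key: value for rdn in cert["issuer"] for key, value in rdn}
    if issuer.get("commonName") not in trusted_issuers:
        problems.append("issuer not trusted")
    # 3. Certificate must be issued for the host actually being visited.
    #    Browsers match against subjectAltName DNS entries, not the subject CN.
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not hostname_matches(hostname, dns_names):
        problems.append("hostname mismatch")
    return problems


def hardened_client_context():
    """Client context enforcing the checks above and refusing SSLv3/TLS 1.0/1.1."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed certificate in getpeercert() shape; not a real certificate.
GOOD_CERT = {
    "subject": ((("commonName", "portal.example.com"),),),
    "issuer": ((("organizationName", "Example Trust"),),
               (("commonName", "Example Trust Root CA"),)),
    "notBefore": "Jan 11 00:00:00 2018 GMT",
    "notAfter": "Jan 11 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "portal.example.com"), ("DNS", "*.portal.example.com")),
}
TRUSTED_ISSUERS = {"Example Trust Root CA"}  # constructed trust store
NOW = datetime(2018, 6, 1, tzinfo=timezone.utc).timestamp()  # constructed "current time"

if __name__ == "__main__":
    for host in ("portal.example.com", "api.portal.example.com", "evil.example.net"):
        print(host, validate_certificate(GOOD_CERT, host, TRUSTED_ISSUERS, NOW) or "ok")
```

In production you never reimplement these checks yourself; you use the platform's TLS stack with verification left switched on, as hardened_client_context does. The value of writing them out is knowing exactly what a provider's server has got wrong when a browser warns: an expired certificate, a certificate that names the main site but not the alternate host name you were given, or one issued by an internal CA the browser has never heard of.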

4.  PCI-DSS Compliance and Stripe - Payment Gateway

Key question: How secure is your payments system?
The PCI DSS is a multifaceted security standard that applies to any organisation that stores, processes or transmits payment card data, not only eCommerce merchants. It includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures, and is intended to help organisations proactively protect cardholder data.

Using a reputable payment gateway, such as Stripe or PayPal, is important to keeping your customer information secure whilst providing a seamless purchasing experience. An established provider offers reliable infrastructure and, when integrated so that card details are entered into the provider's own hosted fields and exchanged for a token, keeps full card numbers off your platform altogether, which both protects your customers and greatly reduces the scope of your own PCI DSS obligations.

The Payment Card Industry issues requirements that have to be met to remain compliant, and Equiem holds an active PCI compliance accreditation. Whilst the storage of payment information within Equiem is minimal, PCI assessments check that the transmission of payment information, both within Equiem systems and to our external payment provider, is architecturally designed and implemented in a secure and compliant manner. The standard also requires quarterly external vulnerability scans performed by a PCI Approved Scanning Vendor (ASV), and Equiem remains compliant in this respect.
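Even when a gateway keeps card numbers off your servers, full card numbers have a way of leaking into application logs through error messages and request dumps, which PCI DSS does not permit. The following Python is an added example written for this article, not Equiem's code or a gateway's SDK: a log filter that finds candidate card numbers, confirms them with the Luhn check that all major card brands' numbers satisfy, and rewrites them to the first six and last four digits, the most PCI DSS allows to be displayed. The log lines are constructed for illustration and the card numbers are public test numbers.

```python
"""Redacting payment card numbers (PANs) from application logs.

Added example.  Finds 13-19 digit runs (with optional space or dash
separators), keeps only those passing the Luhn check, and replaces them with
first-six/last-four masking.  The PanRedactingFilter hooks the same logic
into Python's logging so nothing reaches disk unmasked.  Sample lines are
constructed; the card numbers are well-known public test numbers.
"""
import logging
import re

# 13-19 digits, allowing one space or dash between digits, and not embedded
# inside a longer run of digits (lookbehind/lookahead).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SEPARATORS_RE = re.compile(r"[ -]")


def luhn_ok(digits):
    """Luhn checksum: from the right, double every second digit (subtracting
    9 when the result exceeds 9) and require the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six (issuer) and last four digits; PCI DSS allows at most this on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(line):
    """Return the log line with every Luhn-valid, card-number-shaped run masked."""
    def replace(match):
        digits = SEPARATORS_RE.sub("", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return match.group(0)  # e.g. an order number that fails Luhn: leave it
    return CANDIDATE_RE.sub(replace, line)


class PanRedactingFilter(logging.Filter):
    """Attach to a handler so the formatted message is masked before it is written."""
    def filter(self, record):
        record.msg = redact_pans(record.getMessage())
        record.args = ()  # already interpolated; stop handlers re-applying args
        return True


# Constructed sample log lines.
SAMPLE_LINES = [
    'ERROR charge failed for card 4111 1111 1111 1111 exp 12/20 amount=49.00',
    'INFO order 1234567890123 created for tenant 42',
    'DEBUG gateway payload {"number":"5555555555554444","cvc":"***"}',
]

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(PanRedactingFilter())
    log = logging.getLogger("payments")
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    for line in SAMPLE_LINES:
        log.info("%s", line)
```

The Luhn check is what keeps the filter from mangling every long number in your logs (order and invoice identifiers rarely pass it), though a Luhn-valid non-card number will occasionally be masked; for a log file that is the right trade-off. The filter does not replace a proper gateway integration: it is the safety net for the day an exception handler dumps a request body you did not expect.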

5.  Physical Security

Key question: How secure are your servers from physical attack?
As our lives become increasingly digital, physical security of your system may seem like a less significant threat. However, it's important to know that your security model is protected on the ground as much as it is in cyberspace. Remember, physical security doesn't just mean protecting against burglary, theft, vandalism and terrorism; it also means protecting against fire, flood and natural disasters, and against someone simply walking out with a disk.

For the most extensive level of physical protection, entrust your servers to a data centre with strong perimeter security, access restricted to authorised personnel, video surveillance, two-factor authentication at each ingress point, and logging and auditing of all access. Major cloud and hosting providers have these controls verified by independent auditors (for example under SOC 2 or ISO 27001); ask your provider for the reports rather than taking the description on trust.

Creating a robust system

It's common for online security to be thought of as a single product. In reality, a strong security system for your database and platform requires multiple layers, a deep understanding of the industry standards and scalable tools to protect both your business and your customers.

Every business requires different solutions to secure its data. When researching your options, think about how they integrate with each other to provide a healthy and secure online environment. By working with experienced and reputable security partners from the beginning you're building a strong foundation for your platform's ongoing cybersecurity. Having a team that can help implement and maintain industry-leading protection will give both you and your customers the confidence you need to do business.

Equiem has purpose-built integrated solutions that, once combined with the Equiem Portal, take much of the risk out of security.

Equiem follows a shared responsibility model for the security of its platform. The infrastructure is housed in Amazon's AWS cloud and Acquia manages the application layer. Equiem therefore inherits Amazon's certifications and accreditations for the infrastructure, network and physical security of the environment, while responsibility for the application, its configuration and the customer data it holds sits with Equiem and its application hosting partner. This ensures that each of the risks described above is managed at the layer where it belongs, in one cohesive system.

Find out more about the Equiem Portal here.

Copyright © 2018 Equiem Services Pty Ltd. All Rights Reserved