Have you had "the talk" with your clients? You know, the one where you tell them that if they are going to be doing it, they need to be safe. If they are going to collect private information or integrate external services like PayPal or MailChimp, it is time to sit down and have a discussion about security.

Businesses large and small, public and private, have security needs. A company's website is a portal to customer information, and if it is hacked, the result can be a very public breach that costs customers, brings fines, and damages the brand. In fact, it is often a surprise to small and medium-sized businesses that they are actually considered a greater target than large enterprises. Why? Because hackers know that SMBs are an easy target. Symantec recently published a report confirming that three out of five cyber-attacks target small and midsize companies. SMBs typically have weaker security controls and are not taking a defense-in-depth approach to data security, often because they are simply not aware of security best practices, not because of price.

As Chris Teitzel, Drew Gorton, and I discussed at DrupalCon New Orleans (video below), by having the security conversation and implementing proper security controls, Drupal agencies can not only better protect their clients but also gain additional revenue and set themselves apart.

But My Clients Aren't Asking Me for Security

It may be true that your clients aren't asking specifically for security, but they are paying you for it. Your clients expect site security, just as they expect you to anticipate and address their needs in other areas of site development. Further, if there is a breach and you have not implemented appropriate security controls, you can be held liable. One example: in an effort to shift financial responsibility for a data breach at a community bank, Travelers Casualty and Surety Co. of America (the insurer) filed suit against the bank's web designer, claiming that its negligence and "substandard" maintenance of the website set the stage for the breach. As an agency, you can and should reduce your risk by implementing proper security for your clients, even if it means taking money out of your bottom line.

As many agencies that we interact with can attest, adding security as a line item when responding to RFPs has helped them win bids. It not only assured their prospective clients that security was top of mind, but also instilled confidence in the competency of the agency. With data breaches making headlines daily, security is top of mind and this conversation is more pertinent, and more natural, than ever.

For example, the importance of key management is now resonating with the general public, thanks to Apple. The company is in the process of handing iCloud encryption keys to account holders, so that no matter how many government subpoenas it receives, Apple has no way to decrypt user data. With (potential) clients hearing these stories, security becomes an easier sell.

With the importance of website security established, how do you start the security conversation with your clients? Are you asking the right questions during the discovery process? Do you know what questions to ask?

As an agency, there are a few key Drupal security concepts that you need to understand before talking with your clients:

- What is personally identifiable information (PII)?
- Which compliance regulations do your clients fall under (PCI DSS, HIPAA, FERPA, FISMA, etc.)?
- There is no security silver bullet; you need to take a defense-in-depth approach.

We'll go into these points in a little more detail below.

Security is not something that is on or off; it sits on a continuum. Each site is unique, and what your clients are going to do with theirs determines the layers of security needed. By fully understanding their business and site goals, you'll avoid last-minute surprises during the build. No one likes adding expense and time to a project (surprise!), and by asking the right questions upfront you can save a lot of headache down the road.

Some of the first questions during the discovery phase should be:

- What information is going to be collected?
- Are you under any compliance requirements?

Additionally, if you hear any of the keywords below, take mental note. The slide on the security scale just went from less to more.

By asking the right questions and listening to their responses (as well as reading between the lines), you will be able to confidently put the proper security controls in place from the beginning.