Can your web partner block two million attacks per day?
17 May 2018
By Marla Hurov
It’s every IRO’s worst nightmare: your IR site crashes during earnings, or even worse, your website is exposed to a serious data breach. When you’re looking for a web solution, it’s paramount to ensure that your partner follows best practices for both your website’s security and performance. You need to be confident in your vendor’s ability to protect your data, reputation, and credibility. Essentially, your web partner should be like a ninja bodyguard, invisibly and masterfully warding-off countless attackers, while you confidently go about your business.
At Q4, we take security seriously. Given the highly sensitive (and desirable) nature of investor relations and financial data, we use multiple cloud hosted solutions to successfully block an average of 200,000 attacks per hour. This amounts to essentially two million blocked events per day.
I recently sat down with members of Q4’s infrastructure team to discuss security best practices and industry standards. According to Scott Bennett, Q4’s Security Analyst, “when choosing a web partner, security should always be your priority. It’s more than a question of whether you can successfully host my site, but rather, can you successfully host my data? The first thing you need to verify is that your vendor is secure in handling data.”
It’s also critical to ensure that your site is up and running, and firing on all cylinders, at all times. You can’t afford for your site to falter or go down. Your website’s performance should be closely monitored to optimize user experiences. Q4 also leverages Content Delivery Networks (CDNs) to serve-up website content quickly and reliably, improving page load speeds and handling high traffic volumes.
So when it comes time to assess your web partner, here are a few of the most essential security practices to consider.
It’s all about certifications and security tools
When evaluating website vendors, certifications are key. The right security certifications indicate that certain standards are in place for managing web data and site performance (including state-of-the-art firewalls). Having these certifications mean that the vendor has passed through a rigorous series of processes and checks, culminating with a comprehensive review by an independent auditor. Q4’s hosted cloud solutions are certified by the top tier industry standards of ISO 27001, SOC1, SOC2, SOC3 and Privacy Shield, as well as the SSAE 16 (audit report).
Also, pay close attention to the kinds of tools your vendor uses to protect you against external attacks. For client web traffic, Q4 uses (and recommends) an Intrusion Detection System (IDS) and DosArrest (a DDOS mitigation vendor). IDS can detect malicious traffic and trigger the firewall to block it. While DosArrest can spot potential denial-of-service attacks and fend them off.
Proof is in the testing
Testing is another security best practices. Q4 does a full and regular battery of testing, including nightly scans, vulnerability scans, load testing, and full code reviews. Perhaps most telling, clients are also welcome to do full penetration testing on Q4’s infrastructure itself. According to Matt Twydell, Q4’s SVP of Communications, “we work with our largest clients who hire third-party security teams to attack our infrastructure. It shows how confident we are in our system.”
In fact, it’s Q4’s best practice to at least match the level of security carried out by its clients. Matt explains, “we’re continually being tested by some of the biggest companies in the world who scrutinize everything we do.” This also makes for some pretty compelling and continual self-improvement. He reflects, “Working with our clients to meet and exceed their security expectations, we’re always growing our expertise. We’re essentially crowdsourcing security. It’s a key part of what makes us next level.”
Protocols for the worse case scenario
Whether it’s a temporary crash or serious breach, it’s essential to have protocols in place for handling the worst case scenario. While vendors should always aim to be proactive (rather than reactive), like autoscaling when traffic spikes, they also have to be highly prepared for the unexpected. According to Q4’s Director of Infrastructure, Vee Punia, “we have response policies and processes in place.” He assures, “we’re highly trained on what to do and how we’re contracted to respond.”
Practice what you preach
It’s critical to work with a vendor that operates with their own secure infrastructure and internal processes. Q4 itself selects vendors that have a proven track record of being highly secure and reliable. Matt explains, “as a first step, we validate that vendors handling our data, our host solution providers (and any other relevant third party) meet our same security and compliance standards.”
Essentially, vendors should practice what they preach. Scott cites the example of enforcing added password protection, 2-Factor authentication (2FA), for both Q4 clients as well as across the company. “It’s a relatively new industry-standard that makes it exceptionally more difficult for an attacker to log-in to your account. It requires two authentication methods: your password, as well as your mobile device.”
What’s next for security?
The future of security is all about proactive tools and automated monitoring, especially driven by artificial intelligence. Vee explains, “Our algorithms can spot patterns and know what will happen before it happens; so we’re able to fix anything before an incident occurs.”
More than anything else, security should be ingrained in your vendor’s core mindset and fully integrated into the way they work. Q4 plans to become part of the Cloud Security Alliance, considered to be the world’s leading organization for defining and promoting best practices in cloud computing security. Vee sums up, “We eat, sleep and breathe security. These processes are at the core of everything we do. All of our client websites are built on the underlying premise of security by default and design. Our practices are next level, because we’re dedicated to a whole life cycle of security.”
Marla Hurov is the Content Marketing Manager at Q4 Inc and blogs regularly about trends in brand strategy and digital communications.