10 essential questions about website security you need to ask today
Customers are spending more time online than ever before, researching, browsing and buying. They need to trust the websites they visit and the businesses they interact with; they need to trust that their personal information is secure and that it’s being handled correctly. This has made website security critical to business success.
SSL/TLS certificates and vulnerability scans are an important part of website security but they are not enough. Good website security also supports a core business function and ensures better conversion rates.
These ten questions will help you check if you’re going beyond the basics and helping your organization stand out in the modern online marketplace, and providing a secure and safe platform for conducting business.
Symantec Corporation
The big three
First things first: you need to find out if your organization is set up to support effective website security.
1 Do I understand what the business needs from me?
As the relationship between a business and its website deepens, it’s vital that anyone working on website security understands the business implications of their role. Tim Williams, global security director for the $42.5 billion construction equipment manufacturer Caterpillar, firmly believes that a solid grounding in business principles is key to delivering effective security. ‘Spouting catchphrases can get you into more trouble than it is worth. It’s better to take the time to really understand business,’ says Williams. ‘You need that immersion so you can put all the pieces together.’
2 Have I got buy-in from the board?
Just as the security team have to understand and support the business, so the business has to support website security. It’s not just a last-minute compliance issue. You have to bake security into website projects from the start. ‘The job of a senior security professional is changing rapidly: it’s more about persuasion and being able to navigate the political minefield of a large organization than it is about fighting bad guys,’ argues Mike Rothman. Senior management has traditionally pulled the purse strings tight against IT security requests. It’s up to you to communicate just how important website security is for client acquisition and the company’s reputation if you want to ensure you have both the financial support and the authority you need to keep your website safe.
3 Does our company culture support security?
Getting buy-in from the board is one thing, but you need support and professional investment from the rest of the organization as well. Unfortunately, many employees see IT security as an obstacle, rather than a business enabler. ‘Two aspects of a company’s culture have outsized effects on the security of its information,’ says Carl S. Young in the Harvard Business Review. They are ‘the organization’s tolerance for inconvenience and the degree of collaboration across business units and among employees.’ If you encourage education and communication to help colleagues understand the processes and technologies you have in place to maintain website security, they are more likely to adhere to them and support your security policies rather than work around them.
Getting down to the details
Next you have to look at the processes and technologies you have in place.
4 How many SSL/TLS certificates do we have and when do they expire?
Do you have a clear and auditable way of tracking all SSL/TLS certificates across the organization? Do you know how many
certificate authorities you buy from? Can you keep track of all your expiry dates?
Centralizing SSL/TLS management keeps your sites safer because it helps you detect rogue certificates and makes sure
you have ample warning before a certificate expires. Once you have all your data in one place, it’s also easier to buy in
bulk, thereby reducing costs.
5 Are your private intranet sites and services safe?
Since November 2015, you are no longer able to get an SSL or TLS certificate for a reserved IP address or internal
server name; and in October 2016, all publicly trusted SSL/TLS certificates with an internal name or reserved IP address
will be revoked and/or blocked by browser software.
Do you know what you’re going to do? Have you thought about the transition? Have you looked into tools, such as
Symantec’s Private Certificate Authority, which allow you to issue intranet certificates without worrying about the change
in regulations?
6 Are your mobile sites and apps secure?
‘With consumers constantly on the go, they prefer iPhones over iPads after work and at the weekends – people’s digital
behavior is changing and this provides new opportunities for fraudsters to hide in the noise,’ says Stephen Moody,
European solutions director at ThreatMetrix.
With more people using smartphones and tablets, the demand for apps has spiked. Along with websites, they provide a
vital way for customers to interact with organizations online. Unfortunately they also pose security and reputation risks
when not managed properly.
Website security needs to expand to take in code signing and malware scanning to ensure customers aren’t put at risk by
any of the online touch points you offer.
Looking ahead
7 Do you know what’s coming next?
Are you up to date with the changing threat landscape? Do you know how criminals are getting around traditional website
security methods? Do you know how to close the gaps they are exploiting?
Maintaining website security is about more than today’s routine work – it’s about being ready for the challenges of
tomorrow. If you’re feeling a little behind with the latest security news, why not start by downloading Symantec’s latest
Website Security Threat Report.
8 How can I add to the business with website security?
While the first few questions focused on supporting the business, people in website security can go above and beyond
support and actually contribute proactively to business goals.
Choosing Symantec’s SSL/TLS certificates, for example, means you can deploy the Norton Secured Seal on your website,
the most recognized trust mark on the Internet. This has a proven impact on sales and conversion rates by making your
site seem more trustworthy.
You can also encourage click-throughs to your site with Symantec Seal-in-Search, which means any visitors who use
browsers enabled with security plug-ins will see the Norton Secured Seal on search engine listings, partner shopping sites
and product review pages.
9 Am I collaborating with others?
‘Collaboration is the key to successful information security,’ says Computer Weekly.
Your organization may have grown up in an era when protecting trade secrets and keeping infrastructure particulars
private was a top priority, but the world has moved on.
Cybercriminals are more sophisticated than ever, collaborating and creating an information black market that mirrors the
best security collaborations out there.
It’s time to start sharing, whether through government programs, like the UK’s Cyber-security Information Sharing
Partnership (CiSP), or peer-to-peer industry networks. Don’t be left out in the cold.
10 Is there a better way to manage website security?
Finally, are you up to date with the latest website security solutions? You might think you have individual pieces of the
puzzle sorted, but how well do they fit together?
Symantec recognizes that the old way of delivering website security solutions no longer matches the threat landscape or
the business demands the modern security department faces.
That’s why we’ve developed Symantec™ Complete Website Security – a set of flexible solutions that answer all your
website security needs in a single package.
Why not find out more today? Contact us at
[email protected]
For specific country offices and contact numbers, please visit our website.
For product information in the US, call: 1-866-893-6565
Symantec World Headquarters
350 Ellis Street
Mountain View, CA 94043 USA
1-866-893-6565
www.symantec.com/ssl
No part of the contents of this white paper may be reproduced or transmitted in any form or by any means without the written permission of the publisher. Copyright © 2016 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Circle Logo and the Norton Secured Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.