Hi, Habr! We recently conducted (including here on Habr) a survey among studios and agencies, and now we are announcing the results of our study.
As part of the research, in April 2014, Ruward and the SiteSecure site protection service surveyed more than 270 representatives of studios and agencies specializing in custom development of Internet projects.
Here are the results in more detail:
1. Does your studio/agency have a qualified person responsible for the information security of client sites?

More than three quarters of companies in the agency market have no specialist at all who could set up the necessary processes and help eliminate problems promptly when they arise. Every fifth studio has such a specialist on staff (naturally, this is more typical of large companies specializing in the development of complex projects in the high price segment).
2. Does the organization have security rules and regulations for responding to incidents related to the security of customer sites (loss or theft of passwords, hacking, virus infection, blacklisting of the site, etc.)?

Only 7% of respondents have a clearly defined procedure and timeline for responding to security incidents, and more than half of the companies believe they have a "general understanding" of what to do in case of problems. Almost a third of the companies have no such regulation and are not ready to resolve such incidents promptly.
In a sense, this question is a good indicator of the overall market situation. A significant part of the companies in the agency market does not pay enough attention to security or believes the problem can be dealt with "as it arises". This approach poses a significant threat to the security of customer projects.
3. Does the employment agreement with employees who have access to hosting and CMS passwords and to the content of client sites include confidentiality and security rules?

Nearly 60% of studios/agencies do not sign agreements with their employees that regulate compliance with security and confidentiality rules. This largely means that in the event of problems the studio itself bears the main risk, since in a significant number of cases the customer's claims are brought against the company that develops/maintains the site.
4. Does the contract with the client include a clause on your company's responsibility for the security of the client's website and data?

More than two thirds of companies do not include such a clause in their contracts with customers.
We would like to note that in this case the studio not only lacks formal protection from risks, but may also incur additional losses. In the absence of such clauses, it is not formally spelled out not only what the agency is responsible for, but also what it is not responsible for (for example, force majeure on the side of the hosting provider). Since much in the agency market is built on trust, in the event of an incident the client contacts the studio regardless of the contract, and the absence of a clause about what the contractor is not responsible for can serve as a basis for an unjustified claim and a deterioration of relations with the client.
5. Is a password policy in place: password complexity requirements, control over password changes, response to compromise, assignment of a person in charge?

In terms of password policy the situation is slightly better: every fourth company has clearly defined rules, and another half apply various elements of a password policy in their work. At the same time, a quarter of companies are not inclined to deal with such issues at all.
Introducing such a regulation/process costs the agency nothing, and we strongly recommend that companies that have not yet done so take appropriate measures: this will significantly reduce the risks of various threats to both the studio and the client. We also recommend communicating this set of rules to the customer representatives who interact with the agency.
6. Which of the following measures do you take to ensure reliable operation and security of client sites?

Of these security measures, the most common is data backup (more than 80%). It is worth noting that agencies that do not follow this practice are exposed to significant risk not only in security matters but also in purely technical ones (equipment failure, data loss).
Nearly two thirds of companies constantly monitor the availability of their projects. Given the large number of free and low-cost automated availability monitoring services, this is not a high figure: a third of market players ignore this simple and basic way of spotting problems.
Slightly less than half of the companies monitor changes to the site and monitor the blocking of sites by search engines. Just over a third check for hidden links and redirects, and less than a third regularly check their projects for viruses. And only every sixth agency provides clients with DDoS protection services.
7. Which tasks for ensuring the operation of your clients' projects do you take responsibility for?

The distribution of areas of responsibility towards the customer is especially curious in the context of the previous chart: on average, companies take on more obligations than they carry out real actions.
8. Which of the following statements best describes your situation?

Only 16% of players in the agency market are fully confident in the security of their projects. Almost half of the companies admit that problems occur, but in most cases they manage to solve them before consequences for the customer's business arise.
And more than a third of companies admit that they have certain difficulties ensuring the security of their clients' websites, both in terms of problems with customers and in terms of the resources spent on urgently solving a sudden problem.
9. In the past year, have you had any problems with customer complaints regarding security issues?

40% of web studios and agencies faced security problems in one way or another over the past year. This once again confirms the relevance of the issues discussed in our study.
10. Are there cases when, as part of a tender for the development of a project, you are separately asked to describe how you handle security issues?

Nearly 60% of studios do not encounter customer questions in tenders about how security is organized in the company.
On the one hand, this indicates a certain passivity and low customer awareness of these issues (despite the high urgency of the problem).
On the other hand, this gives companies that have set up the relevant processes well an additional marketing advantage, provided they take the initiative during presale and raise this aspect with the customer to stand out from competitors.
Profile of respondents
The respondents were also profiled as part of the study; this showed a distribution close to the overall market situation, which confirms the representativeness of the results obtained.
11. How many employees are there in your studio/agency?

12. In terms of developing Internet projects, what types of sites do you specialize in most?

13. Where are you located geographically?

Conclusions and recommendations
The main conclusion of the study is that the majority of studios/agencies do not consider security aspects relevant to their activities and do not pay enough attention to the related processes. Nevertheless, as our previous research shows, the problem is very real. For example, every seventh site in RuNet is at risk of financial loss due to security problems.
Recommendations to agencies/studios
- Check for weaknesses in the organization of your processes (for example, using the list of questions above as a checklist) and draw up a plan for gradually improving security-related matters.
- Set up in advance basic processes for monitoring and proactive protection of the sites the agency develops and supports.
- Respond promptly to updates of the CMS, web server and other software components involved in running the site.
- Use monitoring and proactive protection services across the entire fleet of projects (whether an external service or one built in, for example, into the CMS).
- Conduct explanatory work with customers, explaining the possibility of problems and the possible solutions.
- Periodically review the security policy with your own employees who have access to passwords, hosting, test servers, etc. Have them sign an agreement on compliance with security and confidentiality rules for customer data when hiring.
- Prepare in advance a short marketing document describing the agency's approach to security: processes, rules, services used, etc. Such a document can be an additional advantage when selling services and interacting with current customers (and an additional way to stand out from competitors).
- If the company cannot afford a full-time security specialist, we recommend arranging with an external expert who would help set up the processes and also quickly join in eliminating problems when they are detected (by staff or by automated monitoring systems).
- Check the contract and other legal documents for the relevant clauses on security issues.
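As an added example (not from the study and not SiteSecure's code), the following Python sketch shows what the change monitoring and hidden-link/redirect checks named in question 6 and in the monitoring recommendations above can look like in practice: it compares a page against a baseline hash stored at handover and flags links in hidden containers and meta-refresh or JavaScript redirects. The HTML snapshots and the example.invalid URLs are constructed for illustration.

```python
import hashlib
import re

# Constructed sample snapshots (not real client data): a baseline taken at
# handover and a later snapshot with an injected hidden link and redirect.
BASELINE_HTML = """<html><head><title>Client site</title></head>
<body><h1>Welcome</h1><a href="/about">About us</a></body></html>"""

CURRENT_HTML = """<html><head><title>Client site</title>
<meta http-equiv="refresh" content="0;url=http://example.invalid/landing"></head>
<body><h1>Welcome</h1><a href="/about">About us</a>
<div style="display:none"><a href="http://example.invalid/spam">cheap stuff</a></div>
</body></html>"""

# Heuristic patterns for what search engines typically penalise: links inside
# hidden containers, meta-refresh redirects and JavaScript location changes.
HIDDEN_LINK = re.compile(
    r'<(?:div|span)[^>]*style="[^"]*display\s*:\s*none[^"]*"[^>]*>.*?<a[^>]+href="([^"]+)"',
    re.I | re.S)
META_REFRESH = re.compile(r'<meta[^>]+http-equiv="refresh"[^>]*url=([^"\'>\s]+)', re.I)
JS_REDIRECT = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)', re.I)


def content_fingerprint(html: str) -> str:
    """SHA-256 of the page; store it at handover and compare on every check."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def find_hidden_links(html: str) -> list:
    return HIDDEN_LINK.findall(html)


def find_redirects(html: str) -> list:
    return META_REFRESH.findall(html) + JS_REDIRECT.findall(html)


def scan(baseline_hash: str, html: str) -> list:
    """Return human-readable findings; an empty list means unchanged and clean."""
    findings = []
    if content_fingerprint(html) != baseline_hash:
        findings.append("content changed since baseline")
    findings += [f"hidden link to {url}" for url in find_hidden_links(html)]
    findings += [f"redirect to {url}" for url in find_redirects(html)]
    return findings


if __name__ == "__main__":
    baseline = content_fingerprint(BASELINE_HTML)
    for finding in scan(baseline, CURRENT_HTML):
        print(finding)
```

In a real deployment the snapshots come from a scheduled fetch of each client site, and the regular expressions are only a first filter: a finding should trigger a manual review, not an automatic action.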
Recommendations to the customer
- When choosing a contractor, organizing a tender and in initial communication with agency representatives, be sure to ask how the company's security policy is organized. Include the relevant questions in the procurement committee's formal evaluation sheet (if such procedures exist in your company).
- With some regularity, ask your current contractors about changes/improvements in their processes in this area.
- Make sure the documents spell out the contractor's responsibility for incidents caused by its fault (as well as what is not the contractor's responsibility). Ideally, have a written procedure (SLA) for responding to the various types of incidents.
A series of webinars on security in the studio/agency
After analyzing the results of the study and understanding the scale of the problem in the agency market, our colleagues from SiteSecure decided to hold a series of free webinars on organizing an effective security function in studios/agencies. You can already sign up for these webinars on the special page; we recommend it.
The full version of the study and the expert comments can be found on the page of our special project.