If you have a website/ web application, you are on the hit list of cyber-attackers. With the increasing number of websites globally (1.9 billion at present), the attack surface available for cyber-attackers is mounting. Combined with the technological advancements at their disposal, it is immaterial if you have a simple blog or a high-volume e-commerce website there is a high risk of cyber-attacks. It is especially so if you do not have a proactive website security strategy and holistic measures.

Statistics point out that 50-65% of all cyber-attacks in the past year have been aimed at small and medium businesses. This is because they do not take cybersecurity seriously and assume that attackers are looking to fry bigger fish. The reality, however, is that cybercriminals are looking for vulnerabilities and gaps in web applications/ websites that they can exploit. This makes the choice of website security provider critical.

To enable you to make the right choice and avoid hidden costs, we have compiled a set of 5 questions to ask service providers before making the choice.

Questions about website security:

What are the inclusions in the web application security solution offered?

A simple automated firewall will not suffice. As mentioned earlier, the sophistication and gravity of cyber-attacks are intensifying. So, the security solution should be able to give your business the first-mover advantage to be one step ahead of attackers and continuously secure your web applications and websites. To this end, your service provider must offer an automated web scanning tool, an intelligent, comprehensive Web Application Firewall (WAF) combined with round-the-clock monitoring and services of certified security professionals.

So, you must compare the different plans offered to see if the service provider offers all of this. You may want to find out how many manual pen-tests will be done, how many pages will be scanned, what kind of involvement can be expected from the security experts and so on. With AppTrana, for instance, you will get a fully managed, round-the-clock, cloud-based security solution with zero assured false positives.

Will the WAF make the website/ application slow?

Today, the speed of the website is an important aspect of the UX and when websites take longer to load, the customers just bounce and move onto a competitor’s site. Often, the WAF is placed on the server (for instance, as a plugin) which will run down server resources and make the website slow and inefficient.

Cloud-based solutions like AppTrana are placed between the web traffic and your website’s server. From this vantage point, the WAF is able to monitor all web traffic, detect threats and vulnerabilities effectively and instantaneously block malicious requests. The website security checks and automated everyday scanning happens in the background, without slowing down the website’s speed or efficiency.

Additionally, AppTrana also offers free CDN services to its customers to accelerate their website and reduce latency while maintaining high standards of security.

Web Application Scanning

Will the solution be customized to suit the risk profile, posture, and needs of your business?

The risk posture, profile, and needs of businesses differ widely. So, it is obvious that web security should also be customized to meet the differing needs of your business. Before onboarding with a service provider, find out if they allow custom rules to secure business logic vulnerabilities, custom-build the solution based on your current risk posture and make changes to the solution based on continuous monitoring of the risk posture. Choose a service provider who understands your business well.

Questions about incidence response and ongoing protection:

If your website has already been infected, you cannot lose time. Or else, your business will face heavy losses. So, it is crucial to know what the service provider will do if you go to them after the attack has happened.

Will the incident response be automatic or manual or managed?

While complete manual fixing will be time-consuming, automation can help achieve speed in response. However, not all attacks can be fixed automatically by bots which are often deployed by service providers to clean up malware from the website; intervention by security experts is essential in many cases. Choose a managed security solution so that you have the benefit of speed and human expertise without having to shell out extra for the manual cleaning.

Is there ongoing protection after the cleanup?

If you just on-boarded for a website cleanup/ website security check with the service provider and your website is re-infected quickly after, what happens then? Will there be a new charge for the cleanup? What happens when there is cross-site contamination? Does the service provider offer ongoing protection such as WAF after the cleanup?  Find out the answers to these questions before onboarding to avoid hidden costs and to maintain website security.

Choose and invest in the right web security provider so that you focus on your core business while they focus on keeping your website secure.