You’ve Been Hacked!

A financial services company provides a website portal for their clients to access their investment accounts. Clients visit frequently to review their accounts and browse the company’s rich library of helpful information about saving and investing. One afternoon, while the company president is at lunch with a client, he receives a panicked message from his IT manager: the site has been hacked and an ISIS banner is prominently displayed on the home page. After the initial clean up and damage control, the president vows that they will never again risk such an event, and demands that marketing and IT do whatever it takes to make the site 100% secure.

It is not uncommon for business websites to get hacked, and vowing airtight security begs a host of questions:

  • How secure can any site really be?
  • What are the best practices for sites requiring strong security?
  • What are the additional costs of building a site with maximum security? Is there a point of diminishing returns?

How Secure Can Any Site Really Be?

“The first thing I…tell website owners is that security is about risk reduction, not risk elimination. You must get your head around this simple fact…there is no such thing as a 100% solution to staying secure.”
-Tony Perez, Sucuri

Website attacks generally fall into two categories: automated attacks of opportunity (by far the most common type) and targeted attacks (the type more likely to hit larger entities or governmental organizations). To be frank, at some point one of these will likely happen to your site. It’s not so much a matter of if a site will be attacked, but when. However, taking well-planned and reasonable steps to prevent hacks puts the odds in your favor. Many of the horror stories we hear about, like the 2013 Target hack, are the result of human failure, not of the software or applications themselves. Most commonly, people fail to follow processes and best practices in IT management, website maintenance, and updating.

What are the generally accepted best practices for sites requiring high security?

It begins with experienced developers who understand the current applications and best practices for building a site. They should know the most likely points of vulnerability, and how to write code that validates input: accepting the data the site expects, and rejecting potentially harmful data. They should also understand how to plan and build for enterprise-level security, and which hosting applications can help manage security risks.

Once a site is built, it’s chiefly about who gets access. Basic security precautions should be implemented (e.g., making sure credentials are not obvious or guessable, and are changed regularly), and the site should be properly maintained as new software patches and updates become available. It’s also important to have the right hosting setup, and applications that monitor for security risks. Lastly, have a response plan for how to handle such threats, and, worst case, a malicious hack. This includes keeping a separate, current backup so your site can be restored immediately.

There are costs to maximizing security when building the site. Is there a point of diminishing returns?

One can make the case that a more secure site is one that is custom built from the ground up. However, significant liabilities come with a custom-built CMS (Content Management System), compared to off-the-shelf CMSs like WordPress or Joomla:

  • It’s much more time consuming, and thus more costly, to build
  • If your developer or IT person goes away, so does the one repository of knowledge of your CMS and how it was built. Code can be as individual as people, so bringing in another developer would be time consuming and expensive
  • A home-grown system does not guarantee security. In fact, even if built perfectly, such systems are notoriously unreliable over time because owners fail to keep them updated

The advantage of going with an existing content management system (CMS) solution vs. custom development is the availability of functionality that makes content management easier and less costly to implement and to keep updated. These systems are constantly improving because they are open source platforms. (Open source software is software whose source code is available for modification and distribution by anyone.) The White House, the FBI and the CIA all use open source software for their websites, rather than custom code built from scratch. The core features to look for in a decent Content Management System include:

  • Strong security
  • Theming functionality
  • Page templates
  • Menu systems
  • Blocks/widgets
  • User/role-based authentication and access control
  • Revision control
  • Regular updates

Along with these core features, a CMS should have the capability to support modules, plugins, and extensions. There are various prominent open source and third party licensed extensions that bring enhanced functionality to a CMS. These enhancements include search engine optimization, tools for analytics, social network integration, etc. Of course, all should be added with the understanding that security is a priority.

The most widely used CMS platform is WordPress, and with proper development and maintenance, businesses experience minimal security problems. The New York Times, CNN, Sony, UPS and IBM all use WordPress. For companies with extreme security concerns, there are other CMS platforms, such as Drupal, that are solid candidates for consideration. Drupal has strong coding standards and a rigorous community code review process that gives it security and stability.

“Security is hands down the biggest differentiator between WordPress or Drupal. Drupal has enterprise level security and site scale. Numerous government websites are built with Drupal, with the most famous being Whitehouse.gov.”
-Adam Hermsdorfer, Big Tuna Interactive

Currently The Economist, Cisco, Voya Financial (formerly ING U.S. Inc.), Novartis, GE, Pfizer, U.S. Department of Transportation, The White House, and many more entities are using Drupal.

Ultimately, there is no 100% secure system. A mature CMS with a proven track record provides the best return on investment, due to the amount of existing development that can be leveraged. Following the best practices for maintenance and updates is a practical and effective way to keep your site secure, without having to re-invent the wheel in an effort to maintain full ownership of the codebase. In addition to the CMS platform, there are content delivery networks (CDNs) that can be placed in front of your site to reduce the workload, as well as act as a website firewall. (But that’s another blog.)

The best website security is proactive prevention.

Hire the right experts to help you implement best practices, including the initial site development, proper hosting, and ongoing maintenance. Have a smart access and content management process, and make sure your team has an action plan in place to manage a security emergency. Follow these tips to reduce your risk of being hacked.

Does your site have the proper security built in? Do you need to learn more about proactive maintenance to minimize risks? Just click the button below.

Four Keys to Eye-Popping App Design

With Great Resolution Comes Great Responsibility

Today’s technology gives us access to devices with extremely high resolution and amazing display capabilities – but not all devices (and all users) are created equally. And as with any comic book superhero, this great power can be used for good or for not-so-good. In other words, with great resolution comes great responsibility. To avoid going to the dark side, do not get caught in these high-res pitfalls.

Avoid the Squeeze Play

When designing for high-res displays there may be a desire to push the limits of size and spacing of interactive elements, squeezing more and more functionality into a single screen. Fingers are not as precise as mouse-based cursor inputs, so don’t get carried away here or your users may struggle. Users may attempt to tap on what they think is a touch control, but if they miss a too-tiny touch zone they may think that it is not actually a control after all. End result: user exits stage left frustrated and confused. When considering the appropriate size of touch zones for interactive elements (and spacing between elements) think about who will be using the app. For example, if you are designing an app for young children, their finger size is much smaller; however, their manual dexterity and fine motor skills may not be fully developed, therefore requiring a larger target zone for tapping.

Just Because You Can, Doesn’t Mean You Should

Small font size and extremely fine detail may be possible on high resolution displays but may interfere with ease of use. Just because your device can graphically support a clear rendering of a 4-point font does not mean you should take advantage of that capability. The size of text, level of graphic detail, and related color choices should fit the unique needs of your app audience. Again, it’s really important here to consider who will be using your apps. If you are designing a dating app for seniors, the visual acuity and color perception of your users is going to be much different than an app targeting high school baseball players.

Aim to add fine graphic details and extra text only when they buy their way into the app by adding value. Does the extra detail aid the users’ understanding of an icon, make navigation clearer, or reduce scan time? If so, congrats! You’ve made the team!

Prevent Brain Freeze

We all know about brain freeze, right? Eating too much ice cream way too fast – brain freeze! Well, brain freeze can also occur when you’re hit with too much information too quickly. With high-res displays, avoid the urge to overwhelm the user with too much information all at once just because it is easier to fit more content onto a single screen. The thinking may go something like this: More Info on One Screen = Fewer Screens = Better Experience. However, going this route may actually have the opposite effect, making the user’s experience less efficient and less enjoyable by bogging down the user on a content-heavy screen that they simply may not tolerate. Again, the end result is the user exiting stage left to find the next app on the list.

Establish early in the design process the specific tasks that will be accomplished in the app, as well as the associated information required for the user to successfully accomplish these tasks.

As you are designing the app, walk through mockups screen-by-screen to ensure you are providing the right level of information at the right time for your users. Allow them to effectively complete the desired tasks without overwhelming them. Whenever possible, simplify the experience to guide the user in a clear, intuitive manner that makes them want to keep exploring. An extra screen or two may be okay if you are simplifying each interaction and reducing the cognitive burden of the user throughout the experience.

Honey, I Shrunk the Icons

When developing your app you want to establish a good sense of the range of devices on which it will likely be used, and prepare your design accordingly. Make sure that your app display does not get lost in translation when being rendered on a lower resolution device – not everyone is on a Retina display yet. Device canvases vary greatly between high and low resolutions and between mobile phone and tablet platforms. Make sure you are able to appropriately scale your design for the full range of devices you expect to be used, so that you do not alienate any segments of your market.

If you want your app to stand out in the vast wilderness of the app store, take an extra second to consider both the available display capabilities and your users’ unique capabilities and limitations. There are a lot of choices available in the app store so please design responsibly when going high res!

Thinking about a new mobile app for your business? We can help. Learn more about our mobile app development team or contact us with any questions you may have about the app design and development process.

Unreasonable Responses to Reasonable Requests

Why would a professional designer take a suggestion from a client who works in an entirely different field? It’s not as crazy as it sounds. Sometimes clients have good ideas and it is a designer’s responsibility to listen with an open mind.

Two examples of bad responses to client requests suggest the advantages of a respectful give-and-take between businesses and their marketing partners. The stories highlight two extremes on the spectrum of how creative companies deal with suggestions from their clients.

One example comes from the case files right here at Red Letter Marketing. In our first discovery meeting with a new client, one of the things we discovered was how badly the company had been treated by its previous web design vendor. As a new website had taken shape over a period of several months, the client had posed reasonable questions concerning some of the creative decisions made by designers at the web firm. Among them: Are you folks sure (our new client had asked) that the headline font you’re using (the H1 font, in HTML-speak) is the best choice?

The response from the design firm was to send the client a link to Google Fonts, with a suggestion that he find one he likes. In a bizarre exaggeration of accommodation to client wishes, the design firm had simply sloughed off its role as experienced guide through the subjective decision-making process of font choice. When we heard this story, we realized that our client had been so ill-advised that we couldn’t wait to show him what a real marketing partnership is like.

At the other extreme is the creative individual who will brook no suggestions at all from the company funding the project. My favorite example of this behavior occurs in Ayn Rand’s novel The Fountainhead, in which architect Howard Roark responds to changes made to his building design by, um…well, by blowing up the building.

Howard Roark might have had a legitimate beef. Maybe the design changes were bad ideas. But—dude. Dynamite? It’s a bit showy. Rand mimicked her character’s behavior when she learned that Roark’s speech to the jury had been trimmed in the screenplay of the movie starring Gary Cooper. In a fit of pique that lasted the rest of her life, she refused to sell the movie rights to Atlas Shrugged.

The vast majority of web designers avoid the use of explosives to make their point. And yet, a dismissive attitude to client requests is all too familiar. Ironically, the most unyielding creative people often attract a particular type of loyalty from clients who are reassured by their certainty.

Creative decisions are founded partly in reason and partly in a mysterious “gut feel” that arises from the interplay between a designer’s innate taste and the mix of current design trends. Designers call on their gut every day and each time they do, it gets stronger. So it’s more likely that a working designer will make, say, an appropriate font choice than would an accountant who may be looking at the bewildering variety of font choices for the first time.

But a designer who listens carefully to a client request is increasing the odds of creating something worthwhile. It doesn’t mean she must necessarily take the suggestion. But the willingness to consider its possible validity is a sign of openness that will serve both her and the client well. Legendary ad man Bill Bernbach made a shtick out of carrying around a card conveying the thought “Maybe he’s right.” While the card itself may have been a bit of show-biz, the sentiment strikes me as one that still rings true.

Websites, like cars, require maintenance.

At Red Letter we specialize in helping our clients get the right site for their needs. That might require building a new custom site, a templated site, or updating their existing site. But no matter what, we also know every site requires regular maintenance, and we want you to understand why.

Website functionalities are constantly changing.

Clients are often under the impression that once their site is built, it will function flawlessly forever. Sadly, there is no such thing (because if there was, we’d build only that). The fact is websites need routine upkeep and adjustment, much like cars, to keep things running smoothly. The environment in which your site functions changes every day, and that means your code and software require regular maintenance to stay on pace.

Because we’re familiar with cars, we know better than to think that driving one off the lot means it won’t need gas or oil. But where the web differs from the road is that it’s not the car that’s slowly changing, but the road. Essentially, you need to adjust your vehicle to the landscape – a landscape that, for better or worse, you’re constantly navigating. You wouldn’t dare take your heavy, bald-tired pickup down a rainy Seattle highway, even though it’s perfectly fine to drive 300 days a year in Arizona. Transfer that attitude to your site, and it seems obvious you’d want to keep everything safe and smooth.

Invest a little on regular maintenance or spend a lot to recover after you’ve lost prospects.

The expectation that a fresh site should never require care comes from 1) the desire to save money, and 2) unfamiliarity with the way sites work. The first can be dismissed easily using our car metaphor. Refusing to replace your wiper blades because your car still runs is absurd. Driving involves much more than a solid vehicle. There’s a user to consider, and if that user faces complications, your running engine is useless.

The latter is simply a matter of being unacquainted with how sites function. Most of the websites you use and visit every day – particularly those utilizing databases (like Google and Amazon) – contain countless lines of code, and rely on software that runs on your web host. The strength of each system varies, but odds are the code within was written by several developers at different times, and with different skill sets. Much of this is “open source,” or code made available to the general public for use and/or modification from its original design, completely free of charge. Needless to say, this code changes often and drastically, and a site that is not kept in step with those changes malfunctions. Pages load slower, links break without warning, and most importantly, it’s a security risk.

The familiar threat to neglected sites is hackers (and other digital villains) who search for vulnerabilities in code, and don’t mind throwing kinks in yours to get at the information they want. If you’re even vaguely familiar with code, you know that, like Christmas lights, one glitch can cause the whole shebang to go dark. The fallout from a site hack is devastating, and reinstalling from a backup won’t always cut it. Whatever data was processed between the breach and the reinstall is likely lost to the ether. For businesses that can mean lost leads, or in the ecommerce world, missing orders.

You must understand and address exactly how your site was exploited – that means fixing existing damage, and upgrading the code (and themes, and extensions) to run the latest software so it doesn’t happen again. And if you were worried about the expense of routine maintenance, these fixes can cost far more. Put that on top of the lost revenue during downtime, and you’re looking at a hefty bill.

Regular website maintenance assures smooth and secure operations for both you and your site’s visitors. Without it, things will start to chip away – and that’s if nothing bad happens. At its worst, unmaintained sites get exploited through outdated source code, bringing down the castle walls.

Users expect everything to function predictably, and they will quickly leave your site if it’s not working as expected.

To keep everyone happy, and your business well represented, get that oil changed methodically, and adjust your equipment to the road. Invest in website maintenance.