Understanding the principles, methodologies, and processes behind how cybersecurity insurance ratings work is important to RCP Marketing (RCP) and our clients. Staying up to date with the ever-changing landscape of vulnerabilities and having plans to improve our hosting services is always a high priority. The following FAQs are for inclusion in cybersecurity reports regarding website hosting with RCP.
RCP MARKETING CYBERSECURITY INSURANCE RISK & RATING STATEMENT
CYBERSECURITY INSURANCE FOCUSES ON TWO AREAS:
Internal and External networks and applications associated with your business or organization.
Internal networks are never handled by RCP. Security for internal networks is handled by your IT company or your company's own employees.
Internal networks include things like:
- Company computers connected to your network
- Internal document servers
- Internal Exchange or Active Directory Servers
- Network devices like hubs, wireless hot spots, switches and routers
- Your network firewall and antivirus software
- Your client data and accounting information
External Networks & Applications are handled in a *limited capacity by RCP.
Security Examples NOT handled by RCP:
- Office 365 or Gmail cloud email services
- Cloud storage (e.g., Dropbox, Google Drive or Amazon S3)
- SaaS applications like Salesforce, HubSpot or ERP software
- E-commerce payments and accounting information
- Authorize.Net, PayPal, Square, Stripe and other payment gateways
Security Examples that ARE handled by RCP:
- Virtual Private Servers (as a GoDaddy Partner)
- Content Management Systems (WordPress core and plugin software)
- E-commerce systems (e.g., WooCommerce)**
*It is important to understand that the services managed by RCP are not connected to any internal or external network of your company. The hosting environment RCP manages consists of:
- The files that make up your website (e.g., code, images, videos, pdfs, etc.)
- A database to store the content on the website
- A mail server to send contact form and server status emails (that is NOT connected to your business email in any way)
- FTP access to update and edit the files and media on the website
- An SSL certificate
- RCP’s suite of backup and security software
- A web based login to content manage your website
- A web based login to manage the Virtual Private Server (please note, this is no different from web applications like Gmail or Dropbox)
RCP MARKETING HOSTING GENERAL FAQS
First, many of these assessment reports use language such as “possible issues” or “opinions based on other known network types.” Most of them carry fine print along the lines of: “Risk-related analyses and statements in this assessment are statements of opinion of possible risks to entities as of the date they are expressed, and not statements of current or historical fact as to the security of any entity.”
Essentially, these are guesses based on the type of network an outside scanner detected, not verified findings. Unfortunately, they are usually used by companies to scare you into making a purchase (such as a new piece of security hardware) or to justify higher insurance premiums.
RCP would fully support looking into any stated vulnerabilities should you wish to follow up with an additional assessment of your internal network. We recommend that this be performed by a qualified and experienced network security assessment firm. Furthermore, the only way to truly assess RCP's hosting servers is with a scan run on the server itself rather than from the outside, which we do on a regular basis.
This is typically because, when your site went live, RCP had your IT department point the A record for your domain apex (the “@” record) in your DNS configuration at a server we manage that hosts your public website. Your DNS zone is a set of records that tells the rest of the internet where your mail server (MX records), your public website (A records), and any subdomains that point to other services you manage are located.
For example, your mail could point at Office 365 or Gmail, and your file server could be in your physical office building or in cloud storage, while your public website is hosted with RCP.
Typical “scans” follow your DNS entries to wherever each one lives on the internet. In the case of your website hosting, the scan followed your A (@) record to one of our server IPs. RCP's servers are an external resource that is completely separate from, and not connected to, any of your internal data or financial assets.
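To see concretely what a scanner “follows”, here is an added example (not RCP's code or tooling, and not part of the original page) that parses a small constructed DNS zone and reports which hostnames resolve to the IP address an assessment flagged. The domain, hostnames and addresses are made up (reserved documentation names and ranges), and `parse_zone`, `names_pointing_at` and `mail_hosts` are names chosen for this example. Run the same check against an export of your own zone to confirm that only the website host shares the flagged IP and that mail and file services point elsewhere.

```python
"""Trace which DNS names resolve to the IP address a scan report flagged.

Constructed zone for a fictional domain: example.com is a reserved
documentation domain and the addresses are RFC 5737 documentation ranges,
so nothing here belongs to RCP or to any real customer.
"""
import ipaddress
import re

SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN A     203.0.113.10      ; public website, managed by the web host
www      IN CNAME example.com.
ftp      IN CNAME example.com.      ; FTP for site files lives on the same host
@        IN MX 10 mail.protection.outlook.com.   ; cloud e-mail, not the web host
@        IN NS    ns1.dns-provider.example.
files    IN A     198.51.100.25     ; office file server on the customer's own network
"""

# name, optional TTL, class IN, type, rdata
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+(A|AAAA|CNAME|MX|NS|TXT)\s+(.+)$")


def parse_zone(text):
    """Return (name, type, value) tuples for a simple BIND-style zone.

    Handles $ORIGIN, '@', relative names and ';' comments. It is a toy parser
    for illustration, not a replacement for a DNS library.
    """
    origin = ""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue                           # $TTL etc. are irrelevant here
        m = RECORD_RE.match(line)
        if not m:
            continue
        name, rtype, value = m.groups()
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = f"{name}.{origin}"          # qualify relative names
        if rtype == "MX":
            value = value.split()[1]           # drop the preference, keep the host
        records.append((name, rtype, value.strip()))
    return records


def resolve(records, name, _depth=0):
    """Follow CNAME chains inside the zone and return the addresses for name."""
    if _depth > 8:                             # guard against CNAME loops
        return set()
    addrs = set()
    for rname, rtype, value in records:
        if rname != name:
            continue
        if rtype in ("A", "AAAA"):
            addrs.add(value)
        elif rtype == "CNAME":
            addrs |= resolve(records, value, _depth + 1)
    return addrs


def names_pointing_at(records, ip):
    """Every hostname in the zone whose address chain ends at ip (sorted)."""
    target = ipaddress.ip_address(ip)
    hits = set()
    for rname, rtype, _ in records:
        if rtype in ("A", "AAAA", "CNAME"):
            if any(ipaddress.ip_address(a) == target for a in resolve(records, rname)):
                hits.add(rname)
    return sorted(hits)


def mail_hosts(records):
    """Hosts that receive the domain's mail, i.e. what an MX lookup returns."""
    return sorted(v for _, t, v in records if t == "MX")


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    flagged = "203.0.113.10"   # IP named in a (constructed) scan report
    print("Names resolving to the flagged IP:", names_pointing_at(recs, flagged))
    print("Mail is delivered to:", mail_hosts(recs))
```

Running the script shows that the flagged address is reached only through the apex, `www` and `ftp` names (the public website), while mail is delivered to a separate cloud host and the office file server sits on another address entirely. That is the separation the assessment report should be read against.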
The short answer is typically no. Virtual servers are essentially hosted cloud services. For a website server to work it needs certain things: a database, disk storage in the cloud, a way to email administrators when there is an error or a contact form is submitted, and a way to reach the server to modify files (through FTP or a web based login). These cannot be turned off any more than you could ask Google to turn off Google Drive because you only use Gmail; they are all part of the overall service that makes it work. They can, however, be restricted and monitored rather than removed.
Things you should know:
(1) Your hosting through RCP is not connected to your internal network and poses no risk to the data on that network.
(2) Hosting through RCP resolves to a completely separate IP address in your DNS entries.
WooCommerce and RCP Marketing
RCP uses WooCommerce as our e-commerce platform. The payment gateways (e.g., PayPal, Square, Stripe, Authorize.Net) do not store any credit card or other financial information on RCP's servers. Transactions are redirected to the processor, and the customer is handed back to our servers once the transaction is complete. The payment gateway account belongs to the client. The security of any payment processor is the responsibility of that processor and is subject to the federal and state laws governing online financial transactions.
The only e-commerce data stored on RCP's servers is:
• User accounts created to log in to a store (username, email, and the password, which WordPress stores only as a salted hash, never in plain text)
• In some cases customer addresses for shipping purposes
• Identifiable purchase history
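As an added illustration of the handoff described above and of what the store ends up storing, the following is example code written for this page, not WooCommerce's code or any gateway's actual protocol. It models a hosted-checkout flow: the store redirects the customer with only an order reference and amount, a simulated gateway collects the card on its own page and returns a signed result, and the store records the payment only after verifying the gateway's signature and the order details. `GATEWAY_SECRET`, the gateway URL, and the field and function names are assumptions for the example; every real gateway defines its own fields and signing scheme.

```python
"""Model of a hosted-checkout handoff.

The merchant's web server never receives card data, and it only trusts a
gateway response whose signature verifies. This is an illustrative model,
not the protocol of PayPal, Stripe, Square or Authorize.Net.
"""
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Shared secret between merchant and gateway (constructed value for the example).
GATEWAY_SECRET = b"example-shared-secret-not-a-real-key"


def sign(params, secret=GATEWAY_SECRET):
    """HMAC-SHA256 over the canonical (sorted) query string of params."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def _params(query_string):
    """Query string -> flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(query_string).items()}


# --- merchant (store) side ---------------------------------------------
def merchant_create_redirect(order_id, amount_cents, currency="USD"):
    """Step 1: hand the customer off to the gateway's hosted payment page.
    Only the order reference and amount leave the store; no card fields."""
    params = {"order_id": order_id, "amount": str(amount_cents), "currency": currency}
    params["sig"] = sign(params)
    return "https://gateway.example/checkout?" + urlencode(params)   # hypothetical URL


def merchant_handle_return(query_string, expected_order_id, expected_amount):
    """Step 3: the customer comes back. Verify the signature and the order
    details before recording anything, then keep only the transaction reference."""
    params = _params(query_string)
    sig = params.pop("sig", "")
    if not hmac.compare_digest(sig, sign(params)):
        return {"accepted": False, "reason": "bad signature"}
    if params.get("order_id") != expected_order_id or params.get("amount") != str(expected_amount):
        return {"accepted": False, "reason": "order mismatch"}
    if params.get("status") != "approved":
        return {"accepted": False, "reason": "payment not approved"}
    # This is the entire payment record the store keeps: no card data at all.
    return {"accepted": True, "order_id": params["order_id"],
            "transaction_id": params["txn"], "status": params["status"]}


# --- gateway side (simulated) -------------------------------------------
def gateway_process(redirect_url, card_number):
    """Step 2: the gateway collects and charges the card on its own page and
    sends back a signed result. The card number never appears in the result."""
    params = _params(redirect_url.split("?", 1)[1])
    if not hmac.compare_digest(params.pop("sig", ""), sign(params)):
        raise ValueError("merchant request failed signature check")
    # A real gateway authorizes the card here; this stand-in only decides
    # approved/declined from a constructed test number and then discards it.
    status = "approved" if card_number.endswith("4242") else "declined"
    result = {"order_id": params["order_id"], "amount": params["amount"], "status": status,
              "txn": "txn_" + hashlib.sha256(params["order_id"].encode()).hexdigest()[:12]}
    result["sig"] = sign(result)
    return urlencode(result)


def tamper(query_string, **changes):
    """Simulate a customer editing the return URL (e.g. declined -> approved)."""
    params = _params(query_string)
    params.update(changes)
    return urlencode(params)


if __name__ == "__main__":
    url = merchant_create_redirect("order-1001", 1999)
    back = gateway_process(url, "4111111111114242")   # constructed test card
    print(json.dumps(merchant_handle_return(back, "order-1001", 1999)))
    print(json.dumps(merchant_handle_return(tamper(back, amount="1"), "order-1001", 1999)))
```

The point of the `tamper` helper is the check a store must make: the status and amount in the return URL are under the customer's control, so the store accepts them only when the gateway's signature over those exact values verifies. The stored record (`order_id`, `transaction_id`, `status`) is the kind of identifiable purchase history listed above; the card number only ever existed on the gateway's side.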