Sandstorm Blog

Janna
ACOEM's New Website Wins a dotCOMM Gold Award for Its Intuitive UX and Enriched Member Experience Built In Kentico

About

American College of Occupational and Environmental Medicine (ACOEM) is the leading association of medical professionals who advocate and oversee the health of workers, the safety of workplaces and the overall quality of environments.

The Challenge

ACOEM’s website and several related microsites relied on outdated technology and an ineffective user experience that reflected neither the mission of the association nor the needs of the occupational and environmental medicine community. The content was extremely deep and depended on a poor search experience, which often led users to contact the help desk, putting unnecessary strain on staff, or to abandon the site.

Goals of the redesign included: ensuring the site informed users about occupational and environmental medicine (no tree-doctors need apply); single sign-on for critical member benefits; reaching emerging professionals entering the workforce (career ops, connecting with peers, educational content); and offering special interest communities to connect and increase member engagement.

The Solution

The new site needed to be clean, intuitive, mobile-first with integrated faceted search, while delivering a robust administration experience for ongoing content management by ACOEM staff.

ACOEM wanted the new site to work from the existing marketing materials, but not be a slave to the printed brand. Sandstorm knew going straight to visual UI layouts would not give the teams the opportunity to work together—to “Yes, And”, which is one of Sandstorm’s guiding principles for our creative work. Because of this, Sandstorm began the UI process with brand/mood boards in order to gain alignment on the visual direction. Once a brand/mood board was selected, Sandstorm quickly transitioned into visual user interface designs with a mobile-first strategy.

We also identified that the navigation was going to be broad and deep, resulting in a dense navigational structure. ACOEM was extremely motivated to use a unique mobile-first drawer pattern for the navigation on all viewports. This innovative navigation resulted in a very clean experience that was user-friendly and unique within the association space.

Sandstorm’s UX and Kentico-certified development team worked collaboratively to build the page layouts using a form-based model instead of an open structure. This approach enabled the site to embody a consistent user experience while making site content and image updates intuitive and easy to manage for the ACOEM team. Knowing search was fundamental to the overall user experience, we leveraged Kentico’s tagging, categorization, Google sitemap, and Smart Search to significantly improve the relevancy and findability of key content, and we integrated with Fonteva’s AMS to deliver a personalized member experience.

The website was a critical part of ACOEM’s overall digital transformation journey led by our partner, .orgSource, as they helped modernize the technology landscape including new software for the AMS, finance and workflow analysis.

The Results

The dotCOMM Awards honored the American College of Occupational and Environmental Medicine and Sandstorm with a Gold award for excellence in web creativity and digital communications in the association space. Check out the new ACOEM site.

The 2019 dotCOMM Awards is administered and judged by the Association of Marketing and Communication Professionals (AMCP), one of the largest, oldest and most respected evaluators of creative work in the marketing and communication industry.

Since launch in January 2019, ACOEM has seen significant improvement, including:

  • User interactions (sessions) increased 32%
  • Return visitors increased 18%
  • New users (no prior sessions) increased 13%

Sandstorm continues a strong partnership with ACOEM and provides ongoing UX/UI improvements, development and AMS integration support and maintenance for the site, including data analytics to drive key insights for optimization. In addition, to further extend the Kentico platform, Sandstorm is building much-improved Member and Find a Provider searchable directories that leverage key user data stored in Salesforce (Fonteva), as these are highly visible (and highly utilized) features of the site.

This blog was posted by Janna on August 20, 2019.
Janna Fiester

About the Author

Janna Fiester

Sandstorm's VP of UX & Brand Innovation, Janna, is a design-thinker. Showcased in several design publications and exhibited at the Art Institute of Chicago, she is talented in taking nuggets of good ideas and nurturing them into solutions that are always strategic, engaging and visually delightful.

Amanda Heberg
Search-driven web experience for the National Business Institute

The National Business Institute is a professional association providing continuing legal education (CLE) for attorneys and paralegals for over 35 years and delivering over 18,000 in-person and on-demand resources.

The Challenge
While NBI’s live seminars and OnDemand resources lead the industry, their website and subscriber experience were trailing behind. NBI partnered with Sandstorm to create a personalized, user-centric (and most importantly, revenue-driving) experience for existing subscribers, transactional customers, and prospects.

The Solution
Sandstorm began with user research that identified the motivations and expectations of each type of customer. Then we crafted a myriad of user flows based on user groups, along with an extensive site map, navigation, wireframes and creative, to align each step in the purchase process with those expectations.

By conducting usability testing, we uncovered user needs, expectations, and insights, including:

  • Key statistical information on the homepage was much more impactful to key audiences than customer testimonials.
  • Specialty credit details belonged in the search results, since this is a key identifier in the selection of a course and in the purchase process for users.
  • Users wanted stronger use of color throughout the experience, while still honoring the blue that NBI was well known for.

Because findability and conversion were primary goals, we needed to determine how best to integrate a robust search throughout the experience. The final site includes multiple layers of search exposed within the experience to ensure users can quickly and easily find desired courses in the format they wish to consume them.

Personalization was also key. Sandstorm worked closely with NBI’s development team to build in targeted courses based on a user’s geolocation and schedule (recommended courses, happening soon, and best sellers).

As NBI was shifting its business model to put more emphasis on subscriptions vs. one-off courses, the conversion path to becoming a subscriber needed to be clear and a slightly different experience from that of an individual visiting the site for the first time.

And, knowing the mobile experience was critical to these users, we crafted and deployed a fully responsive experience, including personalization based on returning users vs. new users to the site.

Finally, we extended the user experience and creative via front-end development and collaborated closely with NBI’s in-house development team to ensure the experience seamlessly integrated with NBI’s back-end CMS, technology and complex e-commerce systems.

The Results
The Hermes Creative Awards honored the National Business Institute and Sandstorm with a Gold award for the agency’s redesign of the NBI website.

The 2019 award winners were announced by the Association of Marketing and Communication Professionals (AMCP), which administers the annual Hermes Creative Awards international competition.

In addition, the website has experienced significant improvement, including:

  • Organic SEO positioning has increased by 20%
  • Conversion rates are up 12% year over year
  • Higher search and filtering traffic that converts at a much higher rate than the prior site experience
  • Extremely positive feedback from subscription-based customers on the streamlined and much-improved checkout flow


“Thank you for your help. The site looks great and we couldn’t be happier with what you did for us.”

Jim Embke - Managing Director, National Business Institute

This blog was posted by Amanda Heberg on April 30, 2019.
Amanda Heberg

About the Author

Amanda Heberg

As the VP, Business Development, Amanda leads new business development, sales, partnerships and marketing strategy across Sandstorm. Amanda collaborates closely with new clients to build strong, long-lasting partnerships while aligning Sandstorm's capabilities to solve client business problems.

Amanda Heberg
The Society of Actuaries innovates with an Interactive Toolkit in Drupal 8

The Society of Actuaries (SOA) is the pre-eminent association for the actuarial profession. With over 30,000 actuaries as members, the SOA’s mission is to advance actuarial knowledge and the ability of actuaries to provide expert advice and solutions for financial, business and societal challenges.

The Challenge

In line with their mission, the SOA wanted to take the conceptual idea of an Actuarial Toolkit and bring that to life in Drupal 8 as a web application. The SOA's existing Glossary App needed to be redeveloped into a web app, in addition to incorporating data from multiple websites.

The SOA kickstarted the project internally with some baseline requirements and initial design mock-ups to support the reimagined Actuarial Toolkit. Sandstorm was able to quickly collaborate with the SOA and build upon the work completed, in order to begin transitioning into more detailed user experience and technical requirements. 

The Solution

The SOA partnered with Sandstorm to build an interactive web application that delivered a variety of online resources for actuarial candidates, actuaries, and actuarial analysts. Together with the SOA, we identified Drupal 8 as the optimal platform, offering a high level of flexibility and a scalable development framework to support the desired interactions along with a robust mobile experience.

With a Drupal-based solution and our proposed technical architecture, we were able to provide a scalable framework for the SOA to expand and grow to support the other SOA applications. The goal was to make it simple for the SOA to build out new solutions over time, without significant investment each time. The architecture also supports opportunities to transition to a headless Drupal solution (if desired in the future), which could be used to drive native mobile apps.

In addition, the Actuarial Toolkit supports the longer-term vision and consolidation of its online tools to support the Actuarial Profession.

The Actuarial Toolkit includes the following features:

  • Interactive Actuarial Glossary including over 500 peer-reviewed definitions, concepts and practice area terminology for those working with Actuarial Science
  • Bookmarking to save favorite pages in the toolkit
  • Flashcard function to display glossary terms saved for quick access and review
  • Main hub for practice areas, giving users access to pre-defined mathematical definitions and data templates used in the profession including curated live illustrations of actuarial and mathematical concepts using R
  • Integrated Single Sign-On experience with the SOA’s Association Management Software system and website so users can move seamlessly through the entire web experience

The Results

The SOA launched the new Actuarial Toolkit after working for many months curating the content and finalizing the industry definitions and terminology to ensure a highly usable, high-touch, personalized experience. Overall feedback has been incredibly positive from the SOA membership and community, not only offering an interactive suite of tools to advance learning in the profession but also giving the users even more personalized experiences that they can control.

https://actuarialtoolkit.soa.org/

This blog was posted by Amanda Heberg on April 22, 2019.

Sandy
3 Digital Trends Associations Should Start, Stop and Continue Doing

As part of our annual review process we use the start, stop, continue retrospective technique. We've found it's a great way to recognize successes and opportunities for growth for individuals, teams and organizations. Thinking about the digital transformations we've seen with associations lately, below are some retrospectives on what we see trending with membership organizations. 

START
Creating a culture of data. Using data to inform your decisions and weaving that into everything you do is critical to success. We are working with an association today where we're collecting and analyzing data to identify educational gaps and drive new products (and revenue). We're also utilizing data to drive content and functional requirements on new website builds to improve the member experience. By taking a fresh look at member data for a global membership organization, we were able to re-interpret the data and create new marketing campaign messaging to increase membership and product sales. The combination of qualitative and quantitative data helps associations turn subjective decisions into objective ones. Even when we're talking creative and UX – data science for us plays a huge role.

STOP
Stop building websites in proprietary technologies on a web dev shop's server, as you are trapping yourself and it’s completely unnecessary now. Many leading associations are utilizing off-the-shelf content management systems like Drupal, Kentico, etc. to integrate with their AMS and LMS systems, provide personalized member experiences, and track analytics and KPIs. Then you have options when it comes to supporting your chosen system. You can choose to have the original digital agency maintain and support your site, you can select a new partner for support, or you can bring it in house. We also recommend you own the hosting relationship with a 3rd-party provider such as Rackspace, Azure, or AWS so you are never "stuck". We have taken over the maintenance and support for so many association websites that didn't get the service, attention to detail, or strategic thinking to drive their association forward, and it was all possible because of the CMS they selected (the transition is always smoother when a 3rd-party hosting provider is involved, though it isn't necessary).

CONTINUE
Continue focusing on member engagement, member value and the overall member experience. This is what we love most about associations. It doesn't matter if you're a trade association or medical, large or niche: everyone shares a common mission to help their members become more than they can on their own. One of the most common challenges and motivations we've seen for launching a new website overhaul is to improve the members' online experience and increase online member engagement. And we get it: we, too, are all about the user. When you look into the member journey, remember at every touchpoint that we're all just people trying to be the best version of ourselves. Keep alive the humanity that your organization has already mastered.

This blog was posted by Sandy on February 19, 2019.
Sandy Marsico, Founder & CEO

About the Author

Sandy Marsico

Sandy Marsico is the founder & CEO of Sandstorm®, a digital brand experience agency that turns consumer insights into engaging user experiences through our unique blend of data science, brand strategy, UX and enterprise-level technology.

Jeff
Sandstorm developers Joe Ruel and Jeff Umbricht at DrupalCon 2018

Every year since 2005, the Drupal community has flocked to DrupalCon to learn, explore and share. This year, the Sandstorm® team headed to Nashville, Tennessee, site of DrupalCon 2018, to get the latest updates on one of our favorite CMSs, find inspiration, and get our hot-chicken fix. Here are a few of the things we took away from this year’s conference.

1. “Clients buy solutions not code.”

Software wizard Vladimir Roudakov reminded us that no matter how impeccable and innovative our code looks, what’s most important to our clients is that our code solves the problems they’re facing. It was a great message to ground us throughout our time in Nashville.

2. By 2020, there will be more than 50 billion connected devices, and
3. Most traffic on the internet is non-human

Developer advocate Emily Rose made a pretty compelling case for why we’ll be developing for humanoids in the not-so-far future. With 61% of the internet made up of bot traffic and connected devices estimated to outnumber people 6:1 in two years, that’s a concept that’s hard to argue with.

4. Increasing page speed by one second can increase conversion by 27%

Google announced that by July 2018, page speed will be a ranking factor for mobile searches. For businesses to reach that coveted first position in the search engine, they’ll need to make sure their site loads lightning fast. And the reward, a big bump in conversion rate, will be worth it.

5. Drupal makes big dreams a reality

To celebrate the total solar eclipse, Miles McLean and Ken Fang used Drupal to create a once-in-a-lifetime viewing experience, integrating more than 20 video feeds and a real-time tracker. Forty million people used the tool to see the solar eclipse.

If you’re looking to do big things with your website, drop us a line.

This blog was posted by Jeff on May 2, 2018.
Jeff Umbricht

About the Author

Jeff Umbricht

Jeff is an Illinois native with a passion for web development. Making code into great things drives him every day. He’s often busy building awesome experiences for Sandstorm clients, and there’s a high probability that he’s rocking out to metal while he codes.

Sandy
Just Launched: Kentico Website for Beloved Household Products, CLR® and Tarn-X®

Jelmar is most recognized for its broad range of cleaning products (CLR and Tarn-X) that have helped solve some of the toughest household cleaning problems... maybe you've seen their commercials to clean your showerhead?

The CLR Brands website was outdated and virtually unusable on a mobile device. There was also a great deal of confusion across the brands: the parent company, Jelmar, vs. its flagship products (CLR and Tarn-X) and related products. The site did not provide a cohesive experience, nor was it intuitive for consumers visiting the site for more information or to find where to buy CLR or Tarn-X products. It also did not properly serve the needs of its distributors and retailers. Given the brand structure and Jelmar’s drastically different audiences, it was critical to have a modernized user experience that was cohesive while providing variations for the two distinct user groups. Sandstorm was challenged with reinvigorating and personalizing the CLR brand experience by integrating social, digital, marketing automation and the website, as well as utilizing technology to drive better business decisions, which is why the Kentico EMS content management system was ultimately selected.

Based on our in-depth user research, one of the primary goals for consumers was to identify where they could buy CLR products. Sandstorm completely overhauled the “Where to Buy” feature (formerly the Retailer Locator feature, which we renamed based on our usability study results). This tool incorporates a custom Product Search, including radius map in several key areas of the site to improve overall usability – check out the Where to Buy feature here. On the administrative side, Sandstorm developed a product management tool within Kentico, so Jelmar staff can easily manage updates to products in a single location, which propagates throughout the site. In addition, Sandstorm implemented Kentico’s Smart Search to drastically improve the findability of products, "How To" videos, FAQ spec sheets, blogs and news, etc.

Behind the scenes, Sandstorm utilized Kentico’s Staging and Synchronization features to manage development and testing in one environment, user acceptance and content editing in a second environment, and live production in a third, while ensuring that integration of code and content between the sites can always be easily managed and synchronized. From a content migration perspective, Sandstorm utilized Kentico’s import utility and custom scripts to map content, product details, images and related taxonomy into the new site. Sandstorm also leveraged Kentico’s features for tagging, categorization, Google sitemap generation, and other capabilities to improve the SEO of the site.

The entire project included a complete redesign, in-depth user research, information architecture, usability testing, UX/UI development, Kentico install/configuration, Kentico web development, content migration, QA testing, analytics and launch. Additionally, upon launch, Sandstorm ran multiple email campaigns using Kentico’s Contact Management and Email Marketing features to deliver messages segmented for audiences interested in retail products separately from products for industrial/commercial uses.

End results? A 380% increase in use, with a 78% increase in site entrances landing directly on the new "Where to Buy" versus the previous "Retailer Locator", an overall 12% increase in pageviews, and an 11% reduction in bounce rate, all within the first 30 days. Visit clrbrands.com.

This blog was posted by Sandy on January 23, 2018.

Emily Kodner
NICB Drupal 8 E-Commerce Site

At Sandstorm®, we take security seriously. For the not-for-profit National Insurance Crime Bureau (NICB), that means preventing insurance fraud and theft across the United States. NICB turned to Sandstorm to design and develop a brand-new website that could better help them advance their mission.

The launch of this site represents a significant shift for NICB. The previous website addressed two audiences: the general public and current members. By focusing on non-member audiences, NICB can more clearly convey their message and raise awareness with common consumers.

With an iterative, user-centered approach that utilized usability testing to refine navigation items and page layouts, we designed an intuitive user experience that we developed in Drupal 8. By building in the newest version of Drupal’s content management system, we were able to give NICB a robust e-commerce platform with an intuitive administrative interface.

We are honored to help NICB raise awareness of their mission and help combat insurance fraud and theft. Check out the new NICB website for yourself.

This blog was posted by Emily Kodner on November 21.
Emily Kodner

About the Author

Emily Kodner

Emily is our Senior Director of Client Delivery. She consults with clients, leads projects and works alongside our team of creatives and developers to provide solutions to complex business challenges.

Emily Kodner
Association for Corporate Growth launches new, responsive website.

At Sandstorm®, we thrive on designing and developing exciting new websites. But we also know how important a great event can be. That’s why we couldn’t have asked for a better opportunity in creating a site for ACG.

The Association for Corporate Growth (ACG) is the global community for business leaders focused on driving middle market growth through mergers and acquisitions. As a chapter-led organization, ACG is heavily focused on events, holding over 1,200 around the world each year for industry professionals and the association’s 14,500 members to network.

In order to drive their own growth, ACG turned to us to design and develop a website platform that provided individual sites for the global organization as well as its 58 chapters. Each site not only needed to be mobile friendly and visually appealing, it needed to be user friendly and easy to manage for each chapter, an objective we were able to achieve as a result of several efforts:

  • Attending ACG’s annual event and conducting stakeholder interviews to hear directly from leaders and members what they needed from the new website
  • Integrating the Drupal 8 content management system (CMS) with the netFORUM association management system (AMS)
  • Conducting a usability study on the new design to ensure it was intuitive and easy to use
  • Building a collaborative space for chapters and committees to digitally communicate and share essential documentation

We’re honored to help ACG continue driving middle market growth around the world. Check out the new ACG website for yourself.

This blog was posted by Emily Kodner on June 20, 2017.

Nick
Drupal vs. Wordpress

Over the years, Sandstorm® has built websites on content management systems (CMS) using a variety of programming languages: Python, .NET, and PHP to name just a few. These programming languages support CMSs like Django, Kentico, and Joomla, respectively. Two of the most popular CMSs are Drupal and WordPress, built on PHP.

A common question we hear from clients is whether they should use Drupal or WordPress. While there’s no right answer, there is an answer that’s right for you. Each one has its place, so we've laid out where you can gain the most benefit from each CMS.

The Benefits of Drupal

Speed and Performance

When it comes to a scalable CMS that can support high-volume traffic and vast libraries of content, Drupal beats out WordPress. Not only does Drupal offer better performance out of the box—including default cache features that help pages load faster—it’s more robust for handling complex projects with lots of functionality.

Security

Drupal is favored by many top companies and government agencies, including whitehouse.gov, for its enterprise-level security. Drupal has a very active security team with a stringent review process for plugins and a robust permissions layer that provides nuanced limitations for user access.

WordPress, on the other hand, is a popular target for hackers whose malicious attacks often succeed due to fully coded plugins compromising security. Additionally, WordPress doesn’t provide the flexibility in tailored permissions that Drupal does.

Lead Conversion

When it comes to getting leads through web contact forms, WordPress requires third-party tools like Gravity Forms or JotForm, which will cost you extra.

With Drupal, web form functionalities are already built into the platform, so you don’t need external tools. Drupal can also enable rules and set up triggers so that when someone fills out a form on your website they receive an SMS message from your company, which helps with lead nurturing efforts and potential conversions.

The Benefits of WordPress

Ease of Use for Small Businesses

Since WordPress started primarily for less tech-savvy bloggers, small businesses with a junior development team benefit the most from the platform. Additionally, most writers and content managers have some experience with WordPress, so there's little need to train them on the platform.

Where It's a Toss Up

Supportive Community

Drupal and WordPress users have created diverse global communities that offer international conferences like DrupalCon and WordCamp; local training events and Meetups; and active forums where users can ask questions and learn more about the platform. While the WordPress community is larger than Drupal’s, it’s uncommon that you would run into an issue with either platform that someone hasn’t encountered, and solved, before.

Search Engine Optimization

It doesn’t matter to Google which platform you use, and both platforms offer excellent plugins and modules to help you with your SEO, including Yoast for WordPress and Content Optimizer for Drupal.

At Sandstorm®, our experts have extensive experience developing, designing, and writing in Drupal, WordPress, and many other content management systems. We’d love to find the one that’s right for you.

This blog was posted by Nick on May 1, 2017.
Nick Meshes

About the Author

Nick Meshes

Nick is Sandstorm’s Director of Analytics and Technology. He’s boosting our quantitative focus. He’s busy increasing our capabilities in web analytics, website optimization testing, SEO, SEM, display advertising, business intelligence, and personalization.

Sean

Now more than ever, digital security is something that needs a thoughtful approach.

From Yahoo! to the DNC, large, high-profile security breaches are filling the news and making security a hot topic for everyday conversation. There are so many hacks that even data visualizers are struggling to make sense of them all. That is why 2017 will be the year that companies finally realize the value and necessity of security for their digital properties.

Whether cause or effect, our increasing reliance on technology correlates with the spike in frequency, size, and severity of security breaches. At Sandstorm®, we're big fans of Steve Gibson and his podcast Security Now, where he talks about the race to keep up with new security threats. With each new security improvement developers release, hackers are ready to uncover weaknesses. Over the years, this has brought us to a place where both the threats—and the necessary defenses against those threats—have reached a level of complexity that can seem daunting.

From Convenience to Security

The complexity and automated nature of modern attacks have changed the industry’s view on the lengths hackers are willing to go to. Now, we have to assume that there is always someone looking to exploit opportunities and weaknesses.

While the trends below are just a few examples of the risks and remediations that companies need to consider, they illustrate the many different attack vectors that developers need to address. The trick is to do the following:

  • Define the requirements
  • Identify the risks and determine the solutions
  • Design a highly functional application that still puts the user first

Trend #1: Rise of the Botnets

Botnets are a major reason for the increase in security issues. As an industry, we’ve known for some time about the danger of improperly patched or unsecured computers and servers that get infected with malware. But in the last few years, risk has increased exponentially due to the prominence of the Internet of Things (IoT). We have an explosion of internet-connected devices (light bulbs, refrigerators, dishwashers, teddy bears), many of them rushed to market without regard for security.

Night of the Living Malware

Malware programs target these vulnerable systems to create zombie armies of infected computers that work together to feed on sites. The most recent and well-known is the Mirai botnet, the code of which was released as open source and has since spawned a plethora of derivations. That's right; you heard me. They’re multiplying, evolving, and getting smarter like a creature out of a bad horror movie.

How bad is it? Projections as of 2016 suggested that 35% of all internet traffic consisted of malicious bots. That's a lot of zombies wandering around looking for your server's brains.

GhostBot in the Machine

Another recent example is GiftGhostBot. This attack came to light in March 2017. Bots brute-force the pages that allow customers to check the balance on their gift cards. These bots keep guessing gift card numbers (at an estimated rate of four billion requests per hour) until they get one that has a remaining balance. They can then use that gift code to steal from the gift card holder.

What makes this GiftGhostBot particularly sinister is its sophistication. First, the attack is distributed across multiple compromised devices, servers, and computers—which means there’s no way to track and block these requests by IP. Second, the bots have been set up to use over 740 different user agent profiles, meaning they masquerade as different browsers and operating systems to confuse attempts to filter out their traffic. Vendors might add CAPTCHAs or completely remove these pages to remediate the issue. This is just another example of the exponential scale and complexity of attacks that have shifted the conversation towards security.
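Because the requests arrive from many addresses and hundreds of user agent strings, per-IP counters are the wrong tool. What still stands out is the shape of the traffic on the balance-check endpoint itself: a burst that mostly fails and touches many distinct card numbers. The following is an added example (not code from Sandstorm or from any vendor) of that endpoint-wide detection; the log format, field names and thresholds are assumptions, and the sample traffic is constructed.

```python
"""Detect gift-card balance enumeration from endpoint logs without keying on source IP.

The balance-check endpoint is watched as a whole: an enumeration campaign
spread across thousands of addresses and hundreds of user agents still shows
up as a burst of requests that mostly fail and that touch many distinct card
numbers. Sample log lines are constructed here; they are not a real capture.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Hypothetical log format for the balance-check endpoint (an assumption of
# this example, not a vendor format): ISO timestamp, client IP, quoted UA,
# the card number queried and whether the lookup found a live balance.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)" '
    r'card=(?P<card>\d+) result=(?P<result>\w+)$'
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_enumeration(lines, window=timedelta(minutes=1), min_requests=20,
                       max_fail_ratio=0.5, min_distinct_cards=15):
    """Slide a time window over all balance checks and alert when the window
    looks like guessing: enough volume, mostly failures, many distinct cards.
    Per-IP counters are deliberately not used; the attack defeats them."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    window_events = deque()
    alerts = []
    suppress_until = None  # one alert per window, not one per request
    for event in events:
        window_events.append(event)
        while event["ts"] - window_events[0]["ts"] > window:
            window_events.popleft()
        if len(window_events) < min_requests:
            continue
        failures = sum(1 for e in window_events if e["result"] != "ok")
        fail_ratio = failures / len(window_events)
        distinct_cards = len({e["card"] for e in window_events})
        if fail_ratio < max_fail_ratio or distinct_cards < min_distinct_cards:
            continue
        if suppress_until and event["ts"] <= suppress_until:
            continue
        alerts.append({
            "at": event["ts"].isoformat(),
            "requests": len(window_events),
            "fail_ratio": round(fail_ratio, 2),
            "distinct_cards": distinct_cards,
            "distinct_ips": len({e["ip"] for e in window_events}),
            "distinct_user_agents": len({e["ua"] for e in window_events}),
        })
        suppress_until = event["ts"] + window
    return alerts


def build_sample_log():
    """Constructed sample traffic (documentation IP ranges, made-up card numbers)."""
    base = datetime(2017, 3, 10, 12, 0, 0)
    lines = []
    # A few genuine customers checking their own cards over the first minute.
    for i in range(5):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f'{ts} ip=203.0.113.{i + 1} ua="Mozilla/5.0 (Windows NT 10.0) Chrome/57" '
                     f'card=600000000000{i:04d} result=ok')
    # A guessing burst: every request from a new address and user agent,
    # sequential card numbers, and only one hit in twenty.
    for i in range(40):
        ts = (base + timedelta(seconds=30 + i)).isoformat()
        result = "ok" if i % 20 == 0 else "invalid"
        lines.append(f'{ts} ip=198.51.100.{i + 1} ua="Mozilla/5.0 (Agent {i})" '
                     f'card=60000000001{i:05d} result={result}')
    return lines


if __name__ == "__main__":
    for alert in detect_enumeration(build_sample_log()):
        print(alert)
```

On the constructed log the detector raises a single alert once twenty requests have accumulated, reporting a 70% failure ratio across twenty distinct cards and twenty distinct source addresses. The alert is the trigger for the remediations the post mentions (a CAPTCHA on the page, or taking it down), and the thresholds should be tuned against your own endpoint's normal failure rate.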

What You Can Do

  1. Your best defense is keeping your systems up to date. Apply security updates to all technology in your ecosystem in a timely manner (including websites, servers, computers, employee mobile devices, etc.).
  2. Be sure to spend the time to review all new features and components of your digital products with an eye for potential vulnerabilities. Always overestimate the lengths someone would go to.
  3. When in doubt, engage a knowledgeable specialist to help review your security configuration.

Trend #2: Are You a Robot? – Identifying Friend From Foe

If you’re thinking this is all about the rise of the machines, you might (or might not) be happy to hear that humans still play an important role in threatening your business’s security. While botnets have increased the quantity of attacks, the level of sophistication for attacks has also dramatically increased. In some areas, malicious entrepreneurs have even turned to crowdsourcing to enhance automated attacks. Take CAPTCHA as an example. When those annoying pictures were too much for some bots to circumvent, unscrupulous companies paid real people to fill them out. Bots passed the CAPTCHAs back to humans whose answers were fed back to the bots so they could proceed with their attack.

Invisible ReCAPTCHA

This resulted in concerns with the CAPTCHA as a solution for determining bot from human. While still used, it was understood that this solution is not 100% effective. Recently, however, Google updated their reCAPTCHA service with their new Invisible reCAPTCHA. Maybe you’ve seen this: It’s a simple checkbox that says “I am not a robot.” Because so much information on your behavior has been compiled by Google, it can compare your digital fingerprints and activity against its vast repository of analytics to determine if you’re a real person. Or that’s the theory anyway; the new service has just rolled out and we're excited to see how it matures.

Mollom

Mollom is another service we recommend, specifically for Drupal projects. It takes form submissions on your site and checks the content to see if it looks like bot-generated content. If it does, the content is flagged. This technique analyzes content to protect against spam, relying on the consolidation of massive amounts of examples to understand how to proceed.

What You Can Do

  1. The first thing you can do is realize that identifying bots is not as straightforward as it seems. They have gotten very good at pretending to look like real users performing real actions on your site.
  2. Shift your thinking to a place where you assume that hackers and spammers are probably smarter (or at least more persistent) than you. Look at each element of your digital products as a place where a bot might pretend to be a human and consider what they might be able to do.
  3. Layer different preventative techniques. Don't assume that one fix is enough, and have a contingency plan for if a bot does get past your defenses.
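What layering looks like in a form handler, as an added example that is not Sandstorm's code, reCAPTCHA's or Mollom's: a hidden honeypot field, render-to-submit timing, content heuristics in the spirit of a spam filter (link stuffing, the same body arriving again) and the result of whatever CAPTCHA the form carries each contribute a score, and the sum decides between accept, hold for review and block. Field names, weights and thresholds are assumptions; the submissions are constructed.

```python
"""Layered bot scoring for a form endpoint: no single check decides.

Each check contributes a score; the form handler acts on the sum. Added
example with hypothetical field names and thresholds; the sample
submissions are constructed, not real traffic.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

URL_RE = re.compile(r"https?://", re.IGNORECASE)
HONEYPOT_FIELD = "website_url"  # hidden with CSS; humans never fill it


@dataclass
class Submission:
    fields: Dict[str, str]                 # posted form fields
    seconds_to_submit: float               # render-to-POST time, tracked server-side
    captcha_passed: Optional[bool] = None  # None when the form carries no CAPTCHA


def honeypot_score(sub: Submission) -> int:
    """Bots that fill every input they find reveal themselves here."""
    return 30 if sub.fields.get(HONEYPOT_FIELD, "").strip() else 0


def timing_score(sub: Submission, min_seconds: float = 3.0) -> int:
    """A human cannot read and complete the form in under a few seconds."""
    return 25 if sub.seconds_to_submit < min_seconds else 0


def content_score(sub: Submission, seen: Set[str], max_links: int = 2) -> int:
    """Content heuristics: link stuffing, and a body already seen from an
    earlier session (the same text arriving again and again is a spam tell)."""
    text = sub.fields.get("message", "")
    score = 0
    if len(URL_RE.findall(text)) > max_links:
        score += 20
    body = " ".join(text.lower().split())  # normalise whitespace and case
    if body:
        if body in seen:
            score += 20
        else:
            seen.add(body)
    return score


def captcha_score(sub: Submission) -> int:
    """A failed CAPTCHA is strong evidence; an absent one proves nothing."""
    if sub.captcha_passed is None:
        return 0
    return 0 if sub.captcha_passed else 40


def classify(sub: Submission, seen: Set[str], block_at: int = 50, review_at: int = 25):
    """Return (verdict, per-check scores). 'review' is the contingency path:
    the submission is held for a person rather than silently accepted."""
    scores = {
        "honeypot": honeypot_score(sub),
        "timing": timing_score(sub),
        "content": content_score(sub, seen),
        "captcha": captcha_score(sub),
    }
    total = sum(scores.values())
    if total >= block_at:
        verdict = "block"
    elif total >= review_at:
        verdict = "review"
    else:
        verdict = "accept"
    return verdict, scores


def run_samples():
    """Constructed submissions illustrating accept, review and block."""
    seen: Set[str] = set()
    human = Submission({"message": "Question about your conference schedule."}, 42.0, True)
    hasty = Submission({"message": "See http://a.example http://b.example http://c.example"}, 2.0)
    bot = Submission({"message": "Cheap pills http://x.example http://y.example http://z.example",
                      HONEYPOT_FIELD: "http://spam.example"}, 0.4, False)
    repeat = Submission({"message": "Question about your conference schedule."}, 2.5)
    return [classify(s, seen)[0] for s in (human, hasty, bot, repeat)]


if __name__ == "__main__":
    print(run_samples())
```

The point of the weights is that no single signal reaches the block threshold on its own: a fast submission or a repeated body only sends the form to the review queue, while the obvious bot trips several checks at once. The review verdict is the contingency plan from item 3; keep that queue and look at what lands in it, because that is where the next evasion shows up first.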

Trend #3: Moving to SSL

Another major trend for 2017 will be the push for Secure Sockets Layer (SSL, i.e. HTTPS) traffic for everything. This has been an important shift for security in the last few years. Previously, SSL was only considered important for highly sensitive data, but a few things have pushed us into a world where regular HTTP traffic is considered insecure.

Man in the Middle

First, a number of tools have come out that make watching the traffic of someone else on your network very easy to do. This allows a person to see the sites you are visiting and even steal your username and password. This is generally referred to as a man-in-the-middle attack resulting in session hijacking. Traffic over HTTPS helps to protect against that because your browser and the server are essentially communicating via a secret language that only they can understand.

Man on the Side

Second, browsers pulling in content over regular HTTP can't 100% confirm where the content they’re displaying came from. There have been a few complicated attacks over the past few years where malware was sent to site visitors instead of the assets they were expecting. This is generally referred to as a man-on-the-side attack. The attempted attack on GitHub in 2015 is an example of this. Moving towards HTTPS traffic gives the browser certainty that the content it received is the one it was expecting.

Pushing the Transition

If you’re thinking all of that sounds scary, you're not alone. Google agrees and has started to roll out changes to the Chrome browser—you've probably noticed that grayed out "not secure" message near the URL. Additionally, if you log in to a site over regular HTTP, you may also notice a red "not secure" message. This is meant to push websites towards SSL, and it’s only the start. Google has announced additional plans to clearly mark all traffic as not secure going forward.

What You Can Do

  1. Work with your hosting provider or website developer to purchase an SSL certificate from a reputable vendor.
  2. Have those same partners review your SSL configuration to confirm that you’re using strong protocols and ciphers that have not been deemed to be compromised.
  3. You may also need to review your site to confirm that you don't have any mixed content errors, which occur when HTTPS pages reference insecure HTTP resources.
  4. While you're at it, complete a full review of your server configuration.
  5. A full penetration test or security scan may also be a good investment.
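A mixed-content review (item 3) is easy to automate. The following is an added example, not Sandstorm's tooling, of a scanner that walks an HTML page and reports every sub-resource fetched over plain http://. It distinguishes "active" content (scripts, frames, stylesheets, form targets), which browsers block outright on an HTTPS page, from "passive" content (images, media), which loads with a warning; both need fixing before the switch. The sample page is constructed; inline CSS url() references and srcset are outside what it checks.

```python
"""Find mixed content in an HTML page: HTTPS page, HTTP sub-resources.

Browsers block "active" mixed content (scripts, frames, stylesheets, form
targets) outright and load "passive" content (images, media) with a
warning; both kinds should be fixed before a site is moved to HTTPS.
Added example; the page below is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Which attribute carries the fetched URL, grouped by how browsers treat
# a plain http:// value on an https:// page.
ACTIVE = {"script": "src", "iframe": "src", "object": "data",
          "embed": "src", "form": "action"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


def is_plain_http(url):
    """True only for absolute http:// URLs; relative and protocol-relative
    ('//cdn.example/x.js') references inherit the page scheme and are fine."""
    return urlparse(url.strip()).scheme.lower() == "http"


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, tag, attr, url, severity):
        if url and is_plain_http(url):
            self.findings.append({"tag": tag, "attr": attr, "url": url, "severity": severity})

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # bare attributes parse as None
        if tag in ACTIVE:
            self._check(tag, ACTIVE[tag], a.get(ACTIVE[tag]), "active")
        elif tag in PASSIVE:
            self._check(tag, PASSIVE[tag], a.get(PASSIVE[tag]), "passive")
        elif tag == "link":
            # Only <link> variants that fetch a resource matter; rel=canonical
            # and friends are metadata, not loads.
            rel = set(a.get("rel", "").lower().split())
            if "stylesheet" in rel:
                self._check(tag, "href", a.get("href"), "active")
            elif "icon" in rel:
                self._check(tag, "href", a.get("href"), "passive")


def scan(html):
    """Return the list of mixed-content findings in document order."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page with a mix of clean and offending references.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="canonical" href="http://www.example/page">
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/legacy.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<img src="//images.example/hero.png">
<form action="http://www.example/login"><input name="u"></form>
<iframe src="https://video.example/embed"></iframe>
</body></html>"""


if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE):
        print(f'{finding["severity"]:7} <{finding["tag"]} {finding["attr"]}="{finding["url"]}">')
```

Run against the sample page it reports four findings (the stylesheet, the legacy script and the login form as active, the logo as passive) and ignores the canonical link, the protocol-relative image and the HTTPS frame. For a real site, point `scan` at the rendered HTML of each template, then fix the references or switch them to protocol-relative or https:// URLs before flipping the redirect.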

How Sandstorm Can Help

This is just the start of the conversation and we've only covered a few topics. Whether you’re moving your current website to SSL or want to ensure your new website is developed with the latest security in mind, we utilize the technology and techniques that make sure you’re protected.

This blog was posted by Sean on April 13, 2017.

About the Author

Sean Fuller

As Technology Director, Sean is a hands-on developer and technical lead on projects. He works with design and strategist teams from kick off through launch to plan, design and execute technical solutions for client projects. 
