FormAssembly is a Security-Driven Company: How We Avoid Attacks

When you consider the modern state of our data-driven lifestyles and business models, it’s no surprise that hackers and threat actors try to capitalize on every vulnerability. Hackers may attempt to inflict harm, secure payments, or capture confidential information to use for a future purpose. With these threats looming, individuals and companies must be vigilant when it comes to data security and hacker prevention.

A staggering reality is that hacking attacks happen once every 35 seconds in the United States. Although businesses and governments now devote more resources to cybersecurity than ever before, the hacking threat remains strong. The question is, how can companies protect themselves from hackers?
In this post, we’ll take a twofold approach. First, we’ll share how we help FormAssembly customers prevent hacking attacks. Then, we’ll dive into our own company philosophy and strategy.

How we help our customers avoid hacking attacks

FormAssembly is committed to adhering to the strictest security and privacy standards in the marketplace. This means that our customers can rest assured when they collect data through our platform. You can read an in-depth overview of our practices and procedures on our Security page. As a best practice, this information is public-facing to promote transparency and accountability.
With that in mind, let’s take a look at some of the specific measures that FormAssembly has in place to help our customers guard against hacking attacks.

Protecting customer information

If you collect data from customers or other end users, you are responsible for that information. Your form respondents must know that they can trust you, your processes, and your privacy plan. Here are a few of the many ways that FormAssembly helps you protect your customers’ data.

  • Authentication – Choose from CAS, SAML, or LDAP to ensure that only the appropriate people have access to your web forms.
  • Encryption – Encryption means that your data is not readable by anyone who does not hold the right key. FormAssembly implements TLS 1.2 to protect data in transit, which strengthens encryption and gives customers more peace of mind. Additionally, data sent via HTTPS provides three proactive layers of protection.
  • Data Types – Part of good data stewardship involves identifying the type of data you actually need to collect. Different laws and regulations apply to certain types of data (financial, medical, PII, etc.), so be sure to only ask for the kinds of data you need for essential activities.

Each of these areas adds one more barrier that an attacker must get past before reaching any customer data. By ensuring that these features are reliable, FormAssembly provides peace of mind without extra hassle.
If you’d like a crash course on data security best practices, the FormAssembly knowledge base is a great place to start.

Security incident response

According to the communications experts at Cisco, an incident response plan is “a set of instructions to help IT staff detect, respond to, and recover from network security incidents.” These plans serve the basic purpose of protecting the flow of work, but they also have a deeper purpose when it comes to disclosing data leaks, losses, and hacking attacks.
FormAssembly has an established Incident Response policy and procedure based on NIST guidelines that activates upon a security breach. In the event of an incident, FormAssembly will notify all affected customers in a timely manner of any unauthorized access to your data. The FormAssembly Incident Response plan is tested annually or as needed.

Preventing data leakage

In order to prevent surprising vulnerabilities, we take several necessary precautions to minimize leaked data. Here’s what you can expect if you collect data with FormAssembly.

  • Global data centers hosted by Amazon Web Services (AWS), which holds numerous international certifications regarding security and privacy
  • Web application firewall to protect against common web attacks
  • IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are in place to promote network and server security

Additionally, FormAssembly upholds the following certifications:

  • PCI DSS Level 1 Certified
  • Compliance with GDPR, HIPAA, FERPA, and more
  • FedRAMP Ready Government Cloud
  • ISO 27001

Using appropriate data disclosure

FormAssembly’s official Privacy Policy is listed publicly and provides insight as to how, when, and if your data is ever open to disclosure. Data disclosure situations are extremely limited in scope and often happen only if there is a concern as to legality, safety, or public good.
Your customer data cannot be shared with third parties or other companies without your permission and consent to do so.

How we prevent hacking attacks at our own company

At FormAssembly, we recognize the need to practice what we preach. As an industry leader in data stewardship, it’s important that each member of our team has a strong understanding about their individual responsibility as data collectors. Our standard process involves regular teaching, team-wide security training, audits, and security reviews.
Here are a few of the practices that keep us primed and ready to mitigate hacking attempts.

We catch the bad phish

Phishing is one of the many ways that hackers attempt to manipulate users into exposing or sharing confidential data. Although this usually takes place via email, phishing attempts happen through other communication channels as well.

“Administering monthly security awareness training and up-to-date phishing campaigns keeps your workforce mindful of the evolving security landscape. This is one proactive way to limit human exposure to threat actors.”
—Chad Cragle, Director of Security and Compliance

At FormAssembly, we train our fully remote team to keep an eye out for phishing attacks and to handle them appropriately. This company-wide conversation also ensures that team members can distinguish genuine customer messages from nefarious phishing attempts.

We minimize insider threats

Personnel security is another major focus. Each team member goes through a thorough background check and completes the necessary security and privacy training. This step ensures that our team members who have access to customer data are highly trained to handle any red flags or suspicious hacking activity.

We say no to social engineering

Social engineering is a tactic used by hackers and threat actors to manipulate a user into disclosing sensitive information that the hacker considers valuable. Social engineering is especially tricky, because it may seem as though the hacker personally knows the individual they are targeting. This familiarity is often gained through social media and research.
Although we encourage team members to actively engage on social media and to expand their professional networks, we counter this with common sense tactics for preventing social hacking attempts. Monthly security training provides concrete examples of how social engineering looks in the real world, ensuring that our team members are never caught off guard.

We educate on malware and ransomware

Malware and ransomware are some of the most crippling risks to an organization’s cybersecurity structure. In particular, ransomware attacks are on the rise. This strategy can render organizations useless, and it can also prove to be extremely expensive to solve.
Our Security Team is dedicated to protecting both customers and employees from these costly attacks. Regular communication, reminders, and training help keep these vulnerabilities top of mind.

Strengthen your company’s defense

Looking for additional ways to strengthen your company’s defense against threat actors? Check out our ultimate guide to secure, compliant data collection at the link below.
