With the holidays quickly approaching, many consumers are starting their shopping online. With 2011 being tagged "the year of the hacker" because of all the high-profile breaches (Citibank, Sony, Epsilon), many consumers are wary of online fraud. The Ponemon Institute's recent study found that three in four consumers have either some concerns (53%) or serious concerns (25%) about online fraud. So how can e-retailers make sure they and their shoppers are safe this holiday season?
Here's a list of tips for your e-retail business to help make the holiday shopping season free of online security issues.
1. Start with a scan. It doesn't do any good to install security fixes on a system that was never secure to begin with. Have your website scanned with a commercial vulnerability scanner to see where you stand as far as web application security goes. These scans are sometimes free, but even if not, they are never very expensive.
2. Educate your staff. By all accounts, your company's largest security threat is your staff. Social engineering, the art of fooling someone into revealing security-breaking information, causes more security breaches than all external attacks combined.
3. Consider your office an attack surface. Are your computers left on and usable without a login? Are your physical access points (LAN connections) and wireless access (WiFi) available to anyone in or near your office, and does this allow access to your internal systems? Is that post-it note on your manager's monitor really his password? After hours, it's not uncommon for the cleaning staff to let in anyone wearing a tie.
4. Recheck the back end of your site every six months. If you don't keep up with security fixes, your network becomes more vulnerable by the day. Your website may have been secure six months ago, but today it could have multiple openings for intrusions. Hackers get smarter every day, systems change and security scanners get more sophisticated. Even sites with a perception of high security can be compromised, so keep in mind that your business must be proactive in order to keep your site secure and customer data safe.
5. Encryption. Database encryption is fast, easy and inexpensive. An encrypted database, even if stolen, cannot be maliciously used as long as the keys were not stolen with it. I would suggest encrypting anything that is remotely private. And, make sure your encryption practices are solid: use the latest algorithms and safe storage of encryption keys at a minimum.
6. Backup. Make sure you are periodically backing up your database in case there is a breach and your data is maliciously altered or destroyed. Your database backups should always be saved to an offsite location in an encrypted format (this is easily implemented and free with most commercial backup software).
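Tips 5 and 6 both come down to the same mechanism: authenticated encryption under a key that is stored somewhere other than the data. The following Go program is an added example, not code from the original article or from any product it mentions. It encrypts a private column value and a small backup dump with AES-256-GCM, keeps the key outside the data (the environment variable name DB_ENCRYPTION_KEY is hypothetical, and the fallback key is a constructed demo value), and shows that a stolen ciphertext moved to another row, or an offsite backup that was edited, is rejected on decryption rather than silently accepted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"os"
)

// loadKey returns a 32-byte AES-256 key. The key must live outside the
// database and the backup location (a secrets manager, an HSM, or at least an
// environment variable on the application host); otherwise a stolen copy of
// the data comes with the key. DB_ENCRYPTION_KEY is a hypothetical variable
// name; when it is unset, a constructed demo key is derived so the example runs.
func loadKey() []byte {
	if k := os.Getenv("DB_ENCRYPTION_KEY"); len(k) == 32 {
		return []byte(k)
	}
	demo := sha256.Sum256([]byte("constructed demo key, not for real data"))
	return demo[:]
}

// encryptAtRest seals plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// label (a column plus row id, or a backup file name) is authenticated as
// associated data but not encrypted, so a ciphertext cannot be quietly copied
// into another row or swapped for a different backup without decryption failing.
func encryptAtRest(key []byte, label string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per value
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// decryptAtRest reverses encryptAtRest. Any change to the ciphertext, tag,
// nonce or label makes gcm.Open return an error instead of garbage plaintext.
func decryptAtRest(key []byte, label string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to hold a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// backupIntact reports whether an encrypted backup still decrypts under its
// file name; false means the offsite copy was altered, truncated or mislabelled.
func backupIntact(key []byte, name string, blob []byte) bool {
	_, err := decryptAtRest(key, name, blob)
	return err == nil
}

func main() {
	key := loadKey()

	// Constructed sample data: one private column value and one tiny SQL dump.
	field, _ := encryptAtRest(key, "customers.email:1001", []byte("alice@example.com"))
	dump := []byte("INSERT INTO customers VALUES (1001, 'alice@example.com');\n")
	name := "customers-2011-11-20.sql.enc"
	backup, _ := encryptAtRest(key, name, dump)

	fmt.Printf("stored column bytes: %x\n", field)
	if _, err := decryptAtRest(key, "customers.email:1002", field); err != nil {
		fmt.Println("ciphertext moved to another row: rejected")
	}
	fmt.Println("backup intact before tampering:", backupIntact(key, name, backup))
	backup[len(backup)/2] ^= 0x01 // simulate someone editing the offsite file
	fmt.Println("backup intact after tampering: ", backupIntact(key, name, backup))
}
```

The label as associated data is the part most ad hoc "encrypt the column" schemes leave out: without it, an attacker with write access to the database can copy one customer's encrypted value into another customer's row and the application will happily decrypt it. Binding the backup file name the same way means a restore from a renamed or substituted archive fails loudly instead of restoring the wrong data.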