3 key steps for website security

Part of an effective IT security program for most businesses should be protecting online transactions with customers. In this guest post, Anand Srinivasan describes some of the website security keys businesses should keep in mind. 

_____________________________________________________________

A recent survey by Cintas Corporation threw some really scary results for businesses that handle sensitive customer information. According to the report, over 55% of the respondents preferred to change their banks if their account data was compromised. Similarly 46% of the respondents would switch insurance providers if the company offering them their policy had a breach of security. The report also stated that the data of over 16 million customers was breached just last year.

These numbers underline the importance of web security and how even a stray incident may harm your company’s brand identity much worse than you anticipate. Most often, small and medium businesses dismiss such security incidents as an area of concern for larger corporations, such as the multinational banks and insurance companies that have a lot of reputation at stake. A study conducted by the National Cyber Security Alliance showed that 77% of SMBs consider their business to be safe from security attacks although 83% of these respondents did not have a cybersecurity plan in place.

For businesses that have a significant amount of customer engagement online, it is time to take another look at the cybersecurity processes followed by your company. While no amount of security measures can ensure a 100% fool-proof system, these measures are a good a starting point for those who run a transaction-based business website:

1. Data transmission security layer

Before we discuss the need and concept of a security layer, it is important to understand how a typical data transmission happens over the internet. For the sake of simplicity, let us consider a customer entering a social security number on an insurance provider’s website. Now when the customer enters this data from a home computer and hits the enter key, it is transmitted from the home network to the nearest server hosted by the local Internet service provider. From here, this data may travel hundreds of kilometers through various networks to the insurance company’s server. Once the information has been procesed, the data is stored and a subsequent information is transmitted by the insurance provider that again travels hundreds of kilometers to be displayed on the customer’s computer screen. This is a typical path that every piece of information that you type online – including passwords, date of birth, SSNs, bank account details, etc. – travels every single time.

Now if you look at it, any skilled hacker would be able to intercept this data from any of the several hundred servers and networks that the data travels through. This is a breach that is not avoidable given the way the Internet operates. However, if we can encrypt the data being transmitted, we may ensure that the data being intercepted is not comprehensible to malicious users or bots. That’s exactly the job of a security layer.

Security layers are basically scripts that encrypt data that is entered online so that it may not be intercepted by hackers. There are various popular encryption standards available today (like AES, OpenPGP, etc.) that ensure proper protocols are followed while encrypting data online.

2. Security validation

One security challenge that businesses face while using these encryption protocols is that the “secret key” that is used to encrypt a message needs to be transmitted online as well. Without this, the business server may not be able to decrypt and interpret the transmitted information. Also, if it so happens that the key is hacked, then all information being transmitted may be decrypted and accessed.

To prevent this from happening, businesses use the services of what are known as certificate authorities. The popular certificate authorities today include Symantec and Comodo. These certificate authorities issue “digital certificates” to the subscribed businesses. This certificate includes the secret key that may be used to encrypt the information. Incidentally, this key may be accessed by anyone. However, this ‘public key’ may only be used to encrypt the data. The businesses are also offered an alternate key known as the private key which is not accessible anywhere and is not transmitted online ever. This is a key that only the business holds and which is used to decrypt the information. This combination of public key and private key ensures a hassle-free technology to transmit secure data online. Consequently, a website with digital certificate may be seen as secure and trust-worthy.

3. Electronic authorization

Since June 2000, it is legal for businesses in the United States to sign business contracts and agreements online without the need for physical paperwork. Called the ESIGN act, the law makes an electronically signed document as legally binding as a paper one. Despite the ease and comfort that this new law brings, the technology itself is prone to abuse. There have been instances where a hacker or an employee who is not authorized to sign have been able to access the document and have impersonated the authorized signatory. In other instances, the contract document itself has been hacked and reworded after the document has been signed. These security issues may be prevented by routing these confidential documents through trusted third party online signature providers like Silanis and DocuSign. These services are built over a security layer that prevents anyone other than the authorized signatory from viewing or editing the document. Besides, such services ensure that the document is archived as soon as it is signed so that it may not be tampered with. If you are a business that needs to sign a contract with your customer or partner companies, electronic signatures are a great way to simplify the process while keeping it secure.

Data transmission and storage is one of the critical areas of any business transaction. While these measures described above can help protect your website from most hackers, it still does not guarantee 100% security. That’s because a layman customer is still not completely aware of the dos and don’ts of cybersecurity. The onus is on businesses to ensure their customers are educated on the security concerns that exist and how they are being tackled by the organization. This will not only help in creating awareness, but will also help the business build trust and reputation among their customers.

About the author: Anand Srinivasan is an independent consultant who writes on cloud and enterprise business management. He may be reached at anand.srinivasan@gorumors.com

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy