As the news demonstrates, the costs of poor data security can be very high. Furthermore, with more savvy consumers aware of the risks involved with sharing data online, shortcomings in this area will invariably compromise trust in your product or service.
So how can companies guard against the threat? Asking the following questions is a good start.
1) Is your sensitive customer data encrypted?
This is perhaps the most obvious question to ask given the Ashley Madison debacle. All stored data should be encrypted such that even those with privileged access are unable to read it with the naked eye. The most sensitive data will include card numbers, email addresses, or anything that might personally identify users.
2) Have you gold plated your password policy?
Passwords should be stored in a coded format via a number generating system called a hash. But even hash systems are vulnerable because people often use common words within their passwords - guessing these and decoding the rest of the hash is quick work for a hacker. To resolve this problem, IT managers should “salt” the password with an additional string of text before it is hashed, obscuring the original password.
If this sounds like a convoluted process, it’s worth noting that there are already secure log-in routes available via the likes of Google, Facebook or Twitter - offering users the option to sign in through those platforms is a good way to ensure strong security as well as being convenient for your users.
3) Who’s looking after your service?
You might think your service is technically bullet proof, but administrative and other privileges can lead to holes in security. Phishing scams come in all shapes and sizes, and untrained administrators’ human errors could come with a high cost. IT managers should also be sure to delete staff accounts when they are no longer needed, closing off extra points of access. To aid this, it is sensible to control access to servers, databases and other systems via a single sign-on that is easily revoked when the account is disabled.
4) Is every part of your website secure?
Weak staging sites – websites used to test and review newer versions of a site before they go live – are like an open backdoor for hackers. These pages tend to mirror the main site but are often run with less security and care. Make sure your security policies are consistent.
Similarly, if you are using the cloud, research the host company. Cloud providers Google and Amazon employ thousands of hosting experts to manage their data centre security and, as such, they are a fairly safe bet. Finally, although your bespoke code might be safe, encourage developers to review third-party software for potential security threats - likewise for older software that may be out of date.
5) Do you think like a hacker?
Although every hacker tries to be original, they repeat many of the same tricks. Developers should keep abreast of the trends in previous cases to preempt future attacks. Software developers should also spend some time trying to breach their own system, pinpointing and addressing weaknesses in order to bolster its defences. The more a tech expert thinks like a hacker the more secure their code will be.
6) Do your developers peer review?
Encourage the developers building your digital platforms to check each other’s work. Code writing is intricate; a second pair of eyes will catch more mistakes and potential security flaws. Similarly, developers should be sure that they understand all the code they use. A common error is to copy and paste tracking and analytics tags – strings of code which allow advertisers to track visits, clicks, and password entries, as well as collect data from the site.
These tags are normally benign from a security perspective but this should never be taken for granted.
7) Do you look outside the organisation for help?
If not, you should. Many common security flaws can be prevented by using a popular open-source framework like Django or Ruby on Rails. Open-source communities tend to include security experts that are quick to spot and resolve software problems.