Section C – Security Kasey Moore
Introduction
All websites are vulnerable to certain attacks that arrive over the internet. Transactional websites are not necessarily more vulnerable than any other website, but they matter more because they store customers’ information such as dates of birth, credit card details and addresses. Most websites provide security to protect this user information; however, holes can always be found in that security, which an attacker can then exploit, perhaps using the data for whatever agenda they have.
In this piece I will write about:
‐ Why is it important to protect user data?
‐ What sort of data do different companies collect?
‐ What potential threats are there, and what are the solutions?
‐ What legislation is in place to protect data?
‐ Carrying out risk assessments
‐ How companies present this to the user
Why is it important to protect user data?
User data is worth a lot of money; it is internet gold. Many companies rely on having this customer data to gain new customers, keep existing ones interested and build up statistics. Leaking data is also bad for business. Customers rely on you keeping a good hold on your data, and they entrust it to you because these are their personal details and, for you, this data is your livelihood. Securing data is good for business: it builds a strong relationship of trust between the user and the store itself, because at the end of the day customers are what make the money come in. Losing their trust and potentially upsetting them will knock on to them not making future purchases, which will make your income lower. As seen in the past, it can also create very bad news about your business. An example of this is 2011, when Sony’s data was breached, which led to much controversy and partial damage to their business.
What sort of data do different companies collect?
To take a transaction through a website you need several pieces of information from the customer to complete it: everything from the simple, such as their name and telephone number, to the more valuable information such as their bank account or credit card number and the other details related to that. Some other data is also collected, such as the browser the transaction was made on and the operating system used. Another piece of information that is collected, and whose potential consequences most users are not aware of, is their IP address, which gives an exact representation of where the computer is based. Individual companies may also keep additional information such as previous purchases, product ratings and items they have viewed. What all this information combines into is a solid foundation where the company knows you and can then make suggestions for future purchases and get in touch with you. It also means that there has to be an element of trust surrounding the entire operation and the company the customer is dealing with.
What potential threats are there and what are the solutions?
There are several different threats that could lead to breaches at both ends of the transaction, the customer and the online store itself. On the store side, which I will cover, there are many ways the store could be breached, which could potentially lead to the store having to close temporarily or could mean a loss of customer information, which as explained earlier could be very damaging to the company.

Firstly there are human errors, which can cause either a hole in the security or a loss of data for the company. It could be a simple human error such as deleting a file by mistake; that file could be the transaction record for a customer, which will result in problems when looking for the record and could mean a complaint of sorts. A good solution would be to create regular backups, perhaps daily, containing all the purchases made throughout the day, so that all the data is included in case a piece goes missing. Another kind of human error would be not processing an order correctly. For example, a company could receive an order for a brand new computer, but at the processing stage a different product could be sent, or the label could be printed wrong so that it is sent to a different address. This is again all human error and unfortunately there is not much you can do to prevent it other than thorough checking at the different stages, which could mean employing additional supervisors.

There are also other threats to the data and security, including physical threats, which are harder to avoid and are normally out of people’s control, such as the weather. An example of a physical threat would be a fire, which is hard to predict. Obviously some precautions can be taken to prevent fires. A way to avoid loss of data would be to keep backups a long way from the site of the fire.
Another physical threat could be a lightning strike on the building, causing damage to the electricity supply, which may turn off all the equipment or, worse, fry it. This would mean damage to the systems. Similar to the fire solution, backups would mean you could restore the lost data. Another solution to this problem would be to install lightning-proof sockets that will turn everything off.

Finally we move to the other sources of breaches and threats, which are more intentional. The first way of being breached beyond what I have mentioned earlier is rogue employees. These are employees who are leaving the company or have a general hatred for the company, and who delete files or, worse, destroy equipment, which can be costly for the company. A way to combat this is to increase your employee background checks and hold regular interviews, through which you can recognise if there is a lack of respect from an employee. Plus, as mentioned, regular backups will help secure the system. Of course there is always the possibility that an employee can cause damage after they have gone. This can be fixed by individual logins and regularly changing passwords.
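The daily backup recommended in the two paragraphs above only helps if the backup can actually be restored, and if a damaged or altered archive is noticed before it is trusted. The following Python script is an added example (not part of this report) that runs the whole drill offline: it writes a few constructed order records, archives them with a SHA-256 manifest, simulates the "deleted by mistake" case, restores the missing record from the archive, and then shows that a corrupted archive is refused. Record names, paths and the date are constructed for the example.

```python
import hashlib
import json
import os
import tarfile
import tempfile
from datetime import date

# Constructed sample transaction records (hypothetical, not real customer data).
SAMPLE_RECORDS = {
    "orders/1001.json": {"order": 1001, "item": "laptop", "ship_to": "1 Example Street"},
    "orders/1002.json": {"order": 1002, "item": "monitor", "ship_to": "2 Example Road"},
}


def sha256_of_file(path):
    """Hash a file in chunks so large archives never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_records(data_dir, records):
    for rel_path, record in records.items():
        path = os.path.join(data_dir, rel_path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            json.dump(record, f)


def make_backup(data_dir, backup_dir, day=None):
    """Archive the live data into a dated tarball and write a manifest holding its SHA-256."""
    day = day or date.today().isoformat()
    archive = os.path.join(backup_dir, f"orders-{day}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(data_dir, arcname="data")
    manifest = {"archive": os.path.basename(archive), "sha256": sha256_of_file(archive)}
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return archive


def verify_backup(archive):
    """True only if the archive still matches the hash recorded when it was made."""
    with open(archive + ".manifest.json") as f:
        manifest = json.load(f)
    return sha256_of_file(archive) == manifest["sha256"]


def restore_backup(archive, dest_dir):
    """Refuse to restore from an archive that fails its integrity check."""
    if not verify_backup(archive):
        raise ValueError("backup hash mismatch: archive is corrupted or tampered with")
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            # Python 3.12+ (and security backports): reject path traversal inside the archive
            tar.extractall(dest_dir, filter="data")
        else:
            tar.extractall(dest_dir)


def simulate_loss_and_restore():
    """Drill: back up, lose a record to human error, restore it, then show a damaged archive is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        live_dir = os.path.join(tmp, "live")
        backup_dir = os.path.join(tmp, "backups")
        restore_dir = os.path.join(tmp, "restore")
        os.makedirs(backup_dir)
        write_records(live_dir, SAMPLE_RECORDS)
        archive = make_backup(live_dir, backup_dir, day="2024-01-01")  # constructed date
        intact = verify_backup(archive)

        os.remove(os.path.join(live_dir, "orders", "1001.json"))  # the accidental deletion
        restore_backup(archive, restore_dir)
        with open(os.path.join(restore_dir, "data", "orders", "1001.json")) as f:
            recovered = json.load(f)

        # Damage the archive by overwriting its first byte; the manifest check must now fail.
        with open(archive, "r+b") as f:
            f.write(b"\x00")
        return {
            "intact": intact,
            "recovered_order": recovered["order"],
            "detects_corruption": not verify_backup(archive),
        }


if __name__ == "__main__":
    print(simulate_loss_and_restore())
```

The manifest is the part most ad-hoc backup scripts skip: without a recorded hash, a backup that was silently damaged by a disk fault, a fire-damaged drive or a leaver with write access looks identical to a good one until the day it is needed. In practice the manifest is kept separately from the archive (the off-site copy the text recommends), so that whoever can alter one cannot quietly alter the other.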
Of course there are also external threats out there from hackers and viruses alike. These are what can cripple a system, as hackers and viruses will not only be able to destroy records, as all the threats above can, but will also be able to manipulate and steal the records for their own personal goals. One way a system could be infiltrated is through holes in the operating system, which everything relies on; these holes can be easily exploited. To overcome any holes in systems that could allow a possible hack, ensure that the firewall is correctly configured. A firewall is a piece of software with two functions: it can allow an incoming connection, and it can also stop connections coming in. Not having this configured correctly could mean the wrong person logs into the system, which can cause problems for the company and the online store. Another way a system can be compromised is by viruses, which could be uploaded by a user or gained in other ways. Since viruses are created every day and are becoming more complex, constant virus database updates are required so that the antivirus software is able to track and delete any viruses currently infecting the system.
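"Correctly configured" for a firewall mostly means one thing: everything is blocked by default and only the services the shop actually offers are opened, to the networks that need them. The following Python model is an added example, not a real firewall or anything from this report; it evaluates a small first-match rule set so that a loose configuration (default allow, with a block list) can be compared side by side with a corrected one (default deny). All addresses are constructed from the documentation ranges: 198.51.100.7 stands for an arbitrary internet host, 192.0.2.0/24 for the shop's office network and 203.0.113.0/24 for a range the loose configuration happens to block.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR form
    port: Optional[int]    # destination port, or None for any port


class Firewall:
    """Toy first-match packet filter: rules are checked in order, then the default applies."""

    def __init__(self, rules, default="deny"):
        self.rules = [(r, ipaddress.ip_network(r.src)) for r in rules]
        self.default = default

    def decide(self, src_ip, port):
        ip = ipaddress.ip_address(src_ip)
        for rule, net in self.rules:
            if ip in net and (rule.port is None or rule.port == port):
                return rule.action
        return self.default


# Misconfigured: default allow, plus a block list for one "known bad" range.
# Every service running on the host is reachable from everywhere else.
LOOSE = Firewall([Rule("deny", "203.0.113.0/24", None)], default="allow")

# Corrected: default deny. Only the shop's HTTPS port is open to the internet, and
# administrative SSH is limited to the constructed office range 192.0.2.0/24.
STRICT = Firewall([
    Rule("allow", "0.0.0.0/0", 443),
    Rule("allow", "192.0.2.0/24", 22),
], default="deny")

# Services assumed to be listening on the shop's server (constructed for the example).
SERVICES = {22: "ssh", 443: "https", 3306: "database", 5432: "database", 6379: "cache"}


def compare(src_ip, port):
    """Decision of both configurations for one connection attempt."""
    return {"loose": LOOSE.decide(src_ip, port), "strict": STRICT.decide(src_ip, port)}


def internet_exposed(fw, probe_ip="198.51.100.7"):
    """Services an arbitrary internet host (constructed address) could connect to."""
    return sorted(f"{SERVICES[p]}:{p}" for p in SERVICES if fw.decide(probe_ip, p) == "allow")


if __name__ == "__main__":
    print("loose :", internet_exposed(LOOSE))
    print("strict:", internet_exposed(STRICT))
```

Running it shows the difference the text is pointing at: the loose configuration leaves the database, cache and SSH ports open to the whole internet while only the one blocked range is kept out, whereas the strict configuration exposes nothing but HTTPS and still lets the office reach SSH. Real firewalls (iptables, nftables, cloud security groups) express the same default-deny idea, and the check that a practitioner repeats after every change is the `internet_exposed` one: what can an outsider reach now?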
What other methods are there to protect an online retail store?
There are several more methods to protect a website and help protect its integrity. One is having a user ID assigned to both the users and any employees. This way everything can be tracked by user, so you can see each action and have enough information to hold against anyone who misuses the system. This way any information can also be associated with the account name and number. Another method, which is very effective, is also a good way to tell whether a website is legitimate or not. It shows a padlock on the website itself, and the site will appear on a list of trusted websites that can operate safely, so that you know this is a safe and secure way of finishing your shop. This is called SSL and is a form of encryption that is very well known nowadays.
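The per-user ID described above, and the individual logins for staff recommended in the rogue-employee paragraph earlier, are only useful if the record of "who did what" cannot itself be quietly rewritten, and if a leaver's account stops working the day they go. The following Python code is an added example (not from this report) of a small account register plus an append-only, hash-chained audit log: every entry names the acting account and carries the hash of the entry before it, so editing or deleting any entry breaks the chain. The staff names, actions and order numbers are constructed for the scenario.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash "before" the first entry


class Accounts:
    """One account per person. Leavers are disabled, never deleted, so old entries stay attributable."""

    def __init__(self):
        self._active = {}

    def create(self, user_id):
        self._active[user_id] = True

    def disable(self, user_id):
        self._active[user_id] = False

    def is_active(self, user_id):
        return self._active.get(user_id, False)


class AuditLog:
    """Append-only, hash-chained audit trail keyed by the acting account's ID."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.entries = []

    @staticmethod
    def _hash(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, user_id, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "user": user_id, "action": action,
                "detail": detail, "prev": prev}
        body["hash"] = self._hash(body)
        self.entries.append(body)

    def record(self, user_id, action, detail):
        """Log the action under the acting account; refuse, and log the refusal, for disabled or unknown accounts."""
        if not self.accounts.is_active(user_id):
            self._append("system", "rejected_action", {"account": user_id, "attempted": action})
            return False
        self._append(user_id, action, detail)
        return True

    def verify(self):
        """Recompute every hash and link; any edited, removed or reordered entry breaks the chain."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev"] != prev or self._hash(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def who_did(self, action):
        return [e["user"] for e in self.entries if e["action"] == action]


def run_scenario():
    """Constructed scenario: two staff accounts, one leaver, one attempt to doctor the log."""
    accounts = Accounts()
    accounts.create("alice")
    accounts.create("bob")
    log = AuditLog(accounts)
    log.record("alice", "view_order", {"order": 1001})
    log.record("bob", "delete_order", {"order": 1002})
    deleters = log.who_did("delete_order")          # the deletion is pinned to bob's own ID

    accounts.disable("bob")                         # bob leaves the company
    bob_after_leaving = log.record("bob", "delete_order", {"order": 1003})
    chain_clean = log.verify()

    log.entries[1]["user"] = "alice"                # someone tries to shift the blame
    return {
        "deleters": deleters,
        "bob_after_leaving": bob_after_leaving,
        "rejections_logged": log.who_did("rejected_action"),
        "chain_clean": chain_clean,
        "tamper_detected": not log.verify(),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two design points carry the weight here. Shared logins (one "staff" account) would make `who_did` meaningless, which is why the text's one-ID-per-person advice matters; and disabling rather than deleting a leaver's account keeps their earlier entries attributable while the refused attempt after departure is itself recorded as evidence.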
What legislation is in place to protect people’s data?
Since the beginning of the Information Age, new legislation has had to come in to protect people from these new technologies and the threats they create. Two which currently exist are the Data Protection Act and the Computer Misuse Act. The Data Protection Act is an act that was passed in 1982 and updated in 1998. The primary focus of the Data Protection Act was to protect against data being held or passed around between companies. The legislation arose because of the mishandling of data by many companies. It especially protects customers’ personal data such as names and addresses. One of the underlying principles of this law is that ‘Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.’ The second piece of legislation, passed in 1990, is called the Computer Misuse Act, whose primary goal is to prevent hacking. It covers unauthorised access to computer material, unauthorised access with intent to commit further offences, and unauthorised modification of computer material. All of this is fully enforced to this day.
Risk Assessment
To check for dangers and set up the necessary protection to prevent any of the issues I mentioned above, a proper risk assessment must be carried out. It is also necessary because many banks will require you to carry out a risk assessment to ensure it is safe to do business with you. Some of the items you will be assessed on are: the average transaction size, the amount of business you will be completing, the security in place and how long you have been operating. Finally, any risk assessment will be followed by a quote for the price of insurance coverage, should it be required.
Conclusion
To conclude, everything included in this report and the advice given will be helpful for any new start-up online stores coming into the market. Many companies have these protections in place and will display a security and privacy page on their website addressing all the measures they have in place to prevent any damage to the security of the data they collect from a customer. Overall, security is a very important part of any website’s structure, regardless of whether it is an online shop or not, and to provide the best service to their customers we recommend that every site has this protection in place. This does mean that expenditure must be made first, and it will be quite costly, but in hindsight it will of course be less money spent at the beginning than on fixing your damaged reputation.