In the last posting here at Obu, we wrote about the proliferation of data in the Internet Age. In this entry we will outline what a small business needs to know in order to make sure the “bases are covered” for their data and the data they collect from their customers.
The data tide is turning, and President Obama has announced the creation of a new post of “Cybersecurity Czar.” While we hope that you do not have anything of national security on your personal or business computers, we have all heard of breaches in security that have left thousands of people with their data exposed like a viral video of a pinup queen, and only a small fraction of the breaches even get published. Perhaps you too have received a surprise notice in the mail from your credit card company that you are being issued a new credit card due to a compromise of your identity.
Want to know just how many happen? Stop by privacyrights.org, a nonprofit consumer information and advocacy organization. They have been keeping a record of privacy breaches since 2005, and the list includes universities, banks, government institutions, and hospitals. It is a frightening litany of an Internet that leaks data like a sieve.
Things to know about data security:
1) There isn’t a gap in the armor; the internet is mostly gaps with some armor surrounding it.
When the Defense Advanced Research Projects Agency (DARPA) was developing the first instances of what we now call the internet, security was never a functional requirement. It wasn’t until the Internet became mainstream that the need for security manifested, and since then band-aid after band-aid has been placed upon it in an attempt to provide the confidence needed to protect the eCommerce and operational application markets.
Because of this, always assume someone is listening on that free wifi network you are plugged into at a quaint café, or at Jet Blue’s terminal within JFK International. Assume, too, that your identity has a high probability of eventually being stolen, and that your hard drive will eventually die along with all the data you meant to back up for the past 6 months.
2) Assess your level of risk
As this topic extends beyond Obu’s expertise in web design or internet marketing, we interviewed Information Assurance expert Scott Pack of Prodigeo Corp., who audits the security integrity of the IT assets deployed by the US military, to get some insight about what goes into an Internet Security plan. Every business has unique needs depending upon the type of information it needs to protect. In most companies, it is up to the Chief Information Officer/Chief Technology Officer to find the fine line between the System Administrator, who will say to open up everything to make it easier to manage, and the in-house or outside security consultant, who will claim that everything needs to be locked down to minimize risk. The important thing is that those two parties are separate so that no conflict of interest is present. The decision maker’s fiscal baseline equation should weigh the probability of a breach (how sweet a target you are, for example whether you hold credit card information or other sensitive data that can be sold, measured against your current security architecture and configuration) against the financial cost of a compromise (including lost client trust/goodwill and the cost of damage control); the result is fiscal responsibility.
Many have already been exploited and just don’t know it. It is difficult to catch a well-installed “trojan horse” or “bot,” and the average time for a system to be breached is 5 minutes once a new vulnerability is found and disseminated among like-minded hackers.
The end result is that most companies will need a tiered system based on levels of threats. Mr. Pack was kind enough to describe it in layperson’s terms (and we love analogies): “In a castle, the first drawbridge and moat will protect the peasants (non mission critical information), a second wall and gate fortify the aristocrats and nobles (mission essential), and the last tower and guards protect the royalty (mission critical).” The drawbridges, moats, castle walls, and soldiers are your:
- Internal detection/protection systems
- Antivirus programs
- Virtual Private Networks
- Host-Based Security Systems.
But it is not enough to just turn these systems on in your network; they must be configured to optimize the level of confidentiality (protection from information disclosure), data integrity (protection from changes to data or from unauthorized data being present, such as bots or viruses), and availability (certainty that the system will function when needed).
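To make the fiscal baseline equation and the castle tiers concrete, here is a small risk model as an added example. It is not code from Obu Interactive or from Prodigeo Corp.; the asset names, breach probabilities, dollar figures and tier thresholds are constructed sample values, not measurements. It computes each asset’s expected annual loss (probability of a breach times the direct and goodwill cost of a compromise), assigns it to a castle tier, and checks whether a candidate control avoids more loss than it costs to run.

```python
"""Constructed example: tiering assets by expected loss and costing controls.

Not Obu's or Prodigeo's code; every number below is a made-up sample value.
"""
from dataclasses import dataclass

# Assumed thresholds mapping expected annual loss (dollars) to castle tiers.
TIERS = (
    ("mission critical", 100_000),    # royalty: last tower and guards
    ("mission essential", 10_000),    # nobles: second wall and gate
    ("non mission critical", 0),      # peasants: drawbridge and moat
)


@dataclass
class Asset:
    name: str
    breach_probability: float   # annual probability of breach, 0..1, with current controls
    direct_cost: float          # damage control, notification, legal costs if breached
    goodwill_cost: float        # lost client trust / churn if breached
    control_cost: float         # annual cost of one candidate mitigation
    control_reduction: float    # fraction of breach probability the control removes


def expected_annual_loss(asset):
    """Probability of a breach times the full cost of a compromise."""
    return asset.breach_probability * (asset.direct_cost + asset.goodwill_cost)


def tier_for(asset):
    """Place the asset in the first tier whose threshold its expected loss meets."""
    eal = expected_annual_loss(asset)
    for label, threshold in TIERS:
        if eal >= threshold:
            return label
    return TIERS[-1][0]


def control_is_worthwhile(asset):
    """True when the loss the control avoids exceeds what the control costs."""
    avoided = expected_annual_loss(asset) * asset.control_reduction
    return avoided > asset.control_cost


def plan(assets):
    """Rows of (name, tier, expected loss, buy control?) sorted by largest loss first."""
    rows = [
        (a.name, tier_for(a), round(expected_annual_loss(a), 2), control_is_worthwhile(a))
        for a in assets
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample assets for a small online business (values are illustrative).
SAMPLE_ASSETS = [
    Asset("card database", 0.2, 400_000, 350_000, 40_000, 0.5),
    Asset("contact form records", 0.3, 20_000, 30_000, 10_000, 0.4),
    Asset("public marketing site", 0.5, 2_000, 3_000, 500, 0.6),
]

if __name__ == "__main__":
    for name, tier, loss, buy in plan(SAMPLE_ASSETS):
        print(f"{name:24} {tier:22} expected loss ${loss:>10,.2f}  control worth it: {buy}")
```

The interesting row is the contact form records: the data is mission essential, yet the proposed control is not worth buying because it costs more than the loss it avoids, which is exactly the trade-off the post says the decision maker, not the administrator or the consultant alone, has to settle.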
3) Internal risks
While your Web site is being built, it is prudent to hire an Information Assurance expert, but he or she will not be there if a laptop is stolen or if security is breached from inside your business. Having a good quality IT person, training, policies for protecting sensitive information, forensic procedures, and other standard security measures outlined for your employees who have laptops is very important. Many emerging technologies are making security more affordable for small businesses, including encryption packages, login features, and new developments in using wireless technology to track laptops geographically if they are stolen or lost.
4) Laws that pertain to security breaches
In 2003, California Civil Code Sections 1798.29 and 1798.82 were enacted; according to the Privacy Rights Clearinghouse, they require that “State government agencies as well as companies and nonprofit organizations regardless of geographic location must notify California customers if personal information maintained in computerized data files have been compromised by unauthorized access.” California has an Office of Information Security and Privacy Protection with many useful guidelines.
In addition, the Federal Trade Commission has outlined a guide for business owners on how to deal with a potential breach in security on its Web site.
Murphy’s Law is alive and well even in the data age – “anything that can go wrong will go wrong” – so it is always best to be prepared and informed. Still, Internet policy and laws have a difficult time reaching abroad to pursue the bulk of today’s threats. Everyone is vulnerable, but allowing your business to be low-hanging fruit directly affects Errors & Omissions premiums and damage control expenditures. The king needs his guards, and in the end it becomes an issue of weighing the threat against the level of protection. Fortunately, as large and small business owners become informed, it is much harder for malicious hackers to steal data through corporate espionage.
While not every business may need a detailed security analyst, being aware is part of being prepared. Keep this in mind as your business’s website adds functions or contact form fields which may carry sensitive data.
Erin Jourdan is a guest blogger for Obu Interactive who has worked extensively in print and interactive.
I happen to know a thing or two about identity fraud. My wife’s identity was stolen in the past year and she was issued 10s of fraudulent credit cards, new bank accounts, new cars; she even went to the hospital apparently. Well, the crook did at least. The thief also deemed it easy enough to walk into the DMV and get an official driver’s license complete with her picture and my wife’s information. You would think the DMV is secure; it’s not. You would think Wells Fargo is secure; it’s not. Like Scott points out, there are lots of holes in the systems and we should all be held accountable.
If you’re building a website you should definitely take into consideration situations like mine and make sure your server is PCI compliant. As far as I understand, that’s the most common set of guidelines for creating secure transactions. Important to note: compliance takes time to bring to life, so hiring a person like Scott is worth the money.