There are critical business security issues that need to be handled sooner rather than later. Just last week, I discovered that we’d gone to bed and forgotten to lock the rarely-used back door to our house. In fact, it wasn’t just unlocked – it was slightly ajar.
And it had been that way for at least three days.
Fortunately, we weren’t burglarized or killed in our sleep so the story had a happy ending. In fact, given that there were no consequences, I figured I’d just leave the door open and unlocked indefinitely. I mean, why not? I’m a busy guy – I have other important things to do.
Don’t get me wrong, I’m not an idiot. I WILL close it eventually. But we’ve got by with it open thus far, so there’s no rush.
(By now, you see this is a metaphor, right?)
Getting a Round Tuit
A friend of mine used to have a plate on his wall that was labelled, “A Round Tuit.” His wife used to complain that when she asked him to do a job around the house, he’d say that he’d do it when he “got around to it.” So, she figured if she bought him one, then stuff might start getting done.
Is securing your online business (or reviewing the security you already have in place) one of those jobs that you figure you’ll sort out when you get around to it?
Maybe you read about SSL certificates and decided you’ll get around to getting one eventually. Or you know that your Privacy Policy hasn’t been updated or even reviewed in five years, but it’s on your “to-do” list – somewhere.
That’s not a great position to be in because, potentially, your back door is not just unlocked but it’s also slightly ajar. Just because no one has – so far – tunneled into your online business and set fire to everything doesn’t mean you can keep putting these things off.
It isn’t just your profits and your customers’ privacy that is at risk. Negligence leading to a serious breach could result in fines or even prison time.
So think of this article as your personal Round Tuit when it comes to security issues in your business. Here are five areas of your online business that you should review and lock down ASAP.
Please know that none of this is legal advice – I’m a writer not a lawyer. Most of the information in this article came from people in our business who understand this stuff way better than I do, so it’s solid advice. But still… it’s up to you to do your due diligence and research what your business needs to be compliant with the law.
Purchase an SSL Certificate
A Secure Sockets Layer (SSL) certificate lets your website prove its identity to your visitors’ browsers and encrypt the connection between your website and your customers’ computers. (The protocol is now technically TLS, but the certificates are still commonly sold and referred to as SSL certificates.)
If you need to know more about the specifics of the technology there are some good explanatory videos on YouTube but all you really need to know is that it’s inexpensive to purchase and it’s ESSENTIAL if you collect any kind of data from your visitors.
Whether it’s names, email addresses, physical addresses, credit card numbers, bank details… it doesn’t matter. If that bit of data identifies your visitors in some way, it should be encrypted in transit, and SSL is the simplest, fastest means of accomplishing that.
Genesis Digital (Genndi) has a company-level SSL certificate that verifies and protects all of our websites. Certification at that level is not cheap but, if you’re a small business with a single website, you can purchase an SSL certificate for just a few dollars a month. Bear in mind that certificates expire, so whichever option you choose, make sure renewal is handled (ideally automatically) rather than left to memory.
And here’s the thing about investing in security for your business…
When your customers can SEE that you take online security seriously – both yours AND theirs – this feeds into their positive perception of your business and builds trust.
Money spent in securing your business doesn’t just pay for itself. In the long run, it increases your profits.
ACTION: Google “SSL Certificate” and purchase from a reputable provider (which may be your current website hosting company).
Create (or Review) Your Privacy Policy
There are legal requirements for your company’s Privacy Policy and I’m not even going to pretend that this stuff isn’t complicated. But the good news is that this stuff scales.
If you’re a large company, you should seek legal advice. If you’re a small business or a solopreneur, purchasing an inexpensive Privacy Policy template and customizing it for your business may suffice.
Before you get to the stage of thinking about statutory compliance, it’s good to come up with an ACTUAL Privacy Policy for your business. For example, Genndi’s policy is this:
Find out what protects the most people and implement it.
It’s a simple concept but it encompasses our determination to stay on top of security, and our decision to choose the best security options, regardless of cost or complexity.
Yes, this is an ethical decision but it’s also a business one. We hold firmly to the belief that what is in the best interest of our customers is also in our best interest. Tight security costs more but the trust it earns us increases our sales and our bottom line.
This means security for Genndi is…
- Doing our research.
- Watching for changes in policies and adapting as required.
- Considering the legal requirements in ALL geographic areas where our customers reside.
- Writing a formal Privacy Policy document that reflects the above.
This also led us to decisions such as using Cloudflare, becoming EU (European Union) Privacy Shield compliant and using reputable third-party payment processors so that we don’t store customer credit card information.
If you’re a small business, start by googling “Privacy Policy generator.” A basic template is inexpensive and easy to customize. If you’re a large business (or once you start to grow in that direction), seek professional advice and be willing to invest in systems that protect your customers.
ACTION: Create a Privacy Policy document and add it to your website (or review your existing document).
Prepare for a Breach
Here’s the bad news…
When it comes to a breach of your servers, it’s not so much “if” but “when.”
The good news is that breaches come in a variety of forms and don’t necessarily have to involve ne’er-do-wells breaking into your server and stealing stuff. A Distributed Denial of Service (DDoS) attack, for instance, is usually performed with the goal of bringing your site down rather than pilfering your digital data. It’s still a headache but not as big a problem as losing sensitive customer data.
Genndi, fortunately, has never experienced any kind of customer data breach but we’re well aware that, as our company grows and becomes more visible, it is logical to assume that we’ll increasingly become a target.
The trick is to prepare in advance so that, if the worst happens, you have a clear plan of what to do and how to respond. If you wait until a breach takes place, you’ll be too stressed to think clearly so now’s the time to determine your action plan.
Consider doing some or all of the following:
- Ensure your servers are backed up frequently, and test restoring from a recent back-up to confirm that your backup system actually works (an untested backup is not a backup).
- Speak to your server hosts about the security they employ and consider moving to a dedicated server.
- Make sure you always update your software as soon as an update is released in case it contains a patch for a security flaw.
- Create an action plan for evaluating your assets if a breach occurs so that you can properly assess what has and hasn’t been compromised.
- Decide, in advance, what your PR (public relations) response is going to be.
The last item in this list is the one that tends to be ignored in favor of a “let’s wait and see” attitude. This is a mistake because it creates the temptation to try and gloss over the breach and hope that no one notices.
If you publicly announce that you’ve experienced a breach, you’re going to take a hit – that can’t be helped – but it’s much, much worse if you’re breached AND you’re accused of trying to cover it up.
Data breaches are forgotten surprisingly quickly (remember eBay in 2014 or Sony PlayStation in 2011 or MailChimp in 2018?) but they tend to linger in the news when details emerge of poor responses or attempted cover-ups.
It can be a hard pill to swallow but honesty is ALWAYS the best policy. Rest assured that if Genndi ever experiences an “event” you’ll hear about it from us, not from CNN.
ACTION: Review your server security and backup system, and proactively plan your response to a breach.
Protect Yourself from Ransomware
Ransomware is a type of malware that encrypts your hard drive data and then attempts to extort money from you in exchange for releasing your content. This deeply unpleasant scenario is terrible enough when it hits an individual machine but, when it hits a network of computers, the impact can throttle your business.
If you’re unfortunate enough to have your computer affected, take the following steps:
- If you’re on a network, disconnect immediately (either unplug the network cable or turn your Wi-Fi off) so the infection can’t spread to other machines or shared drives.
- Take photos of your screen.
- Check that it’s a real infection and not just a pop-up pretending to be ransomware.
- Use an uninfected device to search for workarounds or fixes (even for some of the nastier encryption-based varieties, free decryption tools exist for safely removing the malware and restoring your data).
- Your insurance may cover you for any damages so file a police report (this is where your photos come in handy).
Paying the crooks who infected you should be an absolute last resort and, even then, you’re usually better off cutting your losses. Giving money to con men rarely works out well and, in the best-case scenario, helps to perpetuate the problem.
Of course, prevention is always better than the cure. You can reduce the risk of contracting ransomware and mitigate the damage caused if you do experience an infection with the following precautions.
Don’t open email attachments or click links in emails unless you’re 100% sure it’s from a trusted source. Even if you recognize the name and address in the “from” field, beware if the content sounds odd. It’s not impossible for email headers to be spoofed so that it looks like the email is from someone you know.
Stay off movie, TV and software download sites. If you REALLY want to watch the new season of Stranger Things, fork out a few bucks for a Netflix subscription instead.
Install antivirus software. Yes, they can slow down your system and get in the way, but it’s better than the alternative.
Have a back-up system for all your local content. If you contract ransomware that can’t be nuked, you’ll always have the option of formatting your computer and restoring everything from a back-up. Keep at least one copy that isn’t permanently connected to your computer, because ransomware will happily encrypt any attached backup drive it can reach. If you hate the idea of buying back-up drives, try one of the online services that runs in the background and continually backs up to the cloud.
ACTION: Install a back-up system and take caution with websites you visit and the emails you open.
Be Aware of Social Engineering
As digital security gets better, criminal hackers are increasingly looking to exploit weaknesses in human systems. Why go to the trouble of trying to hack a secure system when you can ring a call-center and trick someone into giving up personal information?
This is more common than you might think. When you call your doctor’s office to make an appointment, the receptionist asks for your name and, once you say it, they usually respond with, “Is your address 15 Juniper Lane?” This is just one example of how easy it can be for a stalker to obtain someone’s home address.
Even well-drilled call-center operators can slip up and unintentionally give out sensitive information when the right buttons are pushed, such as a baby crying in the background.
Not to freak you out but the biggest security weakness in your business might be internal – not from unethical employees but just from nice people being naïve.
Your first point of action should be to limit the flow of internal information. The fewer people who have access to company money or customer information, the fewer openings there are for criminals.
At Genndi, very few people have access to critical systems, and gatekeepers are all high-level employees. For added security, we also ensure that no individual system is entirely managed by one person. Generally, we aim to have two people with access to sensitive data who can review each other’s actions.
The appropriate security system for your business will depend on the structure of your business. If you’re a solopreneur, you might be the only gatekeeper in your business. But even a small business with only a handful of employees should still periodically review who has access to what.
After that, it’s chiefly about training your employees to follow security protocols, use complex passwords that are changed regularly and have the courage to refuse to give out information if the recipient hasn’t completed security checks (no matter how angry or upset they get).
ACTION: Review who in your business has access to sensitive information, and periodically refresh your employees on security protocols.
Simpler is Safer
There’s a fair chance that you’re thinking, “This is great advice, I should bookmark this article and review it again soon.”
Please don’t do that.
Instead, open your calendar and clear at least one (preferably two) days to take action on everything in this article. If you’re concerned about the cost, the time required to put security in place or the complexity of following through on some of these recommendations, here is a final tip that will simplify your requirements…
Use reputable third-party agencies to handle sensitive data.
Here’s an example of how that works…
If you sell a product on your website and you take credit card payments, there are generally two approaches:
- The customer enters their credit card details into a form on your site. You then send that information to your payment processor.
Or…
- You send your customer to your payment processor (like PayPal) and that company takes the credit card information directly.
From the customer’s point of view, these two methods are virtually the same. But from your perspective, there is a HUGE difference. The first approach means you must take full responsibility for encrypting and securing your customers’ credit card information whereas with the second, you’re allowing your payment processor to take full ownership of the security.
Removing your business from the credit card-collecting part of the procedure is not abdicating your responsibility. Instead, it’s an acknowledgment that your payment processor SPECIALIZES in securely collecting that information.
By taking yourself out of the process, you’re providing crooks with fewer opportunities to intercept the transaction.
This concept is equally true of things like autoresponders and web hosting. Handle it in-house and you have a LOT of security and privacy issues to contend with but, if you instead assign the job to a reputable agency who specializes in looking after this data, you provide a safer experience for your customers and save yourself a lot of unnecessary stress.
This is actually one of the philosophies behind our Kartra software. When our customers use Kartra to securely handle multiple elements of their business (autoresponders, webpage hosting, helpdesk, membership portal, shopping cart, affiliate management, etc.), they also relieve themselves of the stress of having to lock down the security for all these different elements.
And because all these elements of our customers’ business are secured within one system, it also limits the number of entrances for hackers to attack.
***
It probably goes without saying, but I’m going to say it anyway…
This isn’t an exhaustive list of security issues that your business needs to consider. But these represent the best places to start.
The big key is to get started. Forget soon, later, next week and ‘round-tuits’ – book some time in your schedule now.
This is not just about avoiding pain or even building trust with your customers – it’s about your bottom line. Take care of your customers’ security and they’ll feel confident to purchase your products and services with trust.