Security is something that traditional media is finally starting to take seriously. From the now infamous Snowden leaks to a major retailer like Target getting their credit card information stolen, to Lenovo and other companies caught installing Superfish, a potentially dangerous form of ad-ware, it seems like a new data breach is the story lead almost every week.
For webmasters and eCommerce owners, there’s never been a better time to reassess how your company handles data privacy. If you don’t, your company might be the next in a security headline, and contrary to what you might hear, there IS such a thing as bad press. While it’s impossible to make any site completely secure, there are a few steps that every business should consider when it comes to user privacy.
Consider Moving To HTTPS
Google recently announced that they would give a small ranking boost to websites that boasted secure connections over those that relied on the older unsecured standard of traditional HTTP. While current data suggests that this is still a minor signal with almost no impact, the search giant could make this much more important in the future.
HTTPS creates a secure connection between your customer’s computer and the server hosting the page they are viewing (source: www.collectiveray.com). One of the reasons Google initiated their HTTPS ranking signal was as a response to the Snowden leaks because a secure connection, while not perfect, is much harder to eavesdrop on than an unsecured one.
Initiatives like the EFF’s Let’s Encrypt hope to streamline the process and costs associated with securing your website, making it feasible for even part-time bloggers to consider investing in. Thanks to the new HTTP/2 standard, secured websites will also load noticeably faster than they have in the past, meaning that a secure connection’s impact on site speed is no longer a significant factor. These boosts would allow Google to make the argument that, since the cost to switch over is greatly diminished, they can increase the weight that site security carries in page rank without unfairly punishing new websites.
Securing your website using HTTPS, particularly if you have a large eCommerce site, can be time-consuming but ultimately worth it. Not only will it help you prevent potential malicious attacks, but securing your site can earn good will from your users.
Limit What Data You Store
The typical user will leave a lot of potentially useful data on your website. Even if they don’t purchase anything, you’ll still have information about where they’re from, their browser information, and depending on what advertising service you use you could have detailed information about their browsing habits before they landed on your site. If they log in, you have the ability to tie that information to their name, address and credit card information.
All of this data can give you a wealth of potentially useful information, but the same data is also one of the things that will make your website a tempting target for would-be attackers. While this data is useful to your business, it can be harmful to your users in the wrong hands. Thankfully, there are a few steps you can take to protect your users without sacrificing useful analysis.
First, carefully consider what data you really need to store. Unless you’re a commercial powerhouse, it’s likely that you use a third party (such as PayPal, Amazon, or Square) to manage your credit card processing. Not only is this a relatively simple solution, but it’s also a more secure one as well. These companies invest a lot of money in keeping their payment servers up to date and if there is a breach, it will be someone attacking their servers and not your own. If you utilize a secondary payment system, make sure that this personal financial information is not stored on your servers.
Another popular option is using data anonymization to keep your users’ identities secure. If someone visits your site without registering, that data should be anonymized. Services like Google Analytics do this already, but other tracking software may not. Anonymous traffic will give you useful statistical data, but it prevents anyone from using that information maliciously against your users. Once a user logs in, however, their browsing and purchasing habits are linked to their account.
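As an illustration of what anonymizing visitor data can look like in practice, here is an added example (not part of the original article) that scrubs web server access-log lines before they are stored. It assumes the common "combined" log format; the /24 and /48 truncation widths, the keyed pseudonym for logged-in users, and all function names are choices made for this example.

```python
import hashlib
import hmac
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines in the "combined" access-log format.
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Mar/2015:13:55:36 +0000] "GET /cart?email=jane%40example.com HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8:85a3::8a2e:370:7334 - alice [10/Mar/2015:13:56:01 +0000] "GET /products/42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\[[^\]]+\]) "(\S+) (\S+) ([^"]+)"(.*)$')

def truncate_ip(raw):
    """Zero the host part of an address: keep /24 for IPv4, /48 for IPv6."""
    ip = ipaddress.ip_address(raw)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def anonymize_line(line, key):
    """Return a scrubbed copy of one log line, or None if it cannot be parsed."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # drop unparseable lines rather than store them raw
    ip, ident, user, ts, method, target, proto, rest = m.groups()
    try:
        ip = truncate_ip(ip)
    except ValueError:
        return None  # first field was not an IP address
    # Logged-in visitors get a stable keyed pseudonym; guests stay "-".
    if user != "-":
        user = "u_" + hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:12]
    path = urlsplit(target).path  # query strings often carry emails or tokens
    return f'{ip} {ident} {user} {ts} "{method} {path} {proto}"{rest}'

def anonymize_log(lines, key):
    return [out for out in (anonymize_line(l, key) for l in lines) if out]
```

The truncated addresses still support per-region and per-network statistics, while the stored log no longer identifies an individual guest's connection.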
If you allow customers to register on your site, make sure that the server storing that information is as secure as you can make it, and limit who has access to it. Most of the tips we offered concerning social media security apply to user data as well. The fewer people who have access, the better. Explaining how you lost a customer’s purchasing history is an easier conversation than letting them know that someone stole it from you.
Choose Your Partners Wisely
Lenovo didn’t put Superfish on their laptops because they wanted to put their customers at risk. Instead, the company offered them money to pre-install the software on their computers and then promised a portion of future ad revenue. The company that designed the Superfish code likely didn’t intend to put the users at risk either. Instead, they saw a potential opportunity to make money off of relevant ads and implemented a way to do it before understanding how their workaround could be used maliciously.
Online advertising and analytics are two quickly developing fields. Google is the largest player in both fields, but there are always a dozen new companies offering solutions that they say can provide more useful information or greater revenue to their clients. They could be right. Remember, at one point AdWords was the new entrant, so it’s worth considering these alternatives from time to time.
If you do decide to go with a new company, however, it’s important that you get an understanding of how their services work. Superfish was a poorly implemented exploit that hijacked a computer’s SSL certification program. This forced a browser to accept the ads served by Superfish as coming from a secure connection, even though they weren’t. Security experts were quickly able to use the same code to trick a browser into accepting a fake Bank of America site as a valid one.
If a program promises unrealistic revenues or appears to do something you thought was impossible, it’s alright to ask for clarification. Lenovo is in hot water, not just because of how dangerous this exploit was, but because no one bothered to think about how easily this “innovation” could be used maliciously in the wrong hands. Remember that customer trust is a lot harder to earn once you’ve broken it and it’s something you can’t put a price tag on.
A Secure Site Is Best For Your Users
In the end, making user security a priority is good business. Not only will it reduce your risk of a malicious attack, but it will help build good will with your customers. With security breaches from big companies making the news, the average customer is more aware of things like secure browsing than they have been in years past.
The internet gives businesses an unprecedented opportunity to tailor their message uniquely for each customer. But as the data webmasters have available to them increases, so does the responsibility they have to their clients over how that data is treated. If you never paid a lot of attention to web security previously, 2015 is a great year to start.