It can be a daunting task to consider security in your website build. But it is absolutely imperative to protect your users’ data, and the flood of data leaks by major corporations should demonstrate that no one is immune to attack.
It isn’t always the number of compromised accounts that matters, either. The type of data matters too. The Equifax leak was much worse than the Yahoo leak, even though only about 150 million records (including Social Security numbers) were stolen versus three billion accounts. The reason? Social Security numbers are lifelong, unalterable pieces of information, while passwords can easily be reset.
So how can you protect your users from data leaks or further compromise if you do get hacked?
If you store user data, encrypt it. This is the most important item on this list. Full-disk encryption is easy to enable with the tools built into every major operating system (BitLocker, FileVault, LUKS), and it protects data at rest: a stolen, lost or discarded drive yields nothing without the key. Be clear about what it does not do, though. While a server is running, the disk is unlocked and the operating system hands decrypted data to whatever process asks for it, so an attacker who compromises the running host reads the same plaintext your application does. To survive that case, the sensitive fields themselves (Social Security numbers, card numbers) need to be encrypted at the application layer with keys kept away from the database, and passwords should not be encrypted at all but stored as salted, slow hashes that nobody, including you, can reverse. Encryption does add some computational cost to reading and writing data, but it is worth it to protect users, and modern algorithms with hardware acceleration make the overhead small enough that employees will not notice any slowdown once it is in place.
Your company does not even need to be targeted for encryption to prove beneficial. If your employees routinely carry mobile devices (smartphones or laptops) holding confidential data, encrypt those devices: a laptop left in a taxi is only a data breach if its disk can be read.
This matters for usernames and password hashes, but it is vital if you store things like Social Security numbers, credit card numbers, or other long-shelf-life items. Leaving unencrypted customer data on internet-connected servers is irresponsible and a disservice to your customers.
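The point about passwords deserves a concrete illustration. The following is an added example, not code from the original article: it stores each password as a salted scrypt hash with the work factors recorded alongside it, so a stolen user table gives an attacker only an expensive guessing job rather than the passwords themselves. The record format (`scrypt$n$r$p$salt$hash`), the parameter values and the function names are this example's own choices, and it assumes a Python 3.6+ interpreter built against OpenSSL with scrypt support.

```python
import hashlib
import hmac
import secrets

# Work factors are an assumption for this example; raise them as your hardware allows.
# Memory use is roughly 128 * n * r bytes (16 MiB here).
SCRYPT_N = 2 ** 14   # CPU/memory cost
SCRYPT_R = 8         # block size
SCRYPT_P = 1         # parallelism
SALT_BYTES = 16
KEY_BYTES = 32
MAXMEM = 64 * 1024 * 1024  # explicit cap passed to OpenSSL


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    """Run scrypt over the password with the given salt and parameters."""
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
        maxmem=MAXMEM, dklen=KEY_BYTES,
    )


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_hex$hash_hex.

    A fresh random salt per password means two users with the same password
    get different records, so precomputed tables are useless against the dump.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    """Split a stored record into its parameters; raises ValueError if malformed."""
    algo, n, r, p, salt_hex, hash_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record format")
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/parameters and compare in constant time."""
    try:
        n, r, p, salt, expected = _parse(record)
    except ValueError:
        return False  # malformed record: fail closed rather than crash
    candidate = _derive(password, salt, n, r, p)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True if the record was made with weaker parameters than the current policy.

    Call this after a successful login and re-store the password with
    hash_password() so old records are upgraded without a forced reset.
    """
    n, r, p, _, _ = _parse(record)
    return (n, r, p) != (SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    # Constructed sample, not real user data.
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("wrong password", stored))                 # False
    print(needs_rehash(stored))                                       # False
```

Because the parameters live inside each record, you can raise the work factor later and migrate users transparently on their next login; the stored value never contains anything an attacker can use without brute-forcing the password itself.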
On the topic of customer service, tell customers what you collect. This helps them make an informed decision about how much information they want to give you. If you break their trust by surreptitiously collecting data, customers will be outraged once a leak occurs: not just because their data was leaked, but because you collected more than they intended to hand over.
If you are operating a website that rates local restaurants, you don’t need to collect the birthdates of your users. It may seem useful, and there may even be legitimate reasons to do it, such as learning which demographics frequent which areas. But exact birthdates are not necessary for that. A date of birth is routinely used to verify identity for financial transactions, so it is sensitive, and it is completely unalterable.
Analyze your policy. Is there a better way than birthdates? What about age, or just the year of birth? That would place users within a year for demographic purposes without giving away the most sensitive part (the exact day and month). Try to reduce what customer data you collect and refine what you do collect so that you are not responsible for guarding additional sensitive information needlessly.
One of the best ways to protect your customers is to educate them. They are their own best first line of defense. If users know what a phishing website looks like, or how easily credit card numbers can be stolen, they will be far more proactive in protecting their own data. Coupled with a limited and transparent data collection policy and encryption of what you do keep, a breach will yield little of value to attackers even if the database itself is exfiltrated, provided the keys are stored separately from the data they protect.
Ignoring IT security is not an option. It may seem unnecessarily expensive for small businesses, but using built-in encryption tools and following simple strategies will go a long way toward protecting your customers.