Protecting the privacy of your customers has become an important mission for every internet business. Daily news reports on security breaches and data loss are so common that we hardly pay attention to them. Big companies make the headlines, but in this day and age everyone’s a target. Here are some tips to ensure your business doesn’t end up in a news article.
The small business misconception
Just because you run a local retail shop on the internet doesn’t mean no one is interested in your data. You have customer data and active email addresses that can be used for spam purposes. Maybe you run a local travel agency and you store your customers’ home details and their travel arrangements: interesting information for burglars. It could also be that one of your customers is the spouse of an important CEO who might be a target for hackers. They will use your business for spear phishing attacks, as you’re considered a “trusted source”.
Even if this doesn’t apply to your online business, just having access to your web server is of great value to anyone who wants to hide their tracks. And as a small company, you don’t have the budget, or haven’t even considered how, to protect your online business against hackers, viruses and all the other nasty things floating around on the Internet.
The moment you move your physical business to the Internet, you become a target for people with bad intentions. It’s that simple. In real life, when you start your physical business you treat things like a fire alarm, security cameras and a vault as your primary security necessities. The same basic security measures are also required in cyberspace: strong passwords are the fence in front of your store window, data encryption is the security officer at the front desk and your monitoring tools should act as your security cameras.
Privacy and personal data
In Europe, a great deal of time and effort has gone into protecting individuals and their right to privacy. You have probably heard about the European Data Protection Directive (also described on Wikipedia), a directive to protect and honour the privacy of individuals and their personal data. The concept is simple: all information that can be linked to a single person is personal information and should be protected.
Of course there is the EC’s infamous “Cookie Law”. It was one of the directives that impacted any website interacting with individuals from the EU. Now you see this request to accept cookies everywhere if you surf from within the EU.
But a lesser known directive is about the protection of personal data your visitors have provided. Again, personal data is about linking information to an individual person. In other words, if you have a company email like [email protected] it is not linking directly to an individual so all transactions that are linked to this email address are not considered personal data. Unless the company is a one-man business! Once you deal with email addresses, home addresses, birthdates and -places, hobbies and so on, you’re entering the “personal data realm” and you must do what is technically possible to protect this information.
One way is to store this data encrypted in databases, maybe even in separate databases for personal and common data (email and home address versus zip, city and country). The goal is that whenever this data is made public, intentionally or unintentionally, the privacy of your customers is still guaranteed. And there are plenty of examples on the internet where the protection of privacy-sensitive data was abused or not taken into consideration at all.
Examples in the news
5 tips to improve privacy protection
Here are a few tips we can offer you to protect personal data of your customers and make you less “interesting” for hackers to break into your system.
Tip 1: Get a professional
It seems silly, but I still run into business owners that have their 8-year-old daughter or 14-year-old nephew design and maintain their business website. It’s great to have them involved and I can only applaud the fact that you do so. But besides making a web site look shiny and responsive, you also need to protect it. Hire a professional web agency: they understand the risks of the internet very well and are able to produce not only a fancy design but also a secure web application.
Tip 2: Only ask the bare minimum
Unless you’re actually giving a present to your customer on their birthday or have an age-related business, there’s no need to ask your customers for their birthday information. Knowing where they grew up or what their first pet’s name is is totally irrelevant for security; it’s only interesting information for people who want to steal identities. A good, strong password with unlimited characters will be more than sufficient.
Tip 3: Encrypt the personal data you store
If you store personal information encrypted in your database, the only way to access this information is through a management panel. This approach will make it more complicated for people to steal this data, even if there’s a backup file on a laptop that might get stolen. Make sure this management panel or admin dashboard is restricted in access (e.g. only from within the company), so access to it is limited and controlled.
Tip 4: Monitor unusual access
If your business operates during normal office hours (e.g. 9am to 5pm), any activity on the management dashboard outside this timeframe should be considered suspicious and trigger an alarm, just like the alarm in your physical business building.
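One way to implement this check, as an added example that is not code from the article or from in2it. It assumes Apache combined-format access logs, a dashboard under /admin, office hours of 09:00 to 17:00 on weekdays in server-local time, and constructed sample log lines.

```python
import re
from datetime import datetime, time

# Assumptions (not from the article): dashboard path prefix and office hours.
ADMIN_PREFIX = "/admin"
OPEN, CLOSE = time(9, 0), time(17, 0)

# Apache combined log format: ip ident user [timestamp] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - alice [12/Mar/2024:10:15:02 +0100] "GET /admin/customers HTTP/1.1" 200 5123
198.51.100.7 - - [12/Mar/2024:02:41:55 +0100] "POST /admin/login HTTP/1.1" 401 312
198.51.100.7 - bob [12/Mar/2024:02:42:10 +0100] "GET /admin/export HTTP/1.1" 200 88211
203.0.113.5 - - [12/Mar/2024:03:00:00 +0100] "GET /products HTTP/1.1" 200 1200
192.0.2.10 - alice [16/Mar/2024:11:00:00 +0100] "GET /admin/ HTTP/1.1" 200 900
this line is not a log entry
"""

def off_hours_admin_hits(log_text):
    """Return dashboard requests made outside office hours or at weekends."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(ADMIN_PREFIX):
            continue  # unparsable line, or not a dashboard request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        weekend = ts.weekday() >= 5            # Saturday = 5, Sunday = 6
        in_hours = OPEN <= ts.time() < CLOSE   # wall-clock time as logged
        if weekend or not in_hours:
            alerts.append({
                "when": ts.isoformat(), "ip": m["ip"], "user": m["user"],
                "path": m["path"], "status": int(m["status"]),
            })
    return alerts

if __name__ == "__main__":
    for alert in off_hours_admin_hits(SAMPLE_LOG):
        print("ALERT", alert)
```

In practice the returned alerts would feed whatever notification channel you already use, and the office-hours constants should follow your real opening times and public holidays.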
Tip 5: Keep your software up-to-date
It seems like the most obvious solution of them all, but there are many servers on the internet that don’t run the latest, greatest versions of their software. The moment a flaw in the software is detected, software vendors scramble to fix this loophole as quickly as possible to ensure their customers are protected. On the other side, hackers analyse the flaw and use automated scanners to find servers that have it, so they can exploit it and break into the system. And don’t expose version numbers of your software (like Apache and PHP headers). It’s not going to stop hackers, but at least it makes it a bit more difficult to figure out what applications and versions you run.
Privacy is a fundamental human right and should be protected. We at in2it care much about the regulations and guidelines given by the European Commission and we’re always happy to advise you to ensure the protection of your customers’ personal data.
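A small audit for the header advice above, as an added example that is not code from the article. The response headers and version numbers are constructed; the remediation hints name the standard Apache directives ServerTokens and ServerSignature and the PHP setting expose_php.

```python
import re

# Headers that commonly reveal software and version, with the setting that hides them.
CHECKS = {
    "server": "Apache: set 'ServerTokens Prod' and 'ServerSignature Off'",
    "x-powered-by": "PHP: set 'expose_php = Off' in php.ini",
}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")  # dotted version such as 2.4.41

# Constructed response headers for illustration (not captured from a real site).
LEAKY = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.2.3
Content-Type: text/html; charset=UTF-8
"""
HARDENED = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
"""

def version_leaks(raw_headers):
    """Return (header, value, fix) for each header that discloses a version."""
    findings = []
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        key = name.strip().lower()
        if key not in CHECKS:
            continue
        # With expose_php off the X-Powered-By header is absent, so its mere
        # presence is a finding; Server is flagged only when it carries a version.
        if key == "x-powered-by" or VERSION_RE.search(value):
            findings.append((name.strip(), value.strip(), CHECKS[key]))
    return findings

if __name__ == "__main__":
    for header, value, fix in version_leaks(LEAKY):
        print(f"{header}: {value} -> {fix}")
```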