The Secure Economy is growing, but what is the “Secure Economy” and how does it affect your business? Simply put, the “Secure Economy” is made up of those businesses that are ensuring not only the security of their own operations online but also the security of their customers and the data that they gather from their online activities. Security is increasingly becoming a vital part of any business operation, and whilst a sensible approach to the risk is needed, each business must assess the threat level according to its own niche, business operations and current technical development.
Our research shows that many businesses, both large and small, are simply ignoring the problem or, worse, are oblivious to it. This represents not only a big threat to the business but also a missed opportunity to take part in the growing “Secure Economy”.
We hope to address and outline the issues, offer some insights as to what can be done and give some answers to how best to ensure your business’s security and the security of those who do business with you.
The White Paper looks in depth at the topic of the “Secure Economy” and gives you practical steps to take to improve the online security of your business and ensure you do not lose out. Is your business secure and how does it compare to the competition online? The White Paper is a thought-provoking piece that helps you prepare for the rise of the Secure Economy.
Chapter 1 – The Rise of the Secure Economy
The move that Google recently made with their Chrome browser to highlight websites not using HTTPS to gather personal and sensitive financial data is the start of something much bigger online. Whilst we have documented this move in a previous blog here, the “HTTPS Everywhere” movement is beginning to have a very real impact upon the online marketplace and the start of the “Secure Economy” is evident. Recent reports by the UK Government and security analysts show that the threat of attack for small businesses is very real and should be taken seriously.
The Big Change that Affects YOU!
Keeping your personal data secure and safe has always been a wise step, even in a pre-internet world. With the Internet comes a whole new series of problems and technical issues that could end up “leaking” your data to individuals or organisations who will misuse it.
With the rise of eCommerce, your data security and the data security of your customers is becoming increasingly important, as even small businesses are finding themselves the target of Internet criminals exploiting smaller businesses’ lack of security or understanding of the problems.
The Internet gives unprecedented levels of access to people, their lives and their data. Whilst a single piece of personal information may not be the worst data breach you may experience, criminals are increasingly building up profiles of net users to target, just like the marketers who use your information to target you with products. It may be very easy to find out someone’s mother’s maiden name with only a cursory review of their social media. Add that to a tweet from them about their bank’s incompetence and a back-check of their Facebook profile for date of birth, and you can suddenly start to see how simple data leaks can become a problem.
Whilst over-sharing of personal details that leads to security breaches is a matter for each individual, businesses will increasingly find themselves the target of criminals and hackers, as they are repositories for multiple users’ information, payment records and other usable pieces of data. Add to this a slightly lax view of internet security by small businesses and an increasingly complex technological trading environment, and you have a recipe for big problems for small business.
In 2016 the UK Government’s Information Commissioner’s Office issued a report about online and cyber security, business attitudes to security and online data sharing and the findings for business are quite worrying.
The report shows the vast majority of UK businesses employ online services in some form, from simple information services supplied via websites to full eCommerce and personal data transactions. This report looks at all business sizes, the vast majority of which have business email addresses, websites or pages on multiple social media sites, and many have online-enabled bank accounts or payment processing facilities. The report clearly shows that the UK has a connected business world and that organisations of all sizes, from micro and start-up businesses to international corporations, are taking full advantage of the technological advances and the time, infrastructure and staff cost savings the Internet brings. However, many are simply not taking basic precautions to protect themselves, and as this in-depth article shows, this can affect not only the bottom line but the viability of the business itself.
The Secure Economy Begins
As the report shows, the rise in the use of the Internet for core business services does not seem to be matched by a rise in security on many levels. There need to be significant improvements in attitudes towards data security, and generally safer security practices need to be enforced by businesses of all sizes whenever they become available.
There could be several reasons for the gap between tightening security and the perceived threat, such as:
- lack of awareness
- technical literacy issues
- perceived cost implications
- staff training.
All of these problems can be overcome. The perceived cost barrier is usually a lot lower than businesses might expect, and the cost of preventing data loss and unwanted intrusions will be significantly less than the cost of any remedial work to restore normal services. However, the biggest issue is not cost but customer data security issues surfacing and damaging customers’ confidence in a business’s ability to manage users’ personal details securely. The loss of trust and goodwill can have much longer term consequences than the initial work to repair the security breach and subsequent damage.
Chapter 2 – There’ll Be Winners and Losers in the Secure Economy
According to the US National Cyber Security Alliance, 60% of small companies are unable to sustain their business within six months of a cyber crime attack. Let that sink in: sixty percent of businesses that are compromised fail, and whilst there could be many reasons why the repercussions of these breaches cause the business to fail, the figure is still worryingly high.
Looking back at previous research from 2011, we see the trend has not changed much. A survey of U.S. small businesses sponsored by Symantec and the National Cyber Security Alliance and conducted by Zogby International showed that more than 8 in 10 U.S. small businesses believe their firms are safe from cyber threats, yet almost 80% have no formal security policies in place.
In 2011 the report showed that, among respondents, 40% of all targeted cyber attacks were directed at companies with fewer than 500 employees (Symantec data http://bit.ly/njTeMU). In 2010, the average annual cost of cyber attacks to small and medium sized businesses was $188,242, and roughly 60% of small businesses will close up within six months of a cyber attack (http://www.businessinsider.com/the-challenges-in-defending-against-malware-2011-9).
Almost six years later, it would seem the trend has not reversed or significantly changed.
Ask yourself these two questions…
Most small businesses just have a website, and whilst this may not be mission critical, it does represent an investment in time and money, so ask yourself:
- Do YOU have a recent backup of your website? (weekly or daily)
- Does your business have access to it immediately?
If you cannot answer yes to those two questions then you should plan to lose your website entirely. It doesn’t take much for something to go wrong. Web servers are only computers after all, and how often do you get glitches, issues and crashes on your computer? Now, imagine your computer was being accessed 24/7 by anyone in the world. Can you see how the risk of something going wrong increases?
The biggest winners in the “Secure Economy” will be businesses that have policies in place that support their customers’ security, take advantage of increased data collection security at all stages and look for ways to improve their current security policies.
The biggest losers will be businesses that ignore the opportunity to improve their security. They risk not only their online presence, their reputation and their customers’ data but, as previous examples show, the entire business by not taking security seriously.
Chapter 3 – The Myth of Total Security
There is no such thing as total security; it’s a myth up there with the Loch Ness Monster and Bigfoot. A determined hacker with the right skills and patience can find an “attack vector” (way in). As most vulnerabilities are caused by the human element, errors caused by staff, it can be very difficult to totally erase any risk. However, with your technology the model to adopt is the “most secure house on the street” model.
My House is Safer Than Your House
When you secure your home there are many tactics to adopt: you could have a dog, an alarm, a security guard, fences, razor wire, circling drones and all manner of CCTV and monitoring sensors. However, in reality you only need more security than your neighbours: a dog and CCTV, or an intruder alarm. Burglars (hackers) may cruise your neighbourhood (server) and scan your house (website) for ways to gain access, but ultimately if your neighbour’s house is easier to gain access to then the bad guys may look to find their way into an easier target. Like all things, don’t just have good security, you should also live in a more secure community! Don’t just secure your website, make sure your entire server is secure. You don’t have to go overboard, you just need to ensure peace of mind with a good “Plan A” and make a “Plan B” should your security fail.
Plan A – pro-active security ideas
Here are some questions to ask when securing your business online. Much will depend on the services you use and offer, but the areas to review are usually quite obvious and, relatively speaking, simple to think about securing.
- Website logins – are you using HTTP with login forms?
- Website forms – do you request customer name/email?
- Have you removed your website set up files? Often overlooked.
- Payment & shopping basket, are customers protected?
- Are server control panel logins restricted?
- Are FTP logins secured and locked down?
- Are email accounts using secure passwords?
- Do you have a policy to update passwords regularly?
- Do you send/receive passwords via email? (unsafe!)
- When did you last review your website logins/users/admins?
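The first two questions in the list above can be checked mechanically. As an added example (not part of the original white paper), this Python script parses a page's HTML and flags any form collecting a password, name or email that is served or submitted over plain HTTP; the field-name hints, the function name `find_insecure_forms` and the `shop.example` sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field types and name fragments treated as sensitive (assumption for this example).
SENSITIVE_TYPES = {"password", "email"}
SENSITIVE_NAME_HINTS = ("name", "email", "card", "pass")

# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """
<form action="/search"><input type="text" name="q"></form>
<form action="/login" method="post">
  <input type="text" name="username"><input type="password" name="pw">
</form>
<form action="http://shop.example/subscribe" method="post">
  <input type="email" name="contact">
</form>
"""

class FormCollector(HTMLParser):
    """Collects each <form> with its action and the sensitive fields inside it."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            ftype = a.get("type", "text").lower()
            fname = a.get("name", "").lower()
            if ftype in SENSITIVE_TYPES or any(h in fname for h in SENSITIVE_NAME_HINTS):
                self._current["fields"].append(fname or ftype)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_insecure_forms(page_url, html):
    """Return findings for forms that collect sensitive data without HTTPS."""
    parser = FormCollector()
    parser.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if not form["fields"]:
            continue  # e.g. a search box: nothing sensitive collected
        # An empty or relative action resolves against the page's own URL.
        target = urljoin(page_url, form["action"])
        reasons = []
        if not page_is_https:
            reasons.append("page served over HTTP")
        if urlsplit(target).scheme != "https":
            reasons.append("form submits over HTTP")
        if reasons:
            findings.append({"target": target, "fields": form["fields"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_insecure_forms("http://shop.example/", SAMPLE_HTML):
        print(finding)
```

Note the second case it catches: a page served over HTTPS can still contain a form whose action points at an `http://` address, so the padlock on the page alone does not prove the submission is protected.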
Many attacks happen when ex-employees leave and their login details remain on systems and websites. Make sure you review all your current staff access details regularly, remove all ex-employees, consultants and other test accounts, and update to very secure passwords. Google offers this advice for generating passwords:
- Use a unique password for different accounts
- Use a mix of letters, numbers, and symbols
- Don’t use personal information or common “dictionary” words
- Ensure backup password options are up-to-date and secure
- Keep your passwords secure at all times
Passwords are more secure when using:
- numbers = 1,2,3,4,5,6,7,8,9,0
- symbols = $£^&*#@”!
- UPPER & lower case characters
- Longer is better, use over 12 characters
A good password (and no we do not use this anywhere) would be
Yes, that is not very memorable BUT it is SECURE, and it makes it hard for someone to guess your password or “brute force” crack it (brute force uses software to work through every conceivable permutation). You then need some kind of password manager, and then a policy to ensure regular updates. Even with just a handful of accounts and a handful of employees it can get messy quickly, so make sure you work through the policy and evolve it as required.
Plan B – “aah Crapola…” for when it goes wrong
What happens when your best efforts are not good enough? What do you do now? Here are some questions to help you think about planning for the unthinkable.
- Do you have access to a recent backup?
- Do you have technical support to help you?
- Can you recover within 24 hours?
- Do you back up emails?
- Do you have backups of your cloud files?
- Do SaaS service providers have a recovery policy?
- What is that SaaS recovery policy?
- Do you own your own domain name?
- What happens if your web host goes out of business?
- Do you have a suitable technician on hand to fix everything?
Points to Address When Creating a Security Policy
To ensure you are suitably protected against the worst-case scenario, here are some points to think about when creating your own security policy to future proof and secure your business online.
- Appoint someone to create a security policy.
- Ensure you review all aspects of data security, that includes who “touches” all customer records and why.
- If using online services make sure you are connecting to them using HTTPS, a green padlock should appear in your browser address bar.
- Your website should be hosted securely and use HTTPS to secure and future proof customer sessions.
- Back up your website at least once a week, better still once a day.
- Check the “uptime” of your website – any downtime could indicate a hack or attempted hack.
- Record load speed; a significant slow-down could indicate the start of a DDoS attack or injection of malware into your database.
- Clean and archive old data from your database, including old customer records and post revisions, deactivated plugins and other unused code. Old data could compromise the site; look at the example of TalkTalk above.
- Become vigilant of the global threat level: here is a real-time “attack map” for you to review – http://map.norsecorp.com
- Ensure your web host regularly updates their server software and uses firewalls and malware protection.
- Who else shares your server? Many people do not know that they share server space with thousands of other websites, many of which could be targets for hackers. We recently scanned a server on behalf of a Church and discovered that it shared hosting with a Thai Lady-Boy bar and a Manchester “massage parlor”. Whilst the traffic doesn’t overlap, hackers may attempt to gain access to these other sites for many reasons and either take the server down or try to hack other websites to gain control of the server.
It is paramount that you have a security policy and recovery plan. If you are trading online then it is clear that your web hosts form an important part of your overall security plan; otherwise you cannot truly participate in the “secure economy” with peace of mind.
How to Choose the Right Website Host?
Review your web hosting. You need a website that delivers your business activities and is secure, reliable and online 24/7. Your host also has to take ongoing security updates seriously and should be overt in its implementation of secure practices for customer peace of mind, but hide the specifics of any internal policies. Backups of your data should be accessible, local as well as online, and the recovery plan should be known to you and your team as well as any third-party providers. Plus it has to be fast, so consider the geo-location of the servers: the closer to your target audience, the quicker (in theory) the web server responds to requests for your website.
Winners in the secure economy will not shy away from moving fast, moving early and taking steps to implement fixes the moment they discover a need for the security update. Winners will also partner with others who can advise and guide them and become trusted partners.
Chapter 4 – A Bright Shiny Future
The Secure Economy is here, whether you are prepared for it or not. It is clear that those who are early adopters are not only future-proofing and securing themselves from the rising threats online but are also benefiting financially right now from increased trust in the market place. Because many of the changes suggested previously can be implemented very quickly with the right choice of partner, there is really no excuse, no matter what size business you are.
Web hosting is one area that many businesses are totally oblivious to; they simply have whatever hosting their web developer or web designer has shoved them on, with no thought as to how that affects them online.
What is the Best Web Hosting?
Reseller hosting is the dominant hosting platform used by developers and designers. Why? It is a stack-it-high and sell-it-cheap model where web hosts offer devs and designers packages that promise “unlimited” hosting for less than a hundred pounds a month. Now any serious business realises that this sales tactic requires volume to succeed, and indeed the resellers do push through a lot of volume, but as stated it is not uncommon for 1000+ websites to exist side-by-side on a server. Not good for security, speed or future growth.
The best hosting is a dedicated server, which is expensive for a business to consider for a single, simple website. However, it does offer unique advantages, with customisation and more flexibility for your business as well as fewer websites sucking up server resources. The drawbacks are not only the cost; you may also require a member of staff to ensure this server is maintained. All of this is a costly prospect for a small business with one website; however, having the best does cost.
There are also Virtual Private Servers (VPS), which are an intermediate step, but these too can be costly to run and use. With recent improvements in server technology and costs dropping, it is almost as cost-effective to run a full dedicated server as a VPS, depending on various factors.
Mister Metric has decided on a hybrid model: a dedicated server with a limited number of websites hosted on it, monitoring resources and balancing loads to accommodate the individual requirements. We then carry the IT staffing overhead and infrastructure costs, and our customers get top quality, secure hosting that can be tuned and tweaked to their needs without the overall cost impact and time drain.
With such a model you get the right resources delivered with secure support and scalable infrastructure for your business as its needs change online, as well as security updates and advice on what your business should do to secure customers online. We see this as the best model moving forward.
If you wish to get the full White Paper and see the final Chapter 5 then Click Here and download “What is the Secure Economy & How Does it Affect Your Business?” on our Learning Library. The full White Paper PDF has much more detail on the topic of online security for your business.
There is a lot above to think about and take in, but if you have any questions about your website hosting and being a part of the secure economy then please do get in touch. Try our simple website test on the homepage www.mistermetric.com and assess the fundamental elements of your hosting, site speed and website security that need reviewing. If there is anything in the above information you need help with then please contact us; we’re here to help. Feel free to call us and discuss your issues on 01420 398080.
And if you wish to peruse our hosting packages then please click here for Business Class Website Hosting