By Ken Pang // 14 January 2009 // Related Categories: Security
Recently we discussed some of the risks that small businesses face when they open up their business to the Internet. These risks included being defrauded, blackmailed, and having sensitive data stolen.
Fortunately, small businesses don't need bank-grade or military-grade security to avoid becoming victims of such attacks. With a few simple precautions, a small business can substantially increase its protection against these attacks, hopefully sending the hackers on to easier targets. These preventative measures do not require security specialists to implement, but some of them do require a degree of technical expertise.
As a small business owner connected to the Internet, you might want to consider whether your company has taken these few basic steps:
- Get a firewall and change its administrator password from the manufacturer's default (and don't pick one that is easy to guess - like your company name!). A firewall ensures that anyone outside your network can only reach the services and applications you choose to expose. If your website lives somewhere other than your own computer network (e.g. it is 'hosted' by another company), contact the hosting company, tell them that you only want web and mail services reachable from the Internet, and ask them to confirm that all other management services (remote administration, file transfer and the like) and databases are accessible only to you (or your nominated web developer). If you can, check this yourself from a connection outside your office: only the web and mail services should answer. Some hosting companies do not secure your website at all, which may allow hackers to read your customer information. In one known case the hosting company left the password blank, allowing anyone full access to both read and change the customer's website.
- Ensure that your operating systems (e.g. Windows) and anti-virus software (e.g. Norton) are kept up-to-date. This is a very simple security precaution but it prevents most security attacks. Most self-spreading viruses and worms take advantage of known loopholes in software (called vulnerabilities), and they prey on users who have not yet installed the patches that close them; the rest rely on tricking the user into running them, which is what the next point is about. Ensure that Windows Update is set to automatic - Windows XP and Vista will keep reminding you every time you start your computer if you don't - don't ignore their warnings! It's important to know the difference between real warnings and fake warnings. Attackers are now taking advantage of people's genuine concern with security to pass off viruses and spyware as "security patches", complete with fake security warnings. With attackers getting more sophisticated it is increasingly difficult to tell which security warnings are real. Some tips:
  - Genuine warnings will generally not require you to download anything from a web page. Windows and most anti-virus updates happen invisibly in the background after asking for simple permission to do so.
  - Fake warnings will generally appear when you either first visit, or leave, a website, whereas genuine warnings will occur when you first turn on your computer - before you open your web browser.
  - Genuine warnings generally appear in the bottom right-hand corner of your screen, linked with one of the icons you see regularly, and will generally be non-intrusive or fade with time. Genuine warnings will generally allow you to "postpone" or "delay" the update action. Fake warnings generally appear right in the middle of your screen, insisting that you cannot proceed without taking action.
- Do not retain your customers' credit card details if you do not have to. It is much safer to let your bank do the work instead of processing the credit card payment yourself. The process is simple, and any competent web developer should be able to integrate it with your eCommerce site. Put simply, you send an order number and a dollar value to the bank; the bank takes the customer's credit card details, processes the payment and sends you back your order number and a statement of whether the payment succeeded. You never see the credit card number, so it can't be stolen from you: it's not possible to steal information you're not keeping. One caution: when the bank's answer comes back, check that the order number and the amount it reports match your own record of the order before you treat the order as paid, and never rely on a "payment successful" page that the customer's browser brings back on its own.
- Test your eCommerce software regularly. If you bought a custom system you may have to pay for a custom security test as well. Many reputable security firms also offer ethical hackers (penetration testers) to test your custom software. However, if you used off-the-shelf software it is simple to search for known vulnerabilities via Google. For example, if you set up your shopping cart software using "Acart", searching for "Acart Vulnerabilities" will bring up a list of known vulnerabilities for that software. You can then check whether your eCommerce site may be affected by each vulnerability. As a bonus, the vulnerability advisories quite often tell you how to fix the problem, usually by upgrading to a fixed version.
- Strengthen manual processes. When all other technological measures fail it is still possible to catch attacks through rigorous manual processes. For example, ensure that the packing slip or invoice is printed with the amount paid, and manually check that amount against the order before the package is shipped. Also ensure that every order can be matched with a payment, so that you notice if your payment system has been compromised. This can be as simple as writing the order number on the box and then crossing it out in the morning once the payments have been confirmed. With most electronic payment systems confirming settled payments overnight, this extra step shouldn't affect the speed of your deliveries.
- Ensure that client details are managed on a "need to know" basis. Approximately 70% of all identity thefts from retailers are by employees (Michigan State University Study, 2007). By ensuring that only the people who absolutely need your clients' personal details can get hold of them, you help protect your clients and yourself from embarrassing confidentiality breaches. In practice that means a separate login for each staff member, access limited to what each role needs, and access removed promptly when someone changes role or leaves.
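To make the hosted-payment point and the "match every order with a payment" point concrete, here is an added example that is not code from this article and not any real bank's interface. It simulates the flow described above (the shop sends only an order number and an amount; the bank takes the card details and reports back) and the morning reconciliation of orders against the bank's settlement records. The bank's reply format and its HMAC-SHA256 signature over the reply fields are assumptions made for illustration, as are the shared secret, the field names and the sample orders and settlement records, which are constructed.

```python
# Added example, not code from the original article or any real bank's API.
# ASSUMED for illustration: the bank signs its reply with HMAC-SHA256 over the
# reply fields using a secret it shares with the merchant. Real gateways differ.
import hashlib
import hmac
from decimal import Decimal

SHARED_SECRET = b"secret-issued-by-the-bank"  # assumed; would come from the bank's merchant portal


def sign(fields):
    """Assumed signing scheme: HMAC-SHA256 over 'key=value' pairs sorted by key."""
    message = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SHARED_SECRET, message, hashlib.sha256).hexdigest()


def payment_request(order_id, amount):
    """Everything the shop hands to the bank. Note: no card number anywhere."""
    return {"order_id": order_id, "amount": str(amount), "currency": "AUD"}


def bank_reply(order_id, amount, status):
    """Stand-in for the bank: it reports what it actually charged, and signs it."""
    reply = {"order_id": order_id, "amount": str(amount), "status": status}
    reply["sig"] = sign(reply)
    return reply


def verify_bank_reply(reply, orders):
    """Trust a reply only if the signature, order number and amount all match
    the shop's own record. The amount check matters: an 'approved' reply for
    $2.00 must not release a $20.00 order."""
    unsigned = {k: v for k, v in reply.items() if k != "sig"}
    if not hmac.compare_digest(sign(unsigned), reply.get("sig", "")):
        return (False, "bad signature")
    order = orders.get(reply.get("order_id"))
    if order is None:
        return (False, "unknown order")
    if Decimal(reply["amount"]) != order["amount"]:
        return (False, "amount mismatch")
    if reply["status"] != "approved":
        return (False, "payment declined")
    return (True, "ok")


def reconcile(orders, settlement):
    """The morning check: every order must have a settled payment of the right
    amount before the box leaves the building. Returns the orders to hold."""
    settled = {p["order_id"]: Decimal(p["amount"]) for p in settlement}
    problems = []
    for order_id, order in orders.items():
        if order_id not in settled:
            problems.append((order_id, "no settled payment"))
        elif settled[order_id] != order["amount"]:
            problems.append((order_id, f"settled {settled[order_id]} for an order of {order['amount']}"))
    return problems


# Constructed sample data: three orders and the bank's overnight settlement file.
ORDERS = {
    "1001": {"amount": Decimal("149.95")},
    "1002": {"amount": Decimal("20.00")},
    "1003": {"amount": Decimal("75.50")},
}
SETTLEMENT = [
    {"order_id": "1001", "amount": "149.95"},
    {"order_id": "1002", "amount": "2.00"},   # far less than was ordered
    # 1003: no payment arrived at all
]

if __name__ == "__main__":
    print("to bank:", payment_request("1001", Decimal("149.95")))
    print("genuine reply:", verify_bank_reply(bank_reply("1001", "149.95", "approved"), ORDERS))
    forged = bank_reply("1003", "75.50", "approved")
    forged["sig"] = "0" * 64  # a customer fabricating a 'payment successful' page
    print("forged reply:", verify_bank_reply(forged, ORDERS))
    print("wrong amount:", verify_bank_reply(bank_reply("1002", "2.00", "approved"), ORDERS))
    for order_id, reason in reconcile(ORDERS, SETTLEMENT):
        print("HOLD shipment", order_id, "-", reason)
```

Run as a script it shows the three outcomes the article cares about: a genuine reply is accepted; a reply the customer fabricated fails the signature check; a reply the bank really did sign, but for $2.00 against a $20.00 order, fails the amount check even though it says "approved". The `reconcile` step then catches both the short payment on order 1002 and the missing payment on order 1003, which is exactly what the "cross the order number off the box in the morning" routine does by hand.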
With these simple but effective security controls y