Secure Your Data
How secure is your data? With the recent spate of Anonymous hacking, more and more companies are asking this question. It seems important, but many companies treat data security as an afterthought. Companies appear to spend a lot of time securing their systems but not much time securing their data. Web-based solutions generally require users to log in and have password requirements, but many of those passwords are stored in plain text in a database. Is data security just too expensive for small businesses? Is it too hard?
I have worked on projects for many companies over the years. We would spend months on requirements, months on user flow and months on user interfaces. When I would bring up security, eyes would glaze over and people would act like it was some annoying technical detail not worthy of their time. When your business is on the web your most valuable asset is data! You use data to bill, acquire, service, and market to customers. Protecting it should be as important as what your website looks like and how a user will get from point A to B.
Securing your user data is not overly complex or expensive. It is far less expensive than buying credit protection for all the customers whose data got stolen when your database gets hacked. There are a couple of easy things that your small business can do to step up security and make it much harder for hackers to get access to your customers’ data. If your business is not doing these things then contact us today for a free consultation and learn how to get started.
- Do not store passwords in plain text.
If your business is storing passwords in plain text then you have already lost. The rest of these recommendations probably won’t matter. Encryption or hashing is a must for password data.
- Do not store credit card data.
Most professional credit card clearing companies will provide services so that you do not have to store credit card data. Payment profiles and recurring transaction codes will allow the payment gateway to securely store credit card information so you don’t have to. Customers can still have payment information on file and your business is not responsible for securing that data. The best of both worlds.
If you absolutely must store credit card information then encryption and hashing are a must. Hashing alone is simply not enough. It takes under a minute to crack an industry-standard hash using any of the hundreds of programs available by Googling "hash cracker".
- Use separate database user accounts and secure connection strings.
Many applications use a single database user (the account that the application uses to access that database). In many cases this user is an administrator with full access to the database. A database administrator can select all data, delete data and wreak havoc on your database. A better solution would be to use a specific user account that has limited permissions to access your database.
Many connection strings are stored in plain text on the server. This is just lazy. In .NET there are simple utilities to encrypt and secure these connection strings. Other languages have similar utilities. Plain text is fine for development but production strings should be secured.
These are just the baseline things that your business can do. More advanced security options are available and can be implemented with minimum cost and effort. Security may not be the driving factor in acquiring clients but a lapse in security will make it impossible to keep the clients you have. There is no such thing as 100% secure. Anything can be hacked with enough effort and time. That doesn’t mean your business should be an easy target. DataFive can help secure your data and prevent you from becoming a headline.