LAYER YOUR SECURITY

A website needs a total security architecture, i.e. security that exists in a number of layers — from the web server, to the applications, to the database, and to the extensions to other subsystems. Most brick-and-mortar businesses will have some kind of security program already installed, but, in all probability, it is not up to date. And if any part of the security architecture is not working as planned, then your whole security set-up is vulnerable.

Unfortunately, some e-commerce businesses mistakenly use security tools, techniques, and strategies that cannot withstand sophisticated security attacks. Their websites are open invitations to hackers to break into their networks (many times without the business owner even being aware that there was a break-in). Once inside, hackers can steal money (from the business’s merchant account), products (by placing fraudulent orders), and sensitive information including customer identities (by obtaining access to the business’s databases). Once inside your network, cybercriminals can also commit crimes against other merchants by using the hacked network as their launching pad. But you can minimize your risk by implementing some of the many security solutions available that provide efficient data sharing without compromising the confidentiality, availability, and integrity of the data.

Limit outside access. This is the first line of defense for any website. Some methods for accomplishing this are:

  • Firewalls.
  • User account security.
  • Software security.
  • Additional protection for sensitive data.

Protect your web server. The second line of defense is optimizing your web server so that it can resist most hacker attacks. For instance, you must install antivirus software.

Implement monitoring and analysis solutions. The next line of defense is putting into place routine monitoring and, if your budget allows, analysis systems so that you know who and what is connecting to your systems and interacting with your servers. At a minimum, you should install log analysis software (see Chapter 8) that will allow you to monitor system logs and network traffic for anomalies. Simple log analysis software allows you to identify attempted security breaches and possibly to track their origin.

Better yet, if your budget allows, get a good monitoring system that enables you to analyze internal and external firewall activity and identify attempted security breaches. There are high-end security monitoring solutions available that can detect and resolve security vulnerabilities in your web-based business’ systems either on demand or at regularly scheduled intervals. Look at www.webtrends.com and www.pgp.com to give you an idea of what is available in the way of security suites.
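
As an added illustration of the simple log analysis described above (this is not code from the book), the following Python example scans web server access-log lines and reports client addresses that produce a burst of denied requests, which is one way to identify attempted breaches and track their origin. The common log format, the threshold of 5 denials, the one-minute window, and the sample log lines are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed input: Apache/NCSA common log format (combined-format lines also match).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
DENIED = {"401", "403"}  # authentication failed / access forbidden

def find_suspects(lines, threshold=5, window=timedelta(minutes=1)):
    """Return ({ip: peak denied requests inside one window}, malformed_count).
    Lines must be in time order. Unparseable lines are counted so a damaged
    or tampered log is noticed rather than silently skipped."""
    recent = defaultdict(deque)   # ip -> timestamps of recent denied requests
    peak = defaultdict(int)
    malformed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            malformed += 1
            continue
        if m["status"] not in DENIED:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:      # drop entries older than the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}, malformed

def build_sample_log():
    """Constructed sample data; addresses come from documentation ranges."""
    fmt = '{} - - [10/Mar/2024:{} +0000] "{}" {} 512'
    log = [fmt.format("203.0.113.7", f"13:55:{s:02d}", "POST /login HTTP/1.1", 401)
           for s in range(0, 30, 5)]                       # 6 failures in 25 s
    log.append(fmt.format("198.51.100.20", "13:56:01", "POST /login HTTP/1.1", 401))
    log.append(fmt.format("198.51.100.20", "13:56:09", "POST /login HTTP/1.1", 302))
    log += [fmt.format("192.0.2.4", f"{h:02d}:00:00", "GET /admin HTTP/1.1", 403)
            for h in range(14, 19)]                        # 5 denials, hours apart
    log.append("truncated line")                           # damaged entry
    return log

if __name__ == "__main__":
    suspects, malformed = find_suspects(build_sample_log())
    print(suspects, "malformed lines:", malformed)
```

A customer who mistypes a password once and a client whose denials are spread over hours both stay below the threshold; only the concentrated burst is reported, together with the count of lines that could not be parsed.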

Encryption. Then follow through with the next line of defense — encryption. This refers to a system that uses encoding algorithms to construct an overall mechanism for sharing sensitive data. Encryption is the security cornerstone for most e-commerce sites.

Use a Web-hosting Service. The last line of defense is to consider using a web-hosting service — a good hosting service will have the financial means to provide the resources for truly effective website security. These businesses provide a professional staff that has the skill and wherewithal to keep abreast of the latest news and technology updates as well as the ability to implement fixes and upgrades at a moment’s notice.



The Complete E-Commerce Book, Second Edition: Design, Build & Maintain a Successful Web-based Business
ISBN: B001KVZJWC
Year: 2004
Pages: 159
