If there is one myth about cybersecurity that we hear regularly and that absolutely needs to be busted, it is this one. “Why would anyone attack us? We’re too small, too young, no one knows us, we have nothing online… We’re not interesting to hack.”
Christmas is right around the corner and winter sales are arriving too. Online shopping is planned. Your banners, packaging and special offers are ready, but did you think of your website’s security? We won’t remind you to update and install patches or to watch for suspicious operations (which you are already doing); instead, we concentrate on three elements that protect your client data and reassure your clients about your security level.
1/ HTTPS certificate
Using HTTPS is indispensable for an e-commerce website. Users expect to see the well-known padlock on pages where they give their information. Many people rely only on a URL starting with HTTPS and the padlock to judge the reliability of a website.
However, malicious hackers know this too. They now create websites with an HTTPS certificate to deceive users. A study from Phishlabs estimates that in the 3rd quarter of 2018, 49% of phishing websites were using an HTTPS certificate.
(We detail here how to identify suspicious emails to avoid phishing attacks, which can be tricky even for experienced users.)
Digital technologies offer great possibilities for everyday life and for businesses. Websites, emails, applications, connected devices…
But if business people enjoy digital tools as an opportunity for their activities, can you imagine how much happier malicious hackers are?
Direct attacks, phishing, intercepting information, stealing data… So many possibilities from their point of view, as the growing use of digital technologies makes the attack surface grow too.
What can you do to protect your activity from malicious hackers’ attacks? Do you know about ethical hacking?
Security is now part of procurement checklists within companies (especially large ones) when buying a software solution.
What security commitment can be given to them? How can you promote a software security process?
Achieving a certification is a must to show the level of cyber security of a software company. There are plenty of standards: ISO 27001 (for information security management), PCI-DSS (for payment data security)… Each one is more or less appropriate to a specific industry or a specific geographical area.
Starting a certification process is quite a heavy and long-term project. It is also worth noting that the impact on your products can be significant. If there is no compulsory security certification for running a business in your industry (unlike the payment industry), starting such a process depends on your company’s maturity: it is recommended for mature companies rather than startups.
Furthermore, reaching partial compliance with a standard can be a viable alternative to full compliance. This is a compromise that gives value to security efforts, even if it does not result in certification. Security professionals (like Vaadata) can assist you in that kind of process.
Big Data has a huge impact on marketing with powerful technologies for collecting, organizing and processing huge amounts of data. It allows online advertising to become more friendly and personal for digital consumers. But it also increases the responsibility of companies towards the security of the massively collected data.
Marketing teams are usually in charge of processing this data, while IT departments are responsible for security-related topics. However, can marketers working on sensitive data unintentionally put their own companies at risk?
If you have a website, you have probably heard of HTTPS. It is a data exchange protocol on the Internet. Is this necessary for your website? Please read the following lines and make your own judgement.
How does HTTPS work?
HTTPS provides authentication of the website and associated web server that one is communicating with, which protects against man-in-the-middle attacks (a common type of cyber attack).
HTTPS also provides bidirectional encryption of communications between a client and server, which ensures that the contents of communications between the user and site cannot be read by any third party.
Here is a simple example for a traveller who is using an online hotel booking website with a login and password:
If the website does not use HTTPS, the login and password are not encrypted. If the traveller uses a public internet connection (such as a Wi-Fi hotspot), the data can be intercepted and re-used by malicious persons.
But if the website uses HTTPS, the login and password are encrypted, which means that they cannot be read by people who would intercept the data.
Just as food or car buyers do, digital consumers need reassurance about the security of products they use.
Displaying the “country of origin”, especially for meat, has become a quality standard in many restaurants. Not labelling food can make clients run away, frightened by the lack of transparency.
There is a similar trend on the Internet, focusing this time on personal and banking data. With all the scandals that recently came to light about hacking and data stolen and resold on black markets, security on the Internet has become a criterion of trust and success.
Communicating on security
As soon as a web application (website or mobile app) processes data, users are looking for signs of security, showing that the application is trustworthy.
This quest for signs of security is more or less conscious but, in any case, a lack of confidence results in shopping or subscription dropouts.
When purchasing services from a digital agency, customers are obviously looking for a return on investment.
Normal expectations are on strategy, creativity, performance, return on investment. Whether it is about promoting a new product, increasing loyalty, or attracting new consumers, the client is looking for real and measurable results.
Data collection is as important as ever, and much bigger in scale. We can see this with the “big data” trend: collected data has a very high value, since it helps big brands develop new consumer profiles and study behaviors.
Risks are increasingly being taken into account
The first thing web security makes people think about is this large amount of data being collected without any limit, from the simple email address to the complex qualification questionnaire. This data is an easy and very profitable target for people selling it on the black market. And of course privacy is a big concern for consumers.
Big FMCG companies (like Kellogg’s, Nestlé, J&J, General Mills…) hold a really huge amount of consumer data, and the multiple websites they possess are just as many potential threats to that data.
Considering the competition between brands and the number of organizations trying to damage them, for various reasons, FMCG companies also face a big brand protection challenge (maybe bigger than the consumers’ data protection one).
In addition, many of these companies – if not all – outsource the development of their websites to multiple external technical agencies, making the quality and security controls a bit more complex to handle than if everything were home-made.
Google makes a lot of companies aware of web security in a snap.
How? By making HTTPS a ranking criterion!
“HTTPS, what is it? How does it work?”
Looking at the reaction to Google’s announcement, we quickly notice a lack of knowledge of web security basics among web professionals and website owners. Pretty scary when you know the threats and sensitivity of information transmitted over the Internet.
Google had the key to bring some aspects of web security to the forefront
The top priorities for webmasters, digital agencies and website owners are always the same: those with which a clear return on investment can be quantified or perceived. Ergonomics, design, SEO, ads… Investing in security is a bit like buying an insurance policy: you don’t always see the result once the investment is made, so you often put it aside.
By including HTTPS in the ranking criteria, web security (or at least HTTPS…) becomes a subject of growing concern for many people.