If there is one myth about cybersecurity that we hear regularly and that absolutely needs to be busted, it is this one: “Why would anyone attack us? We’re too small, too young, no one knows us, we have nothing online… We’re not interesting to hack.”
Christmas is right around the corner and the winter sales are close behind. Online shopping is about to peak. Your banners, packaging and special offers are ready, but have you thought about your website’s security? We won’t remind you to install updates and patches or to watch for suspicious activity (you are already doing that); instead we concentrate on three elements that protect your customers’ data and reassure them about your security level.
1/ HTTPS certificate
Using HTTPS is indispensable for an e-commerce website. Users expect to see the well-known padlock on pages where they enter their information. Many people rely only on a URL starting with HTTPS and the padlock to judge whether a website is trustworthy.
However, malicious hackers know this too, and now set up phishing websites with a valid HTTPS certificate to deceive users. A study by PhishLabs estimated that in the third quarter of 2018, 49% of phishing websites used an HTTPS certificate. The padlock only tells the visitor that the connection to the server named in the address bar is encrypted and that this server holds a certificate for that exact name; it says nothing about who operates the site or whether the name is the one they meant to visit.
(We explain here how to identify suspicious emails and avoid phishing attacks, which can be tricky even for experienced users.)
Digital technologies offer great possibilities for the everyday life and for businesses. Websites, emails, applications, connected devices…
But if business people enjoy digital tools as an opportunity for their activities, imagine how much happier malicious hackers are.
Direct attacks, phishing, interception of information, data theft… So many possibilities from their point of view, since the growing use of digital technologies makes the attack surface grow too.
What can you do to protect your activity from malicious hackers’ attacks? Have you heard of ethical hacking?
Companies’ digitalisation: a buzzword or a real opportunity? According to the European Commission, 62% of the French population buys online, whereas only 16% of French companies sell online (1). This figure clearly underlines the “digital” opportunity French companies have. Whether it is a showcase website, an online sales platform or local marketing, each option is an opportunity and a competitive advantage over companies that do not dare to digitalise their business.
Digital marketing agencies, freelancers specialised in e-commerce, CMS platforms: there are many offers to facilitate the creation of a website. Competition on this market is fierce and price is often the decisive factor for SMBs wishing to have their own sales platform. However, even if the delivered website meets the customer’s expectations in terms of functionality or design, it shouldn’t stop there, as the risk of a website being hacked is high (even for “small” websites).
What about cybersecurity?
For companies that decide to work with external web professionals (freelancers or agencies), it is necessary to understand what the preparation and construction of a website worthy of the name implies. This means setting up a budget to invest in the website’s construction. Its “size”, functionality, design, maintenance fees (the updates the website will need) and also cybersecurity will all have an impact on the overall budget. Cybersecurity is too often left out in order to offer cheaper prices, and yet it is a major issue.
It is crucial to understand that being a web developer, however good, does not necessarily mean being an expert in cybersecurity. The two are distinct jobs requiring very different skills. Understanding this distinction prepares you to question your developers on the topic. What security guarantees can they provide? Have they planned security audits? Who is liable if the website gets hacked? This is where the issue lies: if security is not mentioned in the technical specifications or in the maintenance contract, then the responsibility is yours when you get hacked.
Security is now part of procurement checklists within companies (especially large ones) when buying a software solution.
What security commitment can be given to them? How can a software security process be promoted?
Achieving a certification is a recognised way to show the security level of a software company. There are plenty of standards: ISO 27001 (information security management), PCI DSS (payment card data security)… Each is more or less appropriate to a specific industry or geographical area.
Starting a certification process is a heavy, long-term project, and its impact on your products can be significant. If no security certification is compulsory to operate in your industry (unlike the payment industry), whether to start such a process depends on your company’s maturity: it is better suited to mature companies than to startups.
Furthermore, partial compliance with a standard can be a viable alternative to full compliance: a compromise that still gives value to your security efforts, even if it does not result in certification. Security professionals (like Vaadata) can assist you in that kind of process.
Big Data has a huge impact on marketing, with powerful technologies for collecting, organising and processing huge amounts of data. It allows online advertising to become friendlier and more personal for digital consumers. But it also increases companies’ responsibility for the security of data collected on such a massive scale.
Marketing teams are usually in charge of processing this data, while IT departments are responsible for security. So can marketers working on sensitive data unintentionally put their own companies at risk?
If you have a website, you have probably heard of HTTPS. It is the web’s data exchange protocol, HTTP, carried over an encrypted TLS connection. Is it necessary for your website? Read the following lines and make your own judgement.
How does HTTPS work?
HTTPS authenticates the website and web server you are communicating with: the server presents a certificate for its domain name, issued by a certificate authority your browser trusts, and proves it holds the matching private key. This protects against man-in-the-middle attacks (a common type of cyber attack), in which an attacker sits between you and the site and impersonates it.
HTTPS also encrypts communications in both directions between client and server, so a third party observing the traffic cannot read its contents, and since TLS authenticates every record as well, cannot tamper with it unnoticed. What remains visible to an observer is the fact that you are talking to that server, its domain name and the volume of traffic, not what is exchanged.
Here is a simple example for a traveller who is using an online hotel booking website with a login and password:
If the website does not use HTTPS, the login and password travel in plaintext. If the traveller uses a public internet connection (such as a Wi-Fi hotspot), anyone on the same network can intercept them and reuse them.
If the website uses HTTPS, the login and password are encrypted before they leave the browser, so someone intercepting the traffic cannot read them.
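The explanation above covers what HTTPS protects on the wire; for the site operator the practical question, also raised in the “HTTPS certificate” section, is making sure the login form and the session cookie can never travel over plain HTTP at all, because the first request a user types is usually http://. The following Python example is added here and is not code from the original article. It shows the three server-side controls that enforce this: redirecting every http:// request to the same URL over https://, sending a Strict-Transport-Security (HSTS) header so the browser stops using http:// for that host, and setting the Secure, HttpOnly and SameSite flags on the session cookie. It also includes a small audit helper that reports which of those flags a Set-Cookie header is missing. The hostname shop.example, the cookie name session and the minimal Request/Response objects are illustrative assumptions; in a real deployment the same logic lives in the web server or framework configuration.

```python
"""Enforcing HTTPS for a login page: redirect, HSTS and cookie flags.

Added example (not code from the original article). The hostname, paths and
the minimal Request/Response objects below are illustrative assumptions; a
real site would put these controls in its web server or framework config.
"""
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlunsplit

# One year, the value commonly required before a domain is accepted on the
# browsers' HSTS preload list.
HSTS_MAX_AGE = 31536000

# Flags the session cookie must carry; their absence is what the audit reports.
REQUIRED_COOKIE_FLAGS = ("Secure", "HttpOnly", "SameSite")


@dataclass
class Request:
    scheme: str        # "http" or "https", as established by the server's TLS layer
    host: str
    path: str
    query: str = ""


@dataclass
class Response:
    status: int
    headers: List[Tuple[str, str]]
    body: bytes = b""


def https_redirect(req: Request) -> Response:
    """Send the client to the same URL over https, keeping path and query."""
    target = urlunsplit(("https", req.host, req.path, req.query, ""))
    # 301: permanent, so browsers cache the redirect and skip the http hop next time.
    return Response(301, [("Location", target), ("Content-Length", "0")])


def hsts_header() -> Tuple[str, str]:
    """Tell the browser to rewrite http:// to https:// for this host (and its
    subdomains) for the next year, even for links the user clicks or types."""
    return ("Strict-Transport-Security",
            f"max-age={HSTS_MAX_AGE}; includeSubDomains")


def session_cookie(value: str) -> Tuple[str, str]:
    """Set-Cookie header for the session:
    Secure   - never sent on an http:// request, so a plaintext leak is impossible;
    HttpOnly - invisible to page scripts, limiting the damage of an XSS bug;
    SameSite - not attached to cross-site POSTs, which blunts CSRF."""
    return ("Set-Cookie",
            f"session={value}; Path=/; Secure; HttpOnly; SameSite=Lax")


def handle(req: Request, session_value: str = "0123abcd") -> Response:
    """Request handler: http -> redirect; https -> page with HSTS, plus a
    session cookie when the login page is served."""
    if req.scheme.lower() != "https":
        return https_redirect(req)
    headers = [hsts_header(), ("Content-Type", "text/html; charset=utf-8")]
    if req.path == "/login":
        headers.append(session_cookie(session_value))
    return Response(200, headers, b"<html><body>login form</body></html>")


def missing_cookie_flags(set_cookie: str) -> List[str]:
    """Audit helper: return the required flags absent from a Set-Cookie value.
    Attribute names are compared case-insensitively, as RFC 6265 allows."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in set_cookie.split(";")[1:]}
    return [flag for flag in REQUIRED_COOKIE_FLAGS if flag.lower() not in attrs]


if __name__ == "__main__":
    # Constructed requests, standing in for what a server would see.
    for req in (Request("http", "shop.example", "/login", "next=%2Fcart"),
                Request("https", "shop.example", "/login")):
        resp = handle(req)
        print(req.scheme, req.path, "->", resp.status)
        for name, value in resp.headers:
            print("   ", f"{name}: {value}")
    # A cookie as set by a framework with default settings, for comparison.
    print("missing:", missing_cookie_flags("session=0123abcd; Path=/"))
```

If TLS is terminated by a reverse proxy or CDN, the application only ever sees plain HTTP; the scheme used for the redirect decision must then come from a header the proxy sets and that clients cannot supply, otherwise the redirect can be bypassed. The audit helper is the check to run against your own site’s responses before the sales period: a cookie reported as missing Secure is one that a hotspot eavesdropper could capture on the first http:// request.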
Just as food or car buyers do, digital consumers need reassurance about the security of products they use.
Displaying the “country of origin”, especially for meat, has become a quality standard in many restaurants. Not labelling food can make clients run away, put off by the lack of transparency.
There is a similar trend on the Internet, focusing this time on personal and banking data. With all the scandals that have recently come to light about hacks, and data stolen and resold on black markets, security on the Internet has become a criterion of trust and success.
Communicating on security
As soon as a web application (website or mobile app) processes data, users are looking for signs of security, showing that the application is trustworthy.
This quest for signs of security is more or less conscious but, in any case, a lack of confidence results in abandoned purchases or subscriptions.
When purchasing services from a digital agency, customers are obviously looking for a return on investment.
The usual expectations concern strategy, creativity and performance. Whether it is about promoting a new product, increasing loyalty or attracting new consumers, the client is looking for real and measurable results.
Data collection is as important as ever, and on a much larger scale. The “big data” trend shows this: collected data has a very high value, since it helps big brands build new consumer profiles and study behaviours.
Risks are increasingly being taken into account
The first thing web security brings to mind is the large amount of data being collected without limit, from a simple email address to a detailed qualification questionnaire. This data is an easy and very profitable target for people who sell it on the black market. And of course, privacy is a big concern for consumers.
Big FMCG companies (such as Kellogg’s, Nestlé, J&J, General Mills…) hold a huge amount of consumer data, and each of the many websites they own is a potential entry point to that data.
Given the competition between brands and the number of organisations trying to damage them, for various reasons, FMCG companies also face a big brand protection challenge (maybe bigger than the consumer data protection one).
In addition, many of these companies, if not all, outsource the development of their websites to multiple external technical agencies, making quality and security controls more complex to handle than if everything were built in-house.