Jamie Stallwood, Security Specialist, comments on the importance of IT security to online business
When it comes to doing business online, you can never be 100 per cent secure all of the time but there are simple things that companies can do to help manage the threat to their data. All businesses should be working towards this basic security model in order to limit the extensive damage that can occur if there is a security breach.
When setting up a website that will hold customer information or carry out ecommerce, businesses need to strike a fine balance between usability and exposure to threats. The focus tends to be on developing a usable and customer-friendly site. However, from a security perspective, this means that more data would be exposed to a hacker, increasing the opportunity for identity theft – not to mention the possible damage to the company’s reputation if the site is hijacked.
For SMEs whose card payment processing is done externally, the main way to reduce the risk is by keeping the information that is accessible online to a minimum. This can be achieved by asking customers to provide just enough detail to identify and authenticate them – a robust username and password should be sufficient. The more detailed and sensitive data is then stored separately, only accessible internally rather than on the web.
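The separation described above, as an added example that is not from the original commentary: the web-facing store holds only a username, a salted password hash and an opaque customer reference, while card and address details live in an internal store keyed by that reference. The class names, field names and sample customer data are constructed for this illustration; the point it demonstrates is that a dump of the web-facing store yields nothing an identity thief can use directly.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed for this example: what the web-facing store must never contain.
PBKDF2_ROUNDS = 200_000
SENSITIVE_FIELDS = {"card_number", "card_expiry", "billing_address", "date_of_birth"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class WebFacingStore:
    """Reachable from the website: username -> salt, password hash, opaque customer reference."""

    def __init__(self):
        self._accounts = {}

    def register(self, username: str, password: str) -> str:
        if username in self._accounts:
            raise ValueError("username already taken")
        salt = secrets.token_bytes(16)
        # Opaque handle: meaningless to anyone without access to the internal store.
        customer_ref = secrets.token_hex(8)
        self._accounts[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "customer_ref": customer_ref,
        }
        return customer_ref

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Return the customer reference on success, None otherwise."""
        record = self._accounts.get(username)
        if record is None:
            # Run the KDF anyway so an unknown username takes as long as a wrong password.
            hash_password(password, b"\x00" * 16)
            return None
        candidate = hash_password(password, record["salt"])
        if hmac.compare_digest(candidate, record["pw_hash"]):  # constant-time comparison
            return record["customer_ref"]
        return None

    def exposed_fields(self) -> set:
        """Every field name an attacker would obtain by dumping this store."""
        fields = set()
        for record in self._accounts.values():
            fields.update(record.keys())
        return fields


class InternalCustomerStore:
    """Back-office only: the sensitive detail, keyed by the opaque customer reference."""

    def __init__(self):
        self._customers = {}

    def put(self, customer_ref: str, details: dict) -> None:
        self._customers[customer_ref] = dict(details)

    def get(self, customer_ref: str) -> dict:
        return dict(self._customers[customer_ref])


def web_store_leaks_sensitive_data(store: WebFacingStore) -> bool:
    """True if compromising the web-facing store would expose any sensitive field."""
    return bool(store.exposed_fields() & SENSITIVE_FIELDS)


def demo():
    """Register one constructed customer and split their data across the two stores."""
    web = WebFacingStore()
    internal = InternalCustomerStore()
    ref = web.register("alice", "correct horse battery staple")
    # Constructed sample detail; it exists only in the internal store.
    internal.put(ref, {"billing_address": "1 Example Street", "card_number": "4111111111111111"})
    return web, internal, ref


if __name__ == "__main__":
    web, internal, ref = demo()
    print("login ok:", web.authenticate("alice", "correct horse battery staple") == ref)
    print("web store leaks sensitive data:", web_store_leaks_sensitive_data(web))
```

The `exposed_fields` check is the useful part for a review: run it against whatever the website's database actually holds, and any field in `SENSITIVE_FIELDS` that turns up is data that should have been moved behind the internal boundary.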
Any business that processes card transactions online or through chip and PIN is at further risk of fraudulent activity, whether it be local authorities taking direct debit payments, hotels taking bookings online or an ecommerce website. Businesses such as these need to realise that if their customers are subject to ID theft or data invasions, the problem now lies with them as the merchant. Previously credit card companies and banks were responsible for data protection and dealing with ID fraud, but changes introduced in June 2007 mean merchants are now accountable.
“There has been a 50% increase in attacks to online payment sites in the last two years”
One way that businesses can relieve themselves of some of this responsibility is to comply with the Payment Card Industry Data Security Standards (PCI DSS). The industry has been crying out for standards such as these in response to the alarming increase in the number of attacks during the past two years.
However, compliance is more than getting a tick in the box – there is investment involved in identifying the potential vulnerabilities and then successfully implementing appropriate IT security measures to mitigate the risk; but the benefits far outweigh the costs, and with legislation clamping down it will soon be unavoidable.
Although the main cost to businesses affected by web hacking is clearly the loss of customer information, such as unencrypted credit card details and PINs, companies must also understand the costs associated with brand damage. Hackers could take full control of a site and alter its content, which is not only highly embarrassing for the business but also extremely detrimental to the brand and stakeholder relationships. For example, the major high street retailers recently named and shamed in the press are likely to be remembered for all the wrong reasons for a while to come.
Organisations need to adopt IT security as part of a strategic and planned investment for the whole business and not as a distress purchase after the event, as by then it can be too late.