You’d have to be living under a rock to remain unaware of the many threats modern companies face due to online operations. Certainly there is a lot to be gained from setting up a business website complete with an online store, not to mention social media accounts, but there are also many risks associated with forays into the virtual world.
Keeping your business secure used to mean installing locks, an alarm system, surveillance cameras, and possibly a robust safe, just in case. While these measures still apply to companies with brick-and-mortar locations, many businesses now have the added worry of protecting a secondary operation in the online arena.
You’ll hear plenty of people say that the World Wide Web is a modern Wild West. Although controls are constantly evolving and will continue to advance, the truth is that hackers often seem to be a step ahead. However, this could have something to do with the vast number of businesses that are badly under-protected.
Whether you’re just starting your online operation and attempting to learn about web security along the way or you’ve been at it for a while and you’re in need of a refresher, there are several security basics every business should be aware of. Here’s a crash course in web security to get you started.
There are two main types of controls inherent to web security: technical and operational. Technical controls consist of any measures automatically implemented by your technology, including your hardware, software, and firmware.
There is a broad range of technical controls to consider when planning your security strategy. Most businesses start with firewalls for both their internal systems and their online operations (i.e. a web application firewall). The next step is implementing software that recognizes and stops viruses, spyware, malware, and so on.
Technical controls could also include password protection software, encryption software, third-party monitoring and maintenance, and system backups. This last one is technically a recovery feature rather than a security measure, but it’s worth mentioning because without it a hack that results in data loss could halt operations.
Of course, you can’t rely entirely on technical controls to keep your company’s online operations safe. In addition to the many programs designed to protect you from hackers, your users (employees, customers, etc.) must also behave in a safe and responsible manner in order to ensure the highest level of security. Tools are only as good as their users, and this is where operational controls enter the picture.
Operational security measures include any actions performed by people, as opposed to machines, but these two systems of control often work hand-in-hand. For example, you no doubt have a login system that includes username and password requirements.
The system itself is a form of technical control, but users are responsible for making and using passwords appropriately. If employees allow others to access their passwords and accounts, they could be responsible for breaches that your technical controls would otherwise have protected against.
Another example of technical and operational controls working together would be software that warns users when they’re about to access dangerous websites (those that contain potentially harmful code). If users are properly trained, they should navigate away instead of putting your network at risk.
Of course, this marriage of technical and operational controls relies on a third system: management controls. The policies and procedures you create have an impact on how well these systems all work together to protect your online operations.
With comprehensive training and implementation of security systems you can ensure that both technical and operational controls work toward the common goal of keeping your company secure against breaches.
Proper internet security begins by assessing your website from the hacker’s point of view. What are the weaknesses hackers are most likely to exploit? Perhaps your password protocols aren’t very robust or your antivirus software is out of date.
Maybe your employees have a penchant for visiting dangerous websites, opening suspicious emails, or clicking dubious links. Maybe you don’t take advantage of monitoring services that could provide you with early warning of breaches.
Risk management revolves around understanding the threats you’re facing and performing an honest assessment of your vulnerabilities. When you do this you have the information needed to implement suitable security controls.