Web Security 101

You’d have to be living under a rock to remain unaware of the many threats modern companies face due to online operations. Certainly there is a lot to be gained from setting up a business website complete with an online store, not to mention social media accounts, but there are also many risks associated with forays into the virtual world.

Keeping your business secure used to mean installing locks, an alarm system, surveillance cameras, and possibly a robust safe, just in case. While these measures still apply to companies with brick-and-mortar locations, many businesses now have the added worry of protecting a secondary operation in the online arena.

You’ll hear plenty of people say that the worldwide web is a modern Wild West. Although controls are constantly evolving and will continue to advance, the truth is that hackers often seem to be a step ahead. However, this could have something to do with the vast number of businesses that are tremendously under-protected.

Whether you’re just starting your online operation and attempting to learn about web security along the way or you’ve been at it for a while and you’re in need of a refresher, there are several security basics every business should be aware of. Here’s a crash course in web security to get you started.

Technical Controls

There are two main types of controls inherent to web security: technical and operational. Technical controls consist of any measures automatically implemented by your technology, including your hardware, software, and firmware.

There is a broad range of technical controls to consider when planning your security strategy. Most businesses start with firewalls for both their internal systems and their online operations (i.e. a web application firewall). The next step is implementing software that recognizes and stops viruses, spyware, malware, and so on.

Technical controls could also include password protection software, encryption software, third-party monitoring and maintenance, and system backups. This last one is technically a recovery feature rather than a security measure, but it’s worth mentioning because without it a hack that results in data loss could halt operations.

Of course, you can’t rely entirely on technical controls to keep your company’s online operations safe. In addition to the many programs designed to protect you from hackers, your users (employees, customers, etc.) must also behave in a safe and responsible manner in order to ensure the highest level of security. Tools are only as good as their users, and this is where operational controls enter the picture.

Operational Controls

Operational security measures include any actions performed by people, as opposed to machines, but these two systems of control often work hand-in-hand. For example, you no doubt have a login system that includes username and password requirements.

The system itself is a form of technical control, but users are responsible for making and using passwords appropriately. If employees allow others to access their passwords and accounts, they could be responsible for breaches that your technical controls would otherwise have protected against.

Another example of technical and operational controls working together would be software that warns users when they’re about to access dangerous websites (those that contain potentially harmful code). If users are properly trained, they should navigate away instead of putting your network at risk.

Of course, this marriage of technical and operational control relies on a tertiary system: management control. The policies and procedures you create have an impact on how well these systems all work together to protect your online operations.

With comprehensive training and implementation of security systems you can ensure that both technical and operational controls work toward the common goal of keeping your company secure against breaches.

Risk Management

Proper internet security begins by assessing your website from the hacker’s point of view. What are the weaknesses hackers are most likely to exploit? Perhaps your password protocols aren’t very robust or your antivirus software is out of date.

Maybe your employees have a penchant for visiting dangerous websites, opening suspicious emails, or clicking dubious links. Maybe you don’t take advantage of monitoring services that could provide you with early warning of breaches.

Risk management revolves around understanding the threats you’re facing and performing an honest assessment of your vulnerabilities. When you do this you have the information needed to implement suitable security controls.

Looking Ahead – Emerging Trends in Web Security for 2016

Thanks to the advent of the Information Age, our lives have been made a lot easier when it comes to compiling, aggregating, and analyzing data. Unfortunately, with that great privilege comes the great responsibility of ensuring that information systems are secure enough to withstand an attack from unethical hackers who seek to cause mayhem, steal data, and/or commit industrial espionage.

In 2016, there will be noticeable trends emerging in web security. Here are a few of them.

Mobile Security Will Gain More Focus

Thanks to the Bring Your Own Device (BYOD) concept, many employers are allowing employees to connect their own mobile devices to company servers. That makes life easier for the employee, because one device can be used for everything. It also boosts the company’s bottom line because it reduces expenses related to equipment purchases.

However, there’s a trade-off with BYOD. Many people don’t secure their mobile devices as well as they should. As a result, people who gain access to an employee’s mobile device might also gain access to company resources.

In 2016, look for the emergence of companies that specialize in BYOD security for businesses. It’s likely that many of those companies are going to set financial records in the new year.

Multi-Factor Authentication Will Gain Traction

Although your password might be very secure because it’s 14 characters long, includes three symbols, two numbers, and a mix of upper- and lower-case characters, your employer might still not be satisfied. That’s especially true if you work remotely.

In 2016, expect to see an increased adoption of multi-factor authentication. That’s a method of logging on to secure systems that requires not just a password, but also some other security measure.

For example, some multi-factor logons require a digital token to be used in addition to the password. A digital token is typically a number generated by a device that fits on your key chain. You press the button and it gives you a number that expires in 30 seconds or so. You’ll need to use that number in addition to your password to log on to the system. That way, a hacker who has your password can’t log on unless he or she has the token generator from your key chain.
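To show what sits behind that key-chain number, here is an added example (not code from the original article) of a time-based one-time password in the style of RFC 6238: the token device and the server share a secret, both derive a code from the current 30-second time slot, and the server accepts the submitted code only if it matches the current slot or an adjacent one. The shared secret and timestamps below are the RFC's published test values, used here as constructed sample input.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds a code stays valid, matching the article's "30 seconds or so"
DIGITS = 6       # length of the displayed code

# Constructed sample secret: the ASCII string "12345678901234567890" in base32,
# which is the shared secret used in the RFC 6238 test vectors.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Code the token device displays during the time slot containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step                       # which 30-second slot we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current slot or +/- `window` slots,
    so a code typed just before it rolls over is not rejected for clock skew."""
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + drift * TIME_STEP)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp_code(SAMPLE_SECRET_B32, now)
    print("current code:", code, "valid:", verify_totp(SAMPLE_SECRET_B32, code, now))
```

A real deployment also records which slot a code was last accepted for, so the same code cannot be replayed inside its window.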

Some multi-factor logins will go the extra mile from there and require biometric identification in addition to the other two factors. We’ve officially become a science fiction movie.

Concerns About Outsourced Code

With the threat of data breaches becoming ever more prevalent, some CIOs might start to consider the possibility that some custom-made software has a back door that can be exploited for hacking purposes.

Remember, companies often outsource their development efforts to save money. However, those outsourced companies could employ unscrupulous individuals as easily as any home-grown shop. The problem is even worse when outsourced contractors have produced software with thousands or tens of thousands of lines of code.

Look for IT management to recommend an “overview” of outsourced code in 2016 to ensure, as much as possible, that it’s free of back door threats.

Big Data Is a Big Headache

IT professionals everywhere love the concept of “big data.” That’s an industry buzz-phrase for a huge database that holds massive amounts of data and is used for decision-making purposes.

Unfortunately, all that data is a treasure trove of information for unethical hackers. It was unsettling to a lot of American consumers when a hacker gained access to Anthem’s database and the information it held on as many as 80 million Americans. That data repository is what hackers would call a “target-rich environment.”

Look for CIOs to pay special attention to big data security in 2016 as they attempt to minimize threats of a data breach.

A High Demand for Information Security Professionals

If you’re contemplating a career change in IT, give serious thought to becoming an information security professional. It’s very likely that people who know how to minimize IT risks and put in place proactive measures to offset attacks will be in high demand in 2016 and the years following.

Data security will continue to be a high priority item for upper management in 2016. Too many companies have received bad press because they allowed hackers to gain access to their systems. Now, executives realize that cyber security is just one of many costs of doing business.