The high ROI of e-commerce makes it one of the safest bets going. Yet before joining any e-commerce platform, you should balance the benefits against the risks. Sure, you want to please your customers, but protecting your data is just as important.
By vetting the security of any e-commerce solution you adopt—and taking steps to reduce or eliminate areas where breaches could occur—you can build your e-commerce offerings without jeopardizing what matters most to your business. The following 10 strategies can help.
1. Incorporate security from day one. “When you’re trying to get your business off the ground, it’s natural to be more concerned about execution than security,” says security manager Joseph Gomez of the Ariba IT Security & Risk Office. “But you have to include it from the very beginning, because once the company starts becoming successful, someone could decide they’re going to leave and take what they can on their way out.” Protect yourself with legally binding agreements that clearly define data confidentiality, intellectual property ownership, and procedures for removing e-commerce account access when employees depart.
2. Ask the right questions. The nature of security risks varies with the e-commerce solution(s) you adopt, so weigh the pros and cons carefully before signing on the dotted line. Any e-commerce provider should be able to supply the following:
- Documentation of compliance with national and international security standards plus regular audits by an independent third-party agency (you can review Ariba’s security practices here).
- A clearly outlined disaster recovery strategy that includes detailed information about data backup along with evidence that backup practices are tested regularly.
3. Keep users front and center. “Security is really all about managing people,” Joseph says, noting that the simplest approach usually works best. “When you create a security-related policy or procedure, make sure it’s not overly bureaucratic; if it is, people will find a way to work around it.” By considering user needs and job functionality as you design security measures, you can sidestep such problems and make it easy for everyone to comply. “You can’t develop these rules in a vacuum,” Joseph notes. “You have to engender security in a way that advances and supports your business model.”
4. Train and maintain. Educate users about practices they should follow to optimize e-commerce security, then monitor adherence over time. The payoff can be huge: Aberdeen research shows that investing in awareness and training for end-users correlates directly to best-in-class performance, reducing security-related risks by about 60% (see figure 2).[i] Yet many companies still fall short in this area, investing far more in security technologies than user education—perhaps due to difficulty in demonstrating its ROI (this report outlines a way to do so).
5. Define, assign, and refine roles and responsibilities. Aligning e-commerce roles and permissions with your existing business hierarchy helps protect sensitive information by limiting access to only those who should see it. It also ensures the right people make decisions about key responsibility areas, which can prevent problems when changes occur. “We’ve seen situations within companies where someone tries to take over the account because a person leaves or there’s an internal dispute,” Joseph says. “Having e-commerce roles and responsibilities appropriately assigned can keep those types of things from becoming legal issues rather than negotiation issues.” (For details about managing Ariba user roles and permissions, log into your account, click “Help,” and enter https://uex.ariba.com/node/322 in the Ariba Exchange User Community search field.)
6. Keep account information current. Keeping account roles and contacts up to date supports e-commerce security in two key ways: 1) it ensures that notices regarding required security-related actions go to those best able to respond, and 2) it enables a faster, more effective response when a breach or incident occurs. “Our job is to secure and defend the customer’s information, but if their contact information is wrong, it takes longer to reach the right person if a problem arises,” Joseph says.
7. Classify and encrypt sensitive information. Before using any e-commerce solution, classify and sort your data according to what’s valuable to your business, what’s confidential, and what needs to be protected. And no matter how much you trust your e-commerce provider or how secure the platform is, always encrypt sensitive data before uploading or transmitting it through the solution. “Encrypting your data protects it, and then you can share the decryption key with just the buyer you’re doing business with,” Joseph says. “That maintains security without exposing it to anyone else, even if the data is stored in the solution.”
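The pattern in item 7, encrypting before upload so that only the intended buyer can decrypt, as an added Go example that is not Ariba's code and not part of the original article: the document is encrypted under a one-time data key, and only that key is wrapped to the buyer's RSA public key (the buyer's key pair is assumed to exist already; how you obtain the buyer's public key is out of scope).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Sealed is all the platform ever stores: ciphertext plus a data key wrapped for one buyer.
type Sealed struct{ Nonce, Ciphertext, WrappedKey []byte }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // AES-GCM with the standard 96-bit nonce
}

// SealForBuyer (supplier side) encrypts doc under a fresh AES-256 data key and
// wraps that key with the buyer's RSA public key (OAEP/SHA-256).
func SealForBuyer(doc []byte, buyerPub *rsa.PublicKey) (*Sealed, error) {
	buf := make([]byte, 32+12) // 32-byte data key followed by a 12-byte nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dataKey, nonce := buf[:32], buf[32:]
	gcm, _ := newGCM(dataKey) // cannot fail: key length is fixed at 32 bytes above
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, buyerPub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &Sealed{nonce, gcm.Seal(nil, nonce, doc, nil), wrapped}, nil
}

// OpenAsBuyer (buyer side) unwraps the data key with the buyer's private key and
// decrypts; any tampering with the stored ciphertext fails the GCM tag check.
func OpenAsBuyer(s *Sealed, buyerPriv *rsa.PrivateKey) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, buyerPriv, s.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
}
```

A breach of the platform's stored record yields only ciphertext and a key blob that nothing but the buyer's private key can unwrap, which is the property the quote above relies on.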
8. Add anti-virus and anti-malware. Skipping anti-virus and anti-malware in your security approach is like padlocking all your doors but leaving your back window wide open. “A regimen of anti-virus and anti-malware is probably one of the most essential aspects of security, and it has to almost be religion,” Joseph says. “You need to put it in place and make sure it’s running, because there’s always somebody willing to do things illegally to get your money and your information.”
9. Check up on the backup. A casual approach to backup is a big gotcha for smaller businesses, which tend to run more hand-to-mouth—making the loss of critical data devastating. “Even if it’s just two people in that company, you still have to define who’s responsible to get backups done, and have a secure means of storing that data away from your business location,” Joseph says. “Then if you’re broken into or there’s a fire, you have the protection that allows you to live for another day.” Scrutinize archival and backup procedures for e-commerce data as well, and maintain your own copy of any information you can’t afford to lose.
10. Align over time. “One of the biggest problems in e-commerce security is a ‘one and done’ attitude,” Joseph notes. “If there are changes in your business processes or the solutions you use, you have to adjust security practices in each of those areas accordingly.” For example, if your e-commerce provider develops a new mobile app that can make your sales force more productive, great—but be sure to check for security holes before jumping in. Have they performed a third-party audit on it? Has their data protection and security policy been revised to cover it? Will you allow salespeople to load the app on their own devices, and if so, how will you safeguard data in this new realm? By asking such questions up front—before the app is out in the field—you can prevent a host of serious problems later on.
[i] Derek E. Brink, “The Last Mile in IT Security: Changing User Behaviors,” Aberdeen Group, 24 November 2014.