Security Procrastination...
I had a whole other topic to discuss today, but when I got a phone call from a consultant for an online store I just had to postpone the original discussion. After all, security is a priority...
The store in question is running an outdated version of its shopping cart, on an outdated (I'm talking years outdated) version of the server software, thus making it prone to hacks and viruses that have been in the books for some time. Couple this with the lack of maintenance (more than 100,000 abandoned cart records), and online storage of thousands of orders (with credit card numbers). My head was kinda spinning.
The consultant said the particular reason for calling has been an issue for the company for nearly two years--a missing snippet of a license that prevented the web team from performing long overdue front-end updates.
Now, the call and complaint itself wasn't that unique. I often hear from Mom-n-Pop shops experiencing problems because, unbeknownst to the store owner, there's a security issue interrupting the store's functionality. As much as I hate it, I understand that many indie store owners simply don't research or obtain the correct guidance when it comes to security. My job, in this respect, is to get the store on track and provide the training necessary to protect data as much as possible.
In today's case, however, they should already know what to do, and more so, take every step to "lock down" the server and the store. After all, they are in the security market. They cater to those needing to safeguard homes, vehicles, safes and just about anything else that locks and can be alarmed. The organization is prominent in its field, so I was baffled...
With today's higher risk of loss, frequently created hacks and viruses, and frequent updates being released to further protect data, alerts to run update scripts and software shouldn't be ignored. This goes for all site software, too, as any scripts that run can be vulnerable, including the ever-popular WordPress blog scripts.
Taking the time to research (yes, read the changelogs and determine if any other scripts will be affected), and introduce updates and upgrades is a necessary part of business. Waiting a day or two so you can run them when fewer shoppers are online usually isn't a problem, but when those days grow into months... and years even, it makes me wonder if security is even a priority for such sites. I certainly won't shop them, and yet, most of the time, the customers don't even know their information is being put at considerable risk.
Bryan Johnson says:
I agree, it's challenging and costly for smaller organizations without a dedicated IT staff to always be up to date with security threats and vulnerabilities. It's challenging enough for firms with a dedicated staff.
There are, however, solutions in the market place that eliminate the handling, processing and storage of credit card data. With this approach, no sensitive data is ever present in the merchant environment to be stolen. Merchants should obviously always maintain good security practices but whenever sensitive data can be removed and compliance scope limited, it should be considered.
Bryan Johnson Braintree
LexiConn says:
If you're a small business and run an online store, make sure you choose a web host that understands security, offers managed hosting (i.e. handles server security issues) and if possible, choose an e-commerce application that the host fully supports (so the host can easily upgrade it).
I see too many merchants choose an open source application, add a bunch of unsupported modifications and code changes, and choose a low cost host where security and PCI issues are not a priority. The merchant then fails a PCI scan, has no ability to seamlessly upgrade their ecommerce cart, and the host will not help them resolve PCI issues.
If you look at your web host as your security and PCI partner as opposed to a commodity where the lowest price wins, managing this complex web of security issues is much more manageable.
Rob LexiConn
iPhone Application Development says:
Hi Pamela! You have talked on very interesting topic. Definitely introducing the customer about a bit updates and upgrades of your business is really profitable initiation. If not, then customers remain unaware from your new launched products and services and this will lead you losing of customers and also affect your business. Thank you for sharing subjective post.
