From B2B Insights, June 2004.
by Iacovos Zachariades, President, Global Reach Internet Productions
Back in the infancy days of the Internet, most websites were nothing more than an electronic brochure of an organization's products and services. Today, websites are doing much more. People are communicating with each other electronically, buying and selling things, even relying on web-based solutions to run their business. As the level of sophistication rises, so must the level of security needed to protect these vital systems.
Build a firewall
A firewall is your first line of defense against intruders. These hardware devices typically sit where a computer network connects to the Internet. Their job is to filter all of the information coming into the network and stop suspicious or malicious activity from passing through. If your servers are not behind a firewall, chances are that if you haven't already been attacked, you will be. Just as you wouldn't build an office building without putting locks on the doors, you shouldn't put up a website without a firewall.
Use a digital certificate
Each time someone visits your website, the information passing back and forth from your web server to the customer's computer may pass between a dozen or more other computers as it travels along the Internet. At each stop, people with less than noble intentions could monitor and steal this information.
If you're in the business of conducting e-commerce transactions or collecting personal information, this is probably data you would prefer to keep between you and the customer. A digital certificate, such as an SSL certificate, enables this information to be encrypted as it is sent from the customer's browser to your server.
A properly installed SSL certificate gives you the little golden padlock icon at the bottom of your browser window. This tells your customers the information they submit to you will be encrypted - it's also something they've been trained to look for.
If your website is not secure - yet it claims it is - you're sitting on a ticking time bomb, just waiting to go off.
Encrypt sensitive data
Even though you may already be using an SSL certificate to encrypt sensitive data as it crosses the Internet, what are you doing with that credit card number once you get it? If it's going into a database or order fulfillment system as clear text, you've got a problem. Credit card numbers, along with other data of a highly sensitive nature, should be encrypted if they are going to be stored for any reason.
Terminate access for former employees
Remember Bob Smith? He helped you set up and launch your online store a few years ago. He also hasn't worked for you since last July. Does he still have access to your website? Do you even know? If an employee leaves, make sure that person's access is terminated the day he/she leaves.
Choose good passwords
Since your password is essentially a key to your secure systems, you should never have a password that someone can guess. All too often, people use their spouse's name, a pet's name, a birthday, etc. The best passwords are ones that are eight characters or longer and are a mixture of letters, numbers, and symbols. Stay away from any words in the dictionary, and never write them down - especially on a sticky note attached to your monitor!