If you run a website, there's a good chance that you store data that you wouldn't want falling into the wrong hands. At the same time, there's also a good chance that you're increasing the odds of that happening by not following basic security best practices.
Unfortunately, the cost of data breaches is growing every year. According to a study released by the PGP Corporation and the Ponemon Institute, the average cost of a data breach incident in 2009 was $6.75 million, up from $6.65 million in 2008. The largest data breach in the 2009 study cost just under $31 million to clean up.
Fortunately, there are a lot of common sense ways to mitigate the risk of a data breach. Here are ten of them:
- Don't store sensitive data in plaintext. Web development 101: passwords should never be stored in plaintext, and not in reversibly encrypted form either. Store a salted hash produced by a deliberately slow password-hashing function (bcrypt, scrypt or PBKDF2), so that a stolen user table can't be turned back into working passwords cheaply. Other sensitive data that you genuinely have to keep should be encrypted at rest, with the key held somewhere other than next to the data it protects.
- Don't store sensitive data unnecessarily. A lot of sensitive data is stored when it doesn't need to be. Take, for instance, credit card numbers. Oftentimes, website owners will store them even though they don't need to, and despite the fact that in many cases they're not supposed to in the first place: the card industry's PCI DSS rules forbid storing the card verification code at all after authorization, and holding full card numbers puts your whole environment in scope for those rules. Data you don't hold can't be stolen from you.
- Be mindful of permissions. Managing permissions on your servers properly is an easy way to help prevent unauthorized access to data. Apply least privilege: the web server process should not be able to write to your application code, configuration files holding database credentials should be readable only by the account that needs them, and the database user your application connects as should have only the grants it actually uses (no DROP, no access to other schemas).
- Filter input, escape output. Your web applications should never, ever trust any data that is provided by users. All data that comes in should be filtered, meaning checked against what you expect it to look like (an allowlist, not a blocklist of known-bad strings), and all data going out should be escaped for the context it lands in: HTML-encoded when placed in a page, passed as a bound parameter rather than pasted into SQL text when sent to the database. Sites that do neither are far more vulnerable to the cross-site scripting (XSS) and SQL injection attacks that are so popular with hackers.
- Use a firewall. While many businesses can't afford hardware firewalls, every server should at least have a software firewall as a first line of defense. Configure it to deny by default and allow only the ports the server actually serves, typically 80 and 443 to the world and SSH from your own management addresses.
- Manage users. You may love the people who work for you, but they're security risks. A disgruntled employee and an employee with administrator access and a lazy password are equally dangerous. That's why it's so important to actively manage user accounts and their permissions: one account per person, no shared logins, privileges reviewed periodically, and accounts removed the day someone leaves.
- Use SSL where appropriate. While you might think the use of SSL (TLS) is overkill for transactions not involving payments or transfers of confidential personal information, it's an easy way to ensure that transmissions of data such as logins and passwords aren't done in plaintext. Without it, a login form and the session cookie that follows it can be read by anyone on the network path between the user and you, including other users of the same public wifi. And because ultra-cheap SSL certificates are widely available, using an SSL certificate is worth some consideration even if you're not accepting payments or handling ultra-sensitive data.
- Look at your infrastructure. How you set up your infrastructure can play a big role in your security. If you have dedicated servers for databases, for instance, you may want to keep them off the public network (the internet) and make them accessible only through a local private network: bind the database to the private interface and allow connections only from your application servers, so the database port is never reachable from the internet at all.
- Stay on top of security releases. Third-party software can be a hacker's best friend. That's because a lot of people don't bother to update the third-party software they use on a regular basis, making it easy to scan for the version banners of known-vulnerable software and exploit it. By maintaining an inventory of the third-party software you've installed, subscribing to its security announcements and applying patches promptly, you can avoid falling victim to a known exploit that has already been patched.
- Treat security as an ongoing activity. New security threats are always emerging, which means you can't treat your security as a 'do it once and forget about it' task. From staying knowledgeable about security-related issues to regular audits, security should be top-of-mind on a daily basis.
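The "filter input, escape output" rule is easiest to see with the vulnerable and hardened versions side by side. The following is an added example, not code from the original article: a constructed SQLite table of users, a lookup that pastes user input into the SQL text next to one that binds it as a parameter, an allowlist check for usernames, and HTML escaping before a name is placed in a page. The schema, sample rows and attack strings are all constructed for this example.

```python
import html
import re
import sqlite3

# Added example: the two places user data most often does damage, a database
# query (SQL injection) and an HTML page (cross-site scripting), each shown in
# its vulnerable and its hardened form. Table, rows and payloads are constructed.

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def make_db() -> sqlite3.Connection:
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str):
    """Deliberately vulnerable: user input becomes part of the SQL statement."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str):
    """Hardened: the driver binds the value, so it can never become SQL syntax."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(username: str) -> bool:
    """Filter input: accept only what a username is allowed to look like (allowlist)."""
    return USERNAME_RE.fullmatch(username) is not None


def render_greeting(display_name: str) -> str:
    """Escape output: encode the value for the HTML context it is placed in."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}!</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(find_user_vulnerable(conn, payload))   # every row in the table
    print(find_user_safe(conn, payload))         # []
    print(is_valid_username(payload))            # False
    print(render_greeting("<script>alert(1)</script>"))
```

Note that the hardened lookup does not try to "sanitize" the quote characters; binding the value as a parameter keeps data and code separate regardless of what the string contains. The allowlist check is an extra layer that rejects the payload before it ever reaches the database, and the escaping step is what stops a stored name like `<script>alert(1)</script>` from executing in every visitor's browser.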
Photo credit: CarbonNYC via Flickr.