
If you run a website, there's a good chance that you store data that you wouldn't want falling into the wrong hands. At the same time, there's also a good chance that you're increasing the odds of that happening by not following basic security best practices.

Unfortunately, the cost of data breaches is growing every year. According to a new study released by the PGP Corporation and the Ponemon Institute, the average cost of a data breach incident in 2009 was $6.75 million, compared with $6.65 million in 2008. The largest data breach in 2009 cost just under $31m to clean up.

Fortunately, there are a lot of common sense ways to mitigate the risk of a data breach. Here are ten of them:

  • Don't store sensitive data in plaintext. Web development 101: passwords should be stored only as salted, slow one-way hashes, so that a copy of your database does not hand an attacker every user's credentials, and other sensitive data that you must be able to read back should be encrypted rather than stored as-is.
  • Don't store sensitive data unnecessarily. A lot of sensitive data is stored when it doesn't need to be. Credit card numbers are the classic case: site owners often store them even though they have no need to, and in many cases they are not permitted to in the first place. Data you never stored cannot be stolen from you.
  • Be mindful of permissions. Managing file and database permissions on your servers properly, so that each account and process can read only what it actually needs, is an easy way to help prevent unauthorized access to data.
  • Filter input, escape output. Your web applications should never trust any data provided by users. Validate every input against what the field is allowed to contain, and escape every value at the point of output for the context it lands in (an HTML page, an attribute, a database query). Sites that do neither are far more vulnerable to injection and to the cross-site scripting (XSS) attacks that are so popular with attackers.
  • Use a firewall. While many businesses can't afford a hardware firewall, every server should at least run a host-based software firewall as a first line of defense, blocking everything except the ports it genuinely needs to expose.
  • Manage users. You may love the people who work for you, but they are security risks. A disgruntled employee and an employee with administrator access and a weak password are equally dangerous. That's why it's so important to actively manage user accounts and their permissions: grant the minimum each person needs, and remove access promptly when people leave or change roles.
  • Use SSL where appropriate. You might think SSL is overkill for transactions that don't involve payments or confidential personal information, but without it logins and passwords travel in plaintext and can be read by anyone on the network path between the browser and your server. Because ultra-cheap SSL certificates are widely available, using one is worth serious consideration even if you're not accepting payments or handling ultra-sensitive data.
  • Look at your infrastructure. How you set up your infrastructure plays a big role in your security. If you have dedicated database servers, for instance, keep them off the public network (the internet) and make them reachable only from your web servers over a private network.
  • Stay on top of security releases. Third party software can be a hacker's best friend, because many site owners never update it, and a known, already-patched vulnerability in an old version is trivial to search for and exploit. Keep an inventory of the third party software you've installed and track its new releases and security advisories, so you never stay on a version with a published hole that has already been fixed.
  • Treat security as an ongoing activity. New security threats are always emerging, which means you can't treat security as a 'do it once and forget about it' task. From staying knowledgeable about security-related issues to running regular audits, security should be top-of-mind on a daily basis.
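To show the "filter input, escape output" rule in working code, here is an added Python example (not code from the original article). It builds a constructed in-memory SQLite user table and queries it two ways, string concatenation beside a parameterised query, then applies an allow-list validator to a username field and HTML-escapes a value at the point of output. The table contents, the sample payloads, the username policy and the function names are all assumptions made for the illustration.

```python
import html
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# BEFORE: user input is spliced into the SQL text, so a quote in the input
# rewrites the query.  Kept only to contrast with the safe version below.
def lookup_email_unsafe(conn: sqlite3.Connection, username: str) -> list:
    rows = conn.execute(
        f"SELECT email FROM users WHERE username = '{username}'"
    ).fetchall()
    return [row[0] for row in rows]


# AFTER: the driver binds the value as data; it can never alter the query.
def lookup_email_safe(conn: sqlite3.Connection, username: str) -> list:
    rows = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchall()
    return [row[0] for row in rows]


# Filter input: an allow-list of what the field may contain (assumed policy).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def filter_username(raw: str) -> str:
    """Return the username if it matches the allow-list, otherwise raise."""
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("invalid username")
    return raw


# BEFORE: stored or submitted text is written straight into the page.
def render_greeting_unsafe(display_name: str) -> str:
    return f"<p>Hello, {display_name}!</p>"


# AFTER: escape for the HTML context at the point of output.  Escaping on
# output rather than on input means the same stored value can also be sent
# safely to other contexts (JSON, email, a log line) with their own escaping.
def render_greeting(display_name: str) -> str:
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"
    print(lookup_email_unsafe(db, attack))   # every email in the table
    print(lookup_email_safe(db, attack))     # []
    print(render_greeting("<script>alert(1)</script>"))
```

Note that the allow-list filter and the parameterised query are independent defences: the filter rejects the injection payload before it reaches the database, and even if a field's policy must allow quotes (a surname like O'Brien), the bound parameter keeps the query shape fixed.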

Photo credit: CarbonNYC via Flickr.


Published 27 January, 2010 by Patricio Robles

Patricio Robles is a tech reporter at Econsultancy. Follow him on Twitter.


Comments (8)


GeekyClown

Great set of tips.  Out of curiosity, outside of a user's password, what other information would you suggest hashing instead of just using encryption?  

over 6 years ago


Bharath Reddy

Third party software can be a hacker's best friend. That's because a lot of people don't bother to update the third party software they use on a regular basis, making it easy to search for and exploit vulnerabilities.

I'm one of the people who keep up with updating their third party software. Thank you so much!! Good set of tips.

over 6 years ago

Patricio Robles

Patricio Robles, Tech Reporter at Econsultancy

GeekyClown,

Passwords are most common, but you can use hashing to deal with any data that you don't need to redisplay to the user. Hashing obviously doesn't work well for anything you need to redisplay since it's one-way.

over 6 years ago


Steve Nice, Tech Director at ForLinux Ltd

Hi,

Another point worth mentioning is to clean up old scripts and test data from your server. Too often I have performed ethical hacking on a site and discovered test areas where passwords are in plain text. On one client's site I discovered a MySQL username and password and an installation of phpMyAdmin. With this information I uncovered 150,000 email addresses. Too many developers use the live infrastructure for testing and staging. There's no reason why they should be using, for example, a XEN virtual environment or AWS.

Steve

www.forlinux.co.uk

over 6 years ago


Clerkendweller

These are a great starting point—impose these requirements on your design agencies, software development houses and all other suppliers who have any form of access to personal data.  Then look at your other confidential information and do the same.

over 6 years ago


Radhika Nagi

Yes, we should use SSL wherever required for any secure transaction, like logging in to an email account or any banking transaction such as transferring money or paying bills.

Thank you

Radhika Nagi

http://www.sslindia.co.in

over 6 years ago


computer recycling

Firewalls need not be expensive. We used to run a Linux-based iptables firewall, which did the job well and was cheap to implement!

over 6 years ago


computer recycling and disposal

You should have mentioned ensuring that all systems are anti-virus protected (if the systems need further security they could be Deep Freeze protected). Another forgotten security measure relates to the VDUs themselves. Most VDUs transmit a signal that can be intercepted from some distance away and thus present a security risk. Finally, ensure your wireless connections are fully protected.

almost 6 years ago
