Every single day, more of our activities become digital and take with them huge reams of personal data that can easily be exploited for profit and influence by those with the willingness and inclination to cross ethical boundaries. Cyber security is the practice of protecting that digitally stored personal data.
You might think that your business has no need to be concerned about cyber security. After all, what are the chances that your website in particular will be targeted? You’re probably not among the biggest companies in the world, so you’re protected by anonymity, right?
Well, even if the chance of your company being targeted for a cyber security attack is remote, the chance is still there, and with the potential consequences being incredibly dire, it isn’t a chance you can afford to take.
Here’s why cyber security needs to be near the top of your priorities:
Customer Data is Very Sensitive
If someone makes regular purchases through a website with sophisticated user tracking and data collection software, the business will be able to form an uncomfortably accurate assessment of that person’s life— when they eat, what they’re allergic to, what their viewing habits are like, when they get engaged, when they get divorced, when they’re vulnerable, etc.
In the ecommerce world, that data is used ruthlessly (though only questionably unethically) to drive sales: promoting diapers to new parents, expensive gifts to couples approaching anniversaries, things like that. It can come across as rather creepy and intrusive (I often think back to the case of Target’s “pregnancy prediction” causing a stir), but it can be ignored, for the most part. Trying to be persuasive isn’t the worst thing in the world.
But when customer data is exposed through a security vulnerability, it immediately becomes infinitely more dangerous. Blackmailers can threaten to release it to the public unless the business pays them extortion money, or use it to squeeze payments directly from the affected customers.
And no matter what happens with the data, the fact that it was leaked at all will cause incredible harm to the company’s reputation. Who will want to continue buying goods or services from a business that requested their data only to fail to keep it safe? Once you lose the trust of your customers, you might as well be radioactive.
Regulations Are Getting Stricter
In the European Union (EU), the General Data Protection Regulation (GDPR) took effect on May 25th of 2018, setting a broad standard for what is expected of EU businesses. While there is no such sweeping legislation on the immediate horizon in the United States, there are a couple of big reasons to be extremely cautious anyway.
Firstly, the Federal Trade Commission (FTC) has the power under Section 5(a) of the Federal Trade Commission Act to prohibit “unfair or deceptive acts or practices in or affecting commerce”, and its resources give it the freedom to act as the de facto protector of customer data.
Secondly, regardless of what is currently lined up, data protection issues are not going anywhere, and while the law may move slowly, it will eventually catch up. Since it’s difficult to know for sure when it will happen (and what might apply retroactively, because that possibility can’t be taken off the table), it makes sense to take care right away.
Exposed Vulnerability Encourages Further Cyber Security Attacks
There are different forms of security vulnerability. There’s the architectural kind, involving the software and protocols being used, and including things like compliance with the PCI (Payment Card Industry) standard for credit card transactions, the use of SSL (Secure Sockets Layer) certificates to demonstrate website authenticity, and the implementation of two-factor authentication to protect user accounts.
Cyber Security Services
This type of security can be reinforced through the use of a cyber security service like Sucuri (it also has free and paid WordPress extensions, though there are other formidable options on that particular platform, such as Wordfence or iThemes). This is one option that can help to mitigate the risks caused by outdated software or architectural issues.
Then there’s the procedural kind, involving the steps the business in question takes to operate in a secure manner on a daily basis, and including things like the use of secure passwords, the vetting of employees, the physical guarding of data storage solutions, and the use of protection against viruses, bots, malware, and malicious network intrusions.
Any business that uses a security-compliant hosting solution won’t generally have to worry too much about the former, because top platforms invest heavily in security. Anyone using WordPress, though, definitely needs to invest in a robust security system to help combat the platform’s open-source vulnerabilities. Plugins can be particularly vulnerable to attack.
But being backed by a robust platform won’t make it any less possible for weak passwords to be cracked, and support teams can’t take the blame for someone finding out the CEO’s mother’s middle name and using it to gain administrative access to the whole site. And something like that will rightly cause people to question the professional rigor of the upper brass.
When sharks smell blood in the water, they recognize the presence of weakness, and move in for the easy pickings. The business world isn’t quite as violent as that, but the same principle applies— if people see that your security has been breached, they’ll quite sensibly wonder if it can be done again, and that will elevate the threat you face.
Operations are Increasingly Cloud-Based
When the internet first came along and expanded opportunities for businesses, it gave rise to hybrid operational modes: physical premises were linked to digital presences (a typical business would have an office, or even multiple offices, and a website to push people towards visiting).
This mitigated the damage of cyber intrusions. After all, an online attack can’t majorly compromise the security of a physical store with on-site locks and guards (outside Hollywood movies, at least). But this has changed greatly in recent years (also at the legal level), driven largely by the immense growth of the ecommerce industry.
Today, it’s not only viable but commonplace to run a business that has no meaningful physical presence (no office, and perhaps not even any material goods) and the concept of company location has become fuzzier. For instance, when you check business listings in San Diego, you’re essentially looking at stores that are simply registered in California and thus subject to its sales tax rate. They don’t have San Diego headquarters, or even any headquarters.
And with entire businesses existing (for all practical purposes) purely in the cloud, everything can be compromised through the internet. Given the right malicious attack, an entire company infrastructure can collapse in a second and blink out of existence. Your business may still be office-based, but it’s important to be aware of the way things are moving.
For the reasons we’ve examined, and many more, it’s never rationally justified to allow your operation to be vulnerable online. It doesn’t matter if your business is relatively small and/or unknown — the risks outweigh the costs of implementing safeguards.