Platt Perspective on Business and Technology

Online store, online market space – part 15 and online security – 1: setting good standards

Posted in startups, strategy and planning by Timothy Platt on July 19, 2010

This is my 15th installment in an ongoing series on building an online store as a startup (see Startups and Early Stage Businesses, postings 20 through 33), and it deals with issues of security and risk assessment and management. Together, these form a topic complex and varied enough that when I approach it, I am never sure, at least initially, how many postings I will need to cover it sufficiently, even for the limited context intended here. This posting sets out to address some general issues that cut across this complex of topics for any business, with one crucial take-home lesson that I want to share above all else.

Security and risk assessment and management cannot be effectively understood or handled with a set, standardized solution. And even when you exercise a measure of ongoing diligence, no single-focus, settled solution can be relied upon long term to provide reliable ongoing coverage.

Two incidents I have seen and been involved in come to mind as I write this, and I include them here both because they highlight this point, and because they involve systems and process failure in an area that people setting up online businesses often fail to consider – physical security.

• Before I switched to working in information technology and online, I had a career in basic biomedical and clinical research, and that had me working with hospitals and hospital systems. I was working at a hospital center as their director for clinical research and had an office in one of their two hospitals, though my job kept me busy at both, among other places. I had a laptop computer and I did carry it around a lot because of my job-mandated mobility, if for no other reason. But there were times when I knew I would want to leave it at my office. I had a locked closet there that I wanted to be able to safely store it in, and to be on the safe side I told the locksmith who worked at this facility that I wanted the lock to that closet to be off-master – be protected with a lock that could not be opened using the standard master keys that custodians and others all carried around. I was assured that the lock installed was off-master and that all master keys were accounted for anyway. And my computer was stolen, and I then found that, contrary to what I had formally, officially requested and contrary to what I was told, the lock installed had been on-master. And Security there knew that several – some unknown number, but several or low count many copies of the master key to all doors at that hospital facility were floating around as stolen or as illegally copied. Fortunately, I had everything important backed up and I did not keep confidential information on that machine, but the loss was still significant.
• I have worked since then in a number of businesses, including ones with risk management offices where the biometric scanners and other security measures to stop the unauthorized were carefully selected and expensive to maintain – and where employees propped open the doors to the server rooms and other supposedly secure facilities with trash cans because that was the only practical way to get in and out while carrying necessary equipment in the performance of their jobs.

Organizations should have security systems that are standardized, systematized and enforced, but these systems also have to make sense in the context of real-world workflow and employee requirements, or more effort will go into finding ways to bypass them than went into developing them. This applies to physical security, to information technology security and access control, and to web and online security. All of these should be coordinated and maintained on an ongoing basis, both because of employee turnover and because technologies and the risk potentials associated with them are always changing.

You may have a small business with your online store, but the information you gather, work with and maintain in your systems is crucial to the customers who provide it, and it creates liability issues for you even in simply doing routine business. Bottom line, my goal in this posting is to convey an attitude and a general approach to security and to risk identification and remediation, to help you limit surprises and to limit their impact where surprises happen anyway.

A big part of this is in striving to limit the likelihood that people will cut corners in doing their day-to-day jobs. The first example I cited above happened because a locksmith was too lazy to go and get a lock that actually was off-master when he had one in hand that was on-master and vulnerable. He had both, but the off-master locks were themselves locked away in a different building and using one called for extra paperwork. So avoiding an extra trip and perhaps fifteen minutes of filling out forms cost over $1000 for the computer alone plus a lot more for the inconvenience, and this could have cost much, much more if I had not been backing everything up. I have not even considered the potential costs of loss of confidential information here.

Plan for people to cut corners when they are avoidably inconvenienced by intended processes, not out of maliciousness but simply to save time and make things simpler in the immediate here and now. And strive to identify and implement processes that in themselves make performing tasks correctly easy – easy enough to limit the corner cutting that can undermine even the most comprehensive security and risk remediation program through failures to execute securely.

As a final thought here, I stated in my 14th installment in this series on building an online store, Business Ethics and Good Business Citizenship, that when a business’ good name and reputation are damaged this is almost always self-inflicted, and I add here that this includes damage stemming from security breaches and loss of consumer confidence too. Most data theft and loss of control of confidential information is from the inside too. I add that most of that is made possible more by carelessness and breach of what should be established policy and practice than by calculated breach of trust and well-planned theft.

Good systems and business security and risk management should be based on a solid understanding of human nature and behavior, and on finding ways to make the secure, intended approach the one people will want to use every time, even when rushed. That is a goal that can only be strived towards, but the effort is worth it.

The next posting in this series will look into some of the specific details and issues of computer system and online security, and will offer some best practices resources for addressing them and for performing due diligence in selecting security-aware third-party web site and ecommerce solution providers.
