E-Commerce Website Security Issues

Running Head: SECURITY ISSUES OF SMALL E-COMMERCE WEBSITES

E-commerce Website Security Issues

March 26, 2008

Abstract

The research topic I have chosen for this CIS666 final paper is focused on recognition and evaluation of e-commerce website security issues for a small company that lacks the technical and human resources to fully cover all aspects of running a website. How can a small company protect its e-commerce website against all the security threats endangering company’s assets and operations? With the list of security issues I covered in this paper, my recommendation is, that a small company with limited resources should outsource running of its e-commerce website to a credible web-hosting company with enough IT resources to better deal with common security issues.

Any company trying to get in any business should conduct an extensive research of its ability to succeed in the increasingly challenging environment, thoroughly evaluating its situation, business opportunities, challenges and risks, carefully weighting all of its options before deciding how to implement its business plan. The same applies to a company that wants to successfully launch an e-commerce website. A detail research and solid planning will significantly affect the outcome. While there are many challenges of building an e-commerce website, I would like to focus only on one, but major aspect of running an e-commerce website, and that is: security. Security is one of the most important issues that must be resolved to ensure the success of e-commerce. With so many well publicized security failures that often embarrass even sizable companies, small businesses must seriously question if they will ever be able to completely defend their websites, when even some big companies occasionally fail to defend themselves against all the security threats awaiting on the Internet to be tested by hackers and scammers and possibly risking all their business future. Of course, to reach the global markets and more customers, even a small company will have to implement an e-commerce website, but the question each small company should be asking is: should the website be developed and run in-house, or should it be outsourced? And one of the most important decision-making arguments should be the level of security needed. Will a small company be able to defend its e-commerce website, its hardware, software, data, and protect its customers against system failures, hackers, fraught and data theft? To answer these questions, I would like to cover in this paper several major e-commerce security issues that have to be considered, before making a final decision about an in-house development and in-house implementation of the website, or outsourcing either the development or running of the website, or some combination of the two options.

I would like to start with some statistic provided by the U.S Department of Labor: Forty percent of businesses never reopen after catastrophic data loss. Fifty percent of all businesses will fail within three years if they cannot recover lost data within 24 hours. Ninety-three percent of businesses fail if data is lost for ten days or more. Over forty percent of small businesses experience challenges when it comes to data backup. (U. S. Department of Labor вЂ" Information Security, 2008). Protecting business data is crucial, and the recent statistics support the sense of urgency. Every company should have a disaster recovery plan that covers not only natural disasters like earthquake, flooding, hurricane, tornado, and other weather-related disasters, but also man-made disasters like fire, loss of power, hardware failure and loss of data, including a cyber-attack, and even a terrorist attack. Any potential risk should be addressed, evaluated for the magnitude of the harm, and a proper response should be developed. While the company’s data might be the most valuable assets, the proper response needs to be developed also for any major systems and their software, hardware, and networking components, including backup personnel sufficiently capable of operating these systems. That might require additional staffing, extra training and also opening access to the systems to more people and that creates additional security issues. A critical hardware must be duplicated, periodically tested and updated to insure continuous operations. The best practice is to have at least two geographical locations to prevent a disruption of operations due to a local disaster. The same applies for data. There must be a sufficient data backup that is occasionally tested for consistency and there should be several geographical locations for back-up data storage, but easy and fast access in case of emergency. And that in turn creates again some additional security issues, because the back-up data must be as secure as the original data to insure full data security.

Successful security plans include evaluation of data sensitivity, integrity, confidentiality, and date availability. System confidentiality assures that all data in the system is protected from disclosure to unauthorized processes, people, or devices. System integrity insures that company’s data is protected from unanticipated/unauthorized, or unintentional destruction (or modification). System availability provides assurance that data, services, and IT system resources are accessible to all system-related processes and authorized users on a reliable and timely basis, while protected from denial of service (Assessing the Security of Federal IT Systems, 2007).

Creating disaster recovery plans is very challenging and time-consuming task, given the fact that the Internet environment is constantly evolving, so even a great security plan might get outdated fast, if no one is constantly watching for new developments, recent trends and new security threats. Quick developments of proper responses to those changes and constant re-evaluation of the plans is crucial for the un-interrupted business operations. While the big companies have dedicated IT staff just for this purpose, it might prove to be very challenging task for a small business with limited resources (financial and staffing) to promptly response to any emerging security threat.

Another major security issue to be addressed by the e-commerce website owners is privacy protection. A privacy protection is a personal and fundamental right of company’s customers and employees as well as a requirement of law. Among the most basic of customers and employees’ rights is an expectation that their company will protect the confidentiality of personal and financial information. (U. S. Department of Labor вЂ"