2017 was a bad year for data security. High-profile breaches such as Yahoo, Equifax and AA were in the news throughout 2017, and breaches are growing not just in frequency but in scale. The Yahoo hack was calculated to have affected 3 billion user accounts, and the Equifax breach affected around 143 million customers.
With this in mind, it may be time to review data security and what can be done by any organisation to reduce the likelihood of breaches.
One simple change that almost all online businesses handling user data can implement is to switch any HTTP site to HTTPS. But before we explain the benefits of HTTPS for data security in transit, a quick overview of what is meant by HTTPS.
What is HTTPS?
‘HTTPS’ stands for HyperText Transfer Protocol Secure and defines the communication that takes place between a browser and a web server. The ‘Secure’ differentiates it from HTTP by adding encryption to the communication between browser and web server, so that any information you share with the site is protected from third parties while it is in transit.
HTTP and HTTPS are simply the ways that information is transmitted and received across the internet. Both present a webpage to end-users, but HTTP makes no attempt to protect the information as it travels across the Internet.
You will notice that a site using HTTPS shows a padlock or green ‘secure’ symbol next to the URL, indicating that any personal information you submit to the site is encrypted on its way there. A site without this risks leaking personal information to third parties, because the connection is not encrypted and therefore not secure.
Creating a More Secure Data Highway
The main and most obvious benefit of HTTPS is security. The encryption added to HTTPS connections means that anybody submitting personal or financial information to your site is protected from external attempts to steal that information, such as Man in the Middle (MITM) attacks.
A MITM attack is the interception of data as it is transported from one system to another. Any unencrypted online communication can be targeted for eavesdropping or the theft of personal information.
The extra level of security of HTTPS over traditional HTTP comes from the Secure Sockets Layer (SSL) or, more recently, Transport Layer Security (TLS), the protocol that replaced SSL. It is this layer that HTTPS uses to secure any information passed between the browser and the web server.
SSL or TLS is what provides the security, because it is this layer that encrypts the data sent between the server and your browser.
Any site that relies on the transfer of personal data is asking customers for a degree of trust, and it needs to earn that trust. Customers look for an indication that their financial information is safe while browsing your site; without it, they are unlikely to enter bank details that could be stolen by a third party.
This means that any HTTP site that deals with confidential information will need to switch to an HTTPS site to protect customer data.
However, HTTPS should not be seen as the key to data security. It is an important step, but HTTPS alone does not guarantee that customer data cannot be stolen.
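Switching a site to HTTPS only helps if the http:// address actually sends visitors to the encrypted version, and the caveat above is why it is worth checking that the switch took. The script below is an added example, not part of the original article or any Data Clarity tooling: it fetches the http:// form of a hostname, follows any redirects, and reports whether the final URL is HTTPS, whether the certificate validated, and (going slightly beyond the article) whether a Strict-Transport-Security header tells returning browsers to stay on HTTPS. The hostname, the 180-day HSTS threshold and the helper names are assumptions for illustration; the assessment logic is separated from the network call so it can be exercised offline.

```python
"""Check whether a site has really switched from HTTP to HTTPS.

Added example (hypothetical helper, not the article's own code). Fetches
http://<hostname>/, follows redirects, and turns the outcome into a list
of plain-language findings. assess() and parse_hsts() are pure functions
so the logic can be tested without network access.
"""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into a dict.

    'max-age=31536000; includeSubDomains' ->
    {'max-age': 31536000, 'includeSubDomains': True}
    Returns None if the header is missing or lacks a usable max-age.
    """
    if not header_value:
        return None
    result = {}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max-age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if "max-age" in result else None


def assess(final_url, headers, min_hsts_age=15552000):
    """Turn the result of a fetch into findings.

    final_url: URL reached after following redirects.
    headers:   response headers as a dict (looked up case-insensitively).
    An empty list means the site lands on HTTPS and sets an HSTS policy
    of at least min_hsts_age seconds (180 days by default, an assumption).
    """
    findings = []
    if urlsplit(final_url).scheme.lower() != "https":
        findings.append("plain HTTP: the site does not redirect to HTTPS, "
                        "so form data and cookies travel unencrypted")
        return findings  # browsers only honour HSTS over HTTPS anyway
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = parse_hsts(lower.get("strict-transport-security"))
    if hsts is None:
        findings.append("no Strict-Transport-Security header: returning "
                        "browsers will still try http:// first")
    elif hsts["max-age"] < min_hsts_age:
        findings.append(f"HSTS max-age {hsts['max-age']} is below "
                        f"{min_hsts_age} seconds (180 days)")
    return findings


def check_site(hostname, timeout=10):
    """Fetch http://hostname/ and assess where it ends up.

    Certificate validation uses the platform trust store through
    ssl.create_default_context(); a failed validation is reported as a
    finding instead of being raised.
    """
    ctx = ssl.create_default_context()
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(f"http://{hostname}/", timeout=timeout) as resp:
            return assess(resp.geturl(), dict(resp.headers.items()))
    except urllib.error.HTTPError as exc:
        # A 4xx/5xx page still tells us the scheme and headers we landed on.
        return assess(exc.geturl(), dict(exc.headers.items()))
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ssl.SSLCertVerificationError):
            return [f"certificate did not validate: {exc.reason.verify_message}"]
        return [f"could not connect: {exc.reason}"]
    except OSError as exc:
        return [f"could not connect: {exc}"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed host
    for line in check_site(host) or ["OK: redirects to HTTPS with HSTS set"]:
        print(f"{host}: {line}")
```

Run it against your own hostname after the switch; an empty findings list is the goal, and a "plain HTTP" finding means the padlock the article describes will never appear for visitors who type the bare address.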
A More Holistic Approach to Data Security
With the new General Data Protection Regulation (GDPR) legislation coming into force in May, businesses are under more pressure to demonstrate secure data practices. Ensuring your website is secure also builds trust and reliability with search engines such as Google, which recommends the switch to HTTPS. The limitation of HTTPS is that it only secures data in transit. What about all the stored data at rest held by an organisation?
To get a full understanding of customer data, an organisation should perform a data audit. A true data audit will discover what data an organisation holds, how that data is collected and stored and the retention and deletion protocols in place.
When an organisation knows what data it holds, including the nature of that data (such as personal, sensitive or a child’s data), it should collect the permissions under which the data was gathered. If these permissions are out of date, there needs to be a process for deleting and removing the data safely and securely.
An organisation must also note how data is stored. A list of the systems that hold data should be made and the processing of data documented to prove compliance with regulation. This may be a challenge for organisations built on multiple ‘antique’ legacy systems that each hold customer data in different ways. One solution is Master Data Management.
A data audit also highlights how long an organisation holds historic data, and what the process for deleting that data is. Another constraint with legacy systems is that the data for one user may be held across multiple systems. To comply with regulations an organisation must ensure that the data associated with a user is completely removed from all these systems.
With GDPR approaching and high-profile examples of data breaches at top companies, it is more necessary than ever to ensure maximum security for customer data. There are several steps any organisation can take to improve web security and the protection of customer data.
Whether your organisation uses its site to inform, gather customer information or sell products, HTTPS is a vital investment that ensures personal and sensitive data is encrypted while it is being communicated to your site. The takeaway is that HTTPS is a more secure way to run your website than HTTP. Its limitations mean it is a good start to data security, but not the only step.
True data security requires a commitment to auditing your data so that you understand the current and necessary steps to secure customer and business data. With the insights that a data audit brings, you will be in a stronger position to make decisions about the security of data and the solutions that may be necessary to comply with regulations.
For more information on Data Clarity’s data management services, call +44 (0)3333 1111 00 to speak to a data expert.