Avoid Costly Breaches: Data Security Compliance For Business Web Software

February 23, 2025 | Joseph Marella

Every year, businesses suffer devastating losses due to weak data security: millions of dollars in fines, loss of consumer trust, and, in many cases, even business shutdown. And it’s not just naive businesses either. Tech giants like LinkedIn, Myspace, Netflix, YouTube—they’ve all fallen victim to easy-to-prevent data security vulnerabilities.

And these are just the noteworthy survivors. Thousands of businesses fall victim to security breaches every year, and many of them are forced to close their doors as a result of not taking IT security compliance and data protection seriously.

In our last post, we highlighted many potential areas of concern for growing businesses looking to expand or refine their IT solutions. We discussed regulatory matters like GDPR and CCPA, and expanded on the consequences of failing to comply with those regulations, as well as the damage to public image that results from poor data practices.

This post will outline a variety of actionable considerations that your business can make to ensure that your organization is taking good care of your customers’ data-driven experiences, ensuring growth and prosperity through your technology-driven efforts.

Minimizing Data Collection

When it comes to data collection, the idea that more is better often feels like the intuitive approach. After all, data storage is cheap, so you might as well accumulate as much as you can and figure out what to do with it later.

But this approach can carry massive consequences for businesses that don’t have the resources or know-how to sufficiently secure that data from bad actors. IT security compliance is hard, and bad actors know this. They look for the weakest links with the highest payouts. And while we’ll talk more about how to strengthen those links, we’re first going to touch on how to reduce the chance of being a target in the first place. The solution? Reducing data volume.

Whenever you embark on implementing a new technology solution, it’s critical to establish what you are truly trying to achieve. Consider the following example:

Ted’s Construction Goods is building a software platform to educate customers on how to use their products for DIY home renovations. During the planning phase, they decide that it would be great to collect information on their users to curate a better experience. They are considering:

  • Collecting phone numbers and emails for better marketing reach via push notifications
  • Collecting demographic data like age, gender, and ethnicity to curate experiences for different segments of users
  • Storing credit card information to ease integrated product suggestion purchases

This all sounds great. After all, this is what the big players in this space do, and Ted’s Construction Goods intends to be a big player one day. And all of this data would be a huge benefit to their growth efforts long-term.

This example illustrates how a business might end up with too much data. They’re a construction goods company looking to expand into the education space. There’s nothing wrong with that. But what they aren’t is a communications firm, a marketing agency, or a credit processing provider.

More data isn’t to be avoided at all costs, but it should be collected and used on an as-needed basis. A better strategy for Ted’s Construction Goods might be to focus on building out their education platform, marketing it through familiar channels and linking to their existing e-commerce platform.

If, after the successful development of their platform, they decided to expand their marketing efforts, it might start to make sense to ethically collect emails and phone numbers, where adequate focus can be placed on security and risk-mitigation.

So, what are these security and risk-mitigation strategies? First and foremost is securing data in transit and at rest.

Securing Data in Transit and At Rest

The most dangerous moment for a customer’s personal data is the moment it leaves their computer. And while there are risks even before users have submitted their data (discussed below under Protecting Against Browser Attacks), network vulnerabilities and poor storage practices can leave users open to unintended exposure. This is where encryption becomes critical.

In 2012, LinkedIn experienced a data breach resulting in over 100 million users having their emails, passwords, and other personal information exposed. This breach illustrates how even massive, completely technology-focused companies can fall victim to simple oversights in security practices. And all they needed was a little bit more salt.

Yes, that’s right, salt, more on that shortly. The key to successful security in transit and at rest is encryption. There are two methods of encryption that are important here: bi-directional encryption and uni-directional encryption.

Bi-Directional Encryption (Security in Transit)

Bi-directional encryption is how you secure data in transit, protecting it from network vulnerabilities. This is most commonly accomplished through what’s known as SSL encryption (the current versions of the protocol are called TLS, but the older name has stuck). Most major browsers show a little lock icon in the URL bar when a website is SSL encrypted.


SSL is like a handshake between your computer and the receiving server. When a user connects to a website, the server identifies itself to the browser and the two agree on an encryption key. This key scrambles the user’s data before it leaves their computer, and allows the end server to unscramble it upon receipt. This prevents anybody who intercepts the data from reading it, because they won’t have the means to unscramble it. If you’d like to learn more about SSL encryption, Cloudflare has a nice and brief explanation on the topic.
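The handshake itself is handled by the browser and the web server, so the part your application controls is making sure plaintext HTTP is never used at all. The following is an added example, not code from the original post or from Boxhouse: a request handler that refuses to serve over plain HTTP, redirects to the HTTPS equivalent, sends a Strict-Transport-Security (HSTS) header so the browser keeps using HTTPS for this host, and marks the session cookie Secure so it is never sent over an unencrypted connection. The request and response shapes and the host name are assumptions made for the example.

```javascript
// Added example (not from the original post): forcing HTTPS at the application layer.
// The TLS handshake happens below this code; this layer makes sure it always happens.

const HOST = 'example.com';        // placeholder host name for the example
const HSTS_MAX_AGE = 31536000;     // one year, in seconds

// A session cookie that only travels over TLS (Secure), is invisible to page
// scripts (HttpOnly), and is not attached to most cross-site requests (SameSite).
function sessionCookie(value) {
  return `session=${value}; Secure; HttpOnly; SameSite=Lax; Path=/`;
}

// request = { protocol: 'http' | 'https', method: 'GET' | 'POST' | ..., path: '/...' }
// response = { status, headers, body }
function handleRequest(request) {
  if (request.protocol !== 'https') {
    // Safe, idempotent requests are redirected to the https:// equivalent.
    if (request.method === 'GET' || request.method === 'HEAD') {
      return {
        status: 301,
        headers: { Location: `https://${HOST}${request.path}` },
        body: '',
      };
    }
    // A POST over plain HTTP has already exposed its body on the wire; refuse it
    // rather than redirecting, so the client is not encouraged to retry over HTTP.
    return { status: 403, headers: {}, body: 'This endpoint is only available over HTTPS.' };
  }

  return {
    status: 200,
    headers: {
      'Strict-Transport-Security': `max-age=${HSTS_MAX_AGE}; includeSubDomains`,
      'Set-Cookie': sessionCookie('placeholder-session-id'),
      'Content-Type': 'text/plain',
    },
    body: 'Served over TLS.',
  };
}
```

In practice the redirect and HSTS header are usually set once in the reverse proxy or framework configuration rather than in every handler, but the three decisions shown here (redirect safe requests, refuse unsafe ones, mark cookies Secure) are the ones to check for in whatever layer enforces them.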

Uni-Directional Encryption (Security at Rest)

Unlike bi-directional encryption, uni-directional encryption can’t be unscrambled. This is often referred to as hashing, and is a key strategy for securing data at rest. This strategy is often why businesses don’t allow you to view your existing password: not just for security reasons, but because they genuinely don’t know it.

Hashing works by using one of many common hashing strategies. If I enter my password

SoftwareExpert11

The hashing algorithm will spit out some unintelligible string of characters like

Sdf89uwefjjlksjdfo32

The key to hashing is that the algorithm will produce the same output for the same input every time. So when I log in to a service that stores my password as a hash, they run my password through their algorithm and check the result against my stored hashed password.

In LinkedIn’s case, their efforts stopped here. And as I mentioned, hashing uses commonly known algorithms. So, when their database of 100+ million passwords was leaked, yes, they were hashed, but a bad actor just had to check a few hashing algorithms against a known hashed password to figure out which one produced the result, and then brute force hundreds of millions or billions of password combinations to match them up with their resulting hashes.

So this is where the final missing piece comes in: salt. Salting a password is where you add a predetermined set of additional characters to it. So, consider my password

SoftwareExpert11

When you salt a password, you first convert it prior to hashing. So my salted password might become

Soft[a9l]ware[35]Expe[dfd]rt11[ff]

The characters in brackets were added to my password as salt. Now this is hashed and the resulting hashed password is stored.

Unlike hashing, salting can be a completely proprietary technique. This makes it so that even if a bad actor got ahold of a list of hashed passwords, brute forcing them wouldn’t yield any fruitful results, because without knowing how the salt was applied they still couldn’t recover the original password.

And while encrypting, hashing, and salting data in transit and at rest is important, we mentioned that there are still risks to users’ data before it leaves their computer. This leads us into browser attacks.

Protecting Against Browser Attacks

Browser attacks are a common security threat that goes right to the source: the user themselves. Browser attacks work by taking advantage of vulnerabilities directly on a user’s device, leaving them exposed to serious consequences without even realizing it. The good news? Your business can take action to protect your users, allowing you to rest assured that your customers are in good hands.

The two biggest vulnerabilities on a user’s browser session are XSS attacks and CSRF attacks. XSS, also known as Cross Site Scripting, enables bad actors to execute malicious code directly on the user’s device from your website or web application. CSRF attacks, also known as Cross Site Request Forgery, can give bad actors the ability to impersonate users to interact with your services on their behalf. We’re going to break these concepts down so you can understand what these attacks are, how they work, and how you can protect your customers.

Cross Site Scripting (XSS)

Cross Site Scripting attacks occur most commonly when input that reaches a page, such as form fields and URL parameters, is not properly sanitized or escaped to neutralize malicious code. When this happens, bad actors can execute scripts in the user’s browser directly from your site. But how do these scripts get there to begin with?

Consider an example where a website takes input and displays it to other users. This might be a comments section, product review, or a profile bio. An attacker might post a comment that contains a malicious script. If not properly sanitized, this script gets saved to the database, and any user that loads that page with the infected comment is attacked.

One of the most famous examples of an XSS attack occurred on MySpace back in 2005. A script was embedded in a user’s bio, and when visitors viewed the page the script would activate, adding itself to the visiting user’s bio. This replication effect spread like wildfire, leading to over 1 million impacted profiles in just 20 hours. You can read more about the attack, known as the Samy worm, here.

And while the web has come a long way since 2005, websites and web applications that don’t take proper precautions by sanitizing inputs and escaping outputs can still find themselves vulnerable to these age-old attacks.
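The following is an added example, not code from the original post or from Boxhouse, showing the comments-section scenario above: the same stored comment rendered by an unsafe template that interpolates the text as-is, and by a hardened one that escapes it at output time so the browser displays it as text instead of executing it. The sample comment is constructed for the example, and the renderer functions are assumptions rather than any particular framework’s API.

```javascript
// Added example (not from the original post): escaping user content when rendering HTML.

// The five characters that let text break out of an HTML text node or a
// double/single-quoted attribute value, and their entity replacements.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  // Each character is replaced in a single pass, so '&' is never escaped twice.
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// What a vulnerable comments section does: store the text and echo it into the page.
// Whatever markup the comment contains becomes part of the page for every visitor.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Hardened: escape at output time. The database may still hold the raw text
// (that is fine, and allows other outputs to escape for their own context), but
// the page only ever receives it as inert text.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Constructed sample input: a comment that carries a script element.
const SAMPLE_COMMENT = 'Great product! <script>alert(1)</script>';

// Detection helper for the demo: does the rendered HTML contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  return {
    unsafeOutput: renderCommentUnsafe(SAMPLE_COMMENT),
    safeOutput: renderCommentSafe(SAMPLE_COMMENT),
    unsafeHasScript: containsScriptTag(renderCommentUnsafe(SAMPLE_COMMENT)),
    safeHasScript: containsScriptTag(renderCommentSafe(SAMPLE_COMMENT)),
  };
}
```

Two caveats a practitioner would add: escaping is context-specific (what is safe inside an HTML text node is not automatically safe inside a JavaScript string or a URL, so use the escaper for the context you are writing into), and a Content-Security-Policy header that disallows inline scripts is a worthwhile second layer in case an escaping step is missed somewhere.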

Cross Site Request Forgery (CSRF)

CSRF attacks are a bit trickier than XSS attacks, as they don’t require any malicious code to be installed on the user’s device or an insecure database. In a CSRF attack, a bad actor makes a request to a server on behalf of an authenticated user. This attack takes advantage of user sessions and how they are stored in cookies.

Before we lay out an example, let’s establish how session tokens work for users authenticated on a site. Let’s say a user logs into bank.com. When they log in, their browser automatically stores what’s called a session token, as a cookie, in its memory. This token is used to authenticate the user, so as they browse between pages they don’t have to log back in every time. Since the token exists in the browser’s memory, it gets deleted once the user closes their web browser.

Because this cookie is managed automatically by the browser, the browser attaches it to any request to bank.com. And since the session is stored in the browser, it’s available from anywhere in the browser. Consider the case where the user opens another browser tab: they remain authenticated and don’t have to log in a second time. This is a session cookie at work.

Now, when it comes to a CSRF attack, bad actors are exploiting exactly this behavior. If a user is authenticated on bank.com, the bad actor might get them to also open a tab and visit evilwebsite.com. Any request that evilwebsite.com causes the browser to send to bank.com carries that very same cookie. So all the evil website has to do is make the browser request bank.com with its intended action. For a simple example, this might be

bank.com/transfer?to=attacker&amount=5000

But banks aren’t the only target. Netflix, YouTube, ING Direct, and (ironically) the antivirus platform McAfee have all been victims of CSRF attacks.

The key to protecting against CSRF attacks is what’s known as a CSRF token. A CSRF token is used to validate that a request really came from your own pages. When a user loads a page, they receive this token from the server inside the page itself (for example in a hidden form field), not as a cookie, so it is never attached automatically and another website cannot read it. When a request is made, the server checks that the CSRF token sent with it matches the one it issued for that session, ensuring that the request came from a legitimate source.

At this point, we’ve covered many of the more technical internal practices for business security. If you’d like to read more on cookies and browser sessions, you can find more information here. But technical weak points aren’t the only place of concern. Untrained employees could leave your business vulnerable to social engineering.

Social Engineering Security

Social engineering is the practice of manipulating people into handing over private information. You’ve probably heard of phishing before—this is a classic example of social engineering.

Phishing is generally practiced by casting a wide net, hoping that someone bites. If your organization is large, you may be more susceptible to these practices. But even small businesses can fall victim to attacks like this. Spear phishing is the practice of making a calculated attack on a given person.

In a spear phishing attempt, bad actors might gather information about a specific person. This might include a manager's name, a project status, maybe even some coworker information. This prepares the attacker to make a much more calculated attack. They might be aware that a critical project is approaching its deadline and reach out to an unsuspecting employee with something like:

“Hi Justin, this is Thomas reaching out from the advertising agency you are working with on your project. We’ve discovered that your account is underfunded by $5,650. We must freeze all ongoing work until this is rectified. Please wire the funds immediately otherwise we will have to escalate this to Mike (The victim employee’s manager)”

By including personal details, project knowledge, and adding pressure to the urgency of the situation, the attacker is betting that the targeted employee will break and just send the funds to cover themselves and not get in trouble or disrupt the project.

To protect your organization from phishing attacks, there are two core practices to consider. The first is awareness—by providing semi-regular trainings or info-sessions on phishing, you help your employees be prepared in the event that they are targeted by something like this.

The second practice is regular phishing testing. You might send out periodic emails to employees that imitate phishing attempts. This helps a business evaluate its vulnerability. If employees consistently report these as phishing attempts, you can rest assured that your business is well defended against these social attacks. But all of this is just internal. What do you do about data security practices handled by companies you depend on?

Vetting and Auditing Third-Party Service Compliance (SaaS Platforms)

Throughout this article, we have highlighted many occasions where even the largest technology companies fail to handle the data and security of their customers with care. For this reason, it’s important for business owners to take some precautions when engaging with SaaS (Software as a Service) platform providers.

This might be a project management tool, a CRM, an inventory manager, or any other software service your business depends on that collects and stores data on your customers. When working with these providers, there are a few simple steps you can take to ensure that the service has adequate safeguards in place to protect your business.

  1. Check for security compliance certificates
  2. Check the company's Incident Response and Breach Notification Policy
  3. Verify data security practices

Security Compliance Certificates

  • SOC 2 Type II - In order to obtain this certificate, businesses must pass an audit assessing the organization’s security controls over time. SOC 2 Type I is still a valid certificate, but that audit only evaluates security controls at a single point in time, whereas Type II requires ongoing evaluation, typically spanning months, to ensure their services are maximally secure.

  • ISO 27001 - This certificate is derived from an international standard meant to help organizations manage information security. To obtain the certificate, businesses must have sufficient policies, procedures, training, monitoring, auditing, incident response, and communication standards to protect user data.

These certificates are often displayed on the company’s security, compliance, trust-center, privacy, or similar page on their website. If you can’t find this, you can reach out to their customer service center and ask. If they don’t have a good answer, you may want to reconsider working with that provider.

Incident Response and Breach Notification policy

If the business you’re working with complies with GDPR (which they should), they are required to have a breach notification plan to inform impacted users within 72 hours of a breach discovery.

Businesses will typically elaborate on this in their privacy policy or terms of service. But again, you can always reach out to customer service to verify this.

Verify data security practices

If you’re still feeling a little unsure about whether or not a provider is right for your business, this article has laid out many of the questions you can ask about how they take steps to protect data. You can ask their customer service questions like

  • “How do you protect data in transit and at rest?”
  • “How do you protect against XSS and CSRF attacks?”
  • “What safeguards do you have in place against social engineering attacks?”

By taking steps to verify that your third-party service provider is compliant and secure, you can move forward with confidence that your customers are in good hands and that your business is positioned for growth.

Conclusion

If you’ve made it this far, congratulations! Hopefully you’re now feeling much more confident in your business’ position on protecting yourself and your customers from cyber attacks.

We’ve discussed what considerations you can make to minimize data collection, how you can secure data in transit and at rest, threats like XSS and CSRF and how you can protect against them, social engineering—what it means for your business and what you can do, and lastly, how third party software providers are managing all of these very concepts.

At Boxhouse, we build secure, high-performance web solutions so you can focus on growing your business without worrying about data breaches. If you’re looking for expert guidance on top-of-the-line, secure custom software solutions, schedule a free consultation today and let’s build something great together.

Otherwise, thanks for reading. We wish you and your business nothing but success 🚀
