There is an old saying that goes “first impressions last”, meaning that when we meet someone or visit somewhere for the first time we subconsciously assess and judge that person or place within the first few seconds. Each relationship is then built upon that initial assessment, so if the assessment is a negative one the relationship will have a difficult time growing.
Last night I was working late with the TV on at the same time. During one of the advert breaks I noticed an advertisement for a new cloud based service run by an Irish company. As someone with a keen interest in cloud services I decided to visit their website. When I arrived at the site I was disappointed to find that, while the site looked slick and promoted the company well, it also had a number of issues that raised concerns about its security.
The first issue was that the page to register for their service was served over plain HTTP, in other words not secure. Even though the page asked you to enter a lot of personal details, including your password, the connection between the server and the client workstation was not encrypted using the SSL protocol. This means that anyone with access to the traffic between the server and the client workstation could eavesdrop on that traffic and read those personal details.
Another issue was the lack of a privacy statement on the website. While the lack of a privacy statement will not lead to the site being compromised, it is a requirement under the Irish Data Protection Act. The absence of such a statement, coupled with the lack of SSL protection on certain web pages, suggests that those running the site may not fully understand their obligations under the Data Protection Act. This in turn, rightly or wrongly, may make the visitor wonder whether other Data Protection issues are not being fully addressed.
The website was hosted in the United States. Under the Irish Data Protection Act it is illegal to export the personal details of Irish and European citizens outside of the EU except under specific conditions. One of those conditions is that if using a provider in the United States then that provider should be part of the US Safe Harbor Agreement. Having checked which companies are registered under that agreement I discovered that the hosting company in question was not listed and therefore not part of that program. Of course the Irish company could have built their data privacy and security requirements into their contract with the supplier, but given the other issues I somehow doubt that is the case.
The website did not have its company particulars prominently displayed as is required by the European Communities (Companies) (Amendment) Regulations 2007, which exposes the company to fines under these regulations. Again, this leads a visitor to the website to wonder whether those managing their data fully understand their responsibilities when conducting business online.
After looking at this site I randomly visited a number of other Irish websites to see if the above website was unique. Unfortunately this was not the case. Many of the other Irish websites I looked at had many of the same issues. Some of them raised even more concerns about their security, such as:
- Collecting credit card data from insecure webpages similar to that described above. One website did not have an online payment solution but asked those wishing to purchase from the site to send an email with their credit card information enclosed. This flies in the face of the PCI Data Security Standard (DSS), which requires that credit card information be collected, transmitted and stored securely.
- Two sites were hosting phishing pages aimed at clients of financial institutions in other countries. It appears criminals had hacked into these sites and used them to host their phishing pages.
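The two problems above (a registration form submitting a password over plain HTTP, and payment details collected from an insecure page) can be spotted automatically before a site goes live. The following is an added example, not code from the original post: a small Python audit that parses the forms on a page and flags any form whose sensitive fields would reach the server unencrypted. The hostnames and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Field names that should never travel over an unencrypted connection.
SENSITIVE_NAMES = ("password", "passwd", "card", "cvv", "cvc")

class FormAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form with no action attribute posts back to the page it came from.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "sensitive": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            itype = (a.get("type") or "text").lower()
            if itype == "password" or any(k in name for k in SENSITIVE_NAMES):
                self._current["sensitive"].append(name or itype)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(page_url, html):
    """Return (action, reason) for each form that exposes sensitive fields."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["sensitive"]:
            continue
        if urlparse(form["action"]).scheme != "https":
            findings.append((form["action"], "submitted over plain HTTP"))
        elif urlparse(page_url).scheme != "https":
            # An https action does not help if the form itself arrived over HTTP.
            findings.append((form["action"], "form delivered over plain HTTP"))
    return findings
# Constructed sample, modelled on the registration page described in the post.
SAMPLE_URL = "http://www.example-cloud.test/register"
SAMPLE_HTML = """<form action="/signup" method="post"><input name="email" type="text">
<input name="password" type="password"></form>
<form action="https://secure.example-cloud.test/login" method="post">
<input name="user" type="text"><input name="password" type="password"></form>"""
```

The second rule matters in practice: a form that posts to an https address but was itself delivered over HTTP can be rewritten in transit, so the page carrying the form needs protection as much as the submission does.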
The Internet provides businesses with opportunities to increase their market reach and customer base in a very cost effective manner. A well built website that looks good can attract many new customers, but that is only half the battle. The other half is getting them to do business with you. One of the main concerns people have with buying goods and services online is security and the protection of their personal data. So while your site may look good, you need to ensure you can alleviate those security concerns. Remember that all the above issues were identified simply by looking at the websites. I did not do any security testing of them to see whether there were any technical or application security issues. If a simple browse of your website can expose a number of problems like those outlined, then you may find many customers will not have the confidence to deal with you.
Good security is a cornerstone in building trust and confidence in your business, and making sure simple issues have been addressed goes a long way in building that trust. In 2010 I worked with ENISA on developing the “How to Shop Safely Online” whitepaper, which, while aimed at advising consumers on how to shop safely online, also has some good recommendations for companies on taking the proper security measures.
Remember in business, whether it is in the physical world or the virtual world, first impressions last!