Entrepreneurs often have too little attention for IT security. Limited budgets, limited knowledge, counting on third parties… excuses are plentiful when things go wrong and the website or web shop goes down, gets hacked, or when data is lost. The problem became painfully clear at the most recent eTrade Summit by Safeshops.be. The track of presentations about security barely got any attention.
Data News corrects e-commerce companies
It made Kristof Van der Stadt, Chief Editor of IT-magazine Datanews, who gave a presentation with us about security for e-commerce, pick up his pen. The result is a sharp editorial on Datanews.be that I will quote some elements from to bring our own story.
“This month I was a guest at the eTrade Summit of Safeshops.be: a non-profit that promotes online shopping in Belgium that started with an initiative of some of the largest Belgian web shops. Three simultaneous tracks were on the program: how to expand your e-commerce business and let it grow, how to attract new customers and ‘conversion’, and finally: how to secure your business. You can have three guesses which track drew the smallest crowd.” (Kristof Van der Stadt)
Whose fault is bad security?
It does remain painful to see how little attention is given to security. Especially when you know that when it goes wrong, the (financial) damage can be substantial. At a time like that people are all too often
- angrily sticking their fists in the air
- helpless and out of their depth
The first because they are angry with their web shop builder and the hoster. They should have thought of security. Indeed, those are the two parties that can do something about it: developer and sysadmin together. But they’re not philanthropists: they do what they’re paid for and what they are told to do. Of course they will bring up the subject of security, but are usually stopped with the words “there’s no budget for that”.
The second emotion comes out of despair. They don’t know how big the damage is, what’s causing it, let alone how it can be remedied. There’s no plan for this scenario and so they have to start improvising on the spot.
No disaster recovery, not enough back-ups
“I’ve said it before, I kind of understand it: plenty of worries for the brave entrepreneur who dares to face the competition from the likes of Bol.com, Amazon or Coolblue. Let’s first make sure we have customers and then we’ll talk about security, redundancy, hosting, business continuity, DDoS-protection and disaster recovery. “Kristof, a starting e-commerce business really doesn’t understand what all those terms mean and won’t pay any attention to it at that moment. Getting this web shop in the air is his biggest concern and he will let himself be led by his gut feeling, or his personal network and contacts“, an e-commerce manager whispered to me during the first break. OK, but whoever wants to make a difference should take the time to look at the technical e-side of the matter. Because what’s the use of a web shop that gives customers a load of error messages or that isn’t performant enough because of a too-cheap hosting package?” (Kristof Van der Stadt)
At this point we couldn’t help but smile. Kristof says almost literally what we tell our customers so often. He clearly listened well and was shocked.
It goes beyond e-commerce alone. A recent investigation we made about hosting, downtime and business continuity showed us that even quite a lot of (big) companies don’t have a disaster recovery plan. Most companies are at that point of the learning curve where they realize that backups really are necessary. A part of them is now learning bit by bit that the next step is to test those backups regularly.
“We’ve never been hacked”
“Do you do pen-testing and do you work with ethical hackers?”, I asked another e-commerce manager during the second break. The look on his face spoke volumes. So did his answer, a mere second later: “No, wasted money. Besides, we’ve never been hacked before.” And with that my understanding had run out. For some time now the questions isn’t whether you will be the target of hacking, but rather when. But mostly: what are you going to do to avoid it and to fix it when some miscreant does succeed in breaking into your systems? Or when someone launches a DDoS attack on your web shop, rendering it inaccessible?” (Kristof Van der Stadt)
The reaction “we’ve never been hacked” will always trigger our response “as far as you know”. It’s not because the hackers don’t let you know, that they’ve never been in your systems. Not every hacker earns money by blackmailing you directly… Those who do get hacked, will rarely talk about it. That is why it seems like such a small issue: nobody talks about it. Entrepreneurs like to warn each other and like to share advice with starting entrepreneurs, but we rarely hear such advice about IT security. So no attention is given to it within the company.
“I’m here to update the network”
Our good acquaintance Jan Guldentops from Better Access often performs security audits for public institutions. His favorite way of getting in: just walking in and presenting himself as someone who was asked to perform updates to the network. Usually the receptionist is all he needs to gain access to the network and with a bit of social engineering he can usually get a hold of passwords as well. Hacking is sometimes easier than you think and it happens every day and everywhere.
How good is your IT security?
“100% availability of your website is a utopia, but that doesn’t mean you shouldn’t strive for maximum uptime. In fact, it should be a priority for e-commerce players. After all, the consequences are very clear right away. Is the web shop down due to technical failure or a hacking attack? That means your income was just reduced to zero: no customers, no revenue. On top of that your entire back-office is out of work and your logistical chain just went haywire. Not to mention the damage to your image.” (Kristof Van der Stadt)
No we didn’t pay Kristof to write that, but he clearly paid close attention to our presentation at the eTrade Summit.
Yes, security has to be a priority. Unfortunately, that saying all too often falls on deaf ears. Or like someone from the organization told us “yes, security gets too little attention. I expected this track to get the least amount of visitors.” Well, if you have an organization called Safeshops and you’re aware of this, why put these presentations in a separate track? Why not right in the main program? That would be a big step forward.
Avoid a total loss
Kristof is also right about the revenue and reputation damage. Entrepreneurs don’t know what it costs and that is the second reason why this subject gets so little attention and why there’s no money. Why make room for it in the budget when people aren’t aware how much money they save in the long run?
Our survey clearly shows that the acceptance threshold is much lower for those who have experienced downtime before. Alarm systems sell more easily to people who have been burgled before. And omnium insurance isn’t considered a cost to those who have had a total loss before.
That is why we’ve placed a downtime cost calculator on our website. Not an exact science that calculates down to the last euro what an hour of downtime costs, but still a handy tool that gives you an idea of what downtime can cost you and helps you make other people aware. There are of course our eBooks as well, that give clear and pragmatic tips on how to improve your security. Our eBook “How good security prevents downtime” is the ideal starter in that regard.
Take advantage of it and avoid a total loss!