Secure or Not Secure: Websites (Part 1, An Overview)

Secure or Not Secure?

(A Mini-Series)

Websites:  Part 1 (An Overview)

By: J. Paul Zimmerman, Esq.
Partner at Christian & Small, LLP
Birmingham, Alabama

Is this website safe?  It’s hard to imagine a broader question because that largely depends on security factors relating not only to the website itself, but also your connection to the internet, the devices you or your employees use, the network those devices are on, and the habits and practices of others using the devices and networks.

For the most part, the security threats presented by a website fall into one of three categories: (1) The intent and infrastructure of the website itself; (2) The degree to which it allows third-party websites and companies to be involved; and (3) Its security from hackers once the website has your sensitive information.  While “100% safe” does not exist on the internet, simple steps can greatly reduce the hazards.

  1. The first potential hazard of a given website is the website itself and relates to the website’s intent to exploit users or their computer devices.
    1. Various factors – such as your company’s security systems, the type of device and browser used, the content of the website’s privacy policy, and cookies and malware placed on your company’s device by the website – can provide a website with substantial insight into your online activities across the internet.
    2. A website could be an imposter, made to look like a familiar website (such as your bank), thereby compromising login credentials.
    3. The data transmitted to a website anytime a device connects to it and requests data can have value to the website.

Scrutinize links, look for “HTTPS” before the web address (and a lock emblem nearby), buy from trusted suppliers, and maintain appropriate security settings.  The privacy policies of websites with which you conduct business should be reviewed.  A handful of certifying organizations allow websites to display their emblems if the website maintains the organization’s privacy or security policies, providing additional comfort to users.  Various ad blockers, tracker blockers, and some web browsers can also mitigate the risks from malicious or compromised websites.
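The link checks described above can be written down as a short routine. This is an added example, not part of the original article; the trusted-domain list and the sample links are constructed. It also shows why “HTTPS” alone is not enough: the lock means the connection is encrypted, not that the site is the one it claims to be.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains the business really deals with (assumption).
TRUSTED_DOMAINS = {"examplebank.com", "example-supplier.com"}


def is_trusted(host, trusted):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def scrutinize_link(url, trusted=TRUSTED_DOMAINS):
    """Return warning codes for a link; an empty list means no red flags."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")

    if parts.scheme.lower() != "https":
        warnings.append("no-https")      # traffic is not encrypted
    if parts.username is not None:
        warnings.append("userinfo")      # text before '@' is not the real host
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        warnings.append("punycode")      # may hide look-alike characters
    if not is_trusted(host, trusted):
        # A trusted name inside an unrelated host is a common imposter sign.
        brands = {d.split(".")[0] for d in trusted}
        imitates = any(b in host for b in brands)
        warnings.append("lookalike" if imitates else "untrusted")
    return warnings


if __name__ == "__main__":
    # Constructed sample links.
    for link in [
        "https://www.examplebank.com/login",
        "http://www.examplebank.com/login",
        "https://examplebank.com@203.0.113.5/login",
        "https://examplebank.com.account-verify.example/login",
    ]:
        print(link, scrutinize_link(link) or "ok")
```
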

  2. Even if the website is one you might ordinarily trust by reputation, many plugins and ads hosted on the website can originate from other sources, which may be less reputable.
    1. Banner ads, clickbait, and various tracking methods may originate from a source other than the website accessed by a user.
    2. Security vulnerabilities, such as those in Flash (still often used for embedded videos or other applications), can expose the exchange of data between the website and the requesting computer device.
    3. Another security weakness is cross-site scripting, which allows an attacker to sneak malicious code into the data being delivered by the website in response to the user’s request.
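To see how much of a page actually comes from other sources, the following added example (not part of the original article) lists every outside host that a page's HTML makes the browser contact automatically. The page address, host names, and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute makes the browser fetch content without any click.
LOADING_ATTRS = {"script": "src", "iframe": "src", "img": "src",
                 "embed": "src", "object": "data", "link": "href"}

# Constructed sample page for a hypothetical shop.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.ads.example/banner.js"></script>
<script src="//tracker.example/t.js"></script>
</head><body>
<img src="logo.png">
<img src="https://tracker.example/pixel.gif" width="1" height="1">
<object data="https://video.example/player.swf"></object>
<iframe src="https://cdn.ads.example/frame.html"></iframe>
</body></html>
"""


class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.third_party = {}  # outside host -> set of tags that load from it

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative and scheme-relative (//host/...) references.
        host = urlsplit(urljoin(self.page_url, value)).hostname
        # Simplification: any other host name counts as third party,
        # including the site's own subdomains.
        if host and host != self.page_host:
            self.third_party.setdefault(host, set()).add(tag)


def audit(page_url, html):
    """Return {outside host: sorted list of tags that load content from it}."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    return {h: sorted(t) for h, t in sorted(parser.third_party.items())}
```
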

Maintain current versions of properly updated web browsers, and be leery of enticing videos, links, or applications embedded in the website, even when conducting business with reputable sources. Again, pay attention to privacy policies. Using certain web browsers with stronger security and privacy functions than those commonly residing on devices can also help protect against the website’s vulnerabilities.  Learn how to recognize basic threats, and educate your employees on a periodic basis.

  3. Obviously, the threats to your company’s devices and your company’s (or customers’) information do not end when you log off of or surf away from a website. Numerous companies that obtain, use, and store the personal or proprietary information of users of their websites have been hacked and had user information stolen, leading to identity theft. Businesses are under more and more pressure to assess their own vendors, including online vendors, before transacting with any that could make the business’s own customers vulnerable. A company may not be relieved of liability for a breach of customer or employee data resulting from a vendor’s data breach if the company conducted inadequate due diligence on the vendor before turning over customer data.

Protecting a business, its employees, and its customers from online threats is not limited to maintaining physical, administrative, and technological safeguards and educational efforts such as good email hygiene.  Threats residing on websites are another route by which a business’s biggest data security threat—its own employees—can unknowingly bypass the business’s security precautions.  Give your employees the knowledge and the tools to help maintain the security you have invested in and implemented.
