I had a bit of a scare once when a colleague asked me via text why my Steam account is showing me as playing Arkham Knight when he could clearly see that I’m still working on my desk just a couple of meters where he was sitting. I remember panicking a little bit before I remembered that my brother wasn’t working that day and he texted me that he was fooling around with my computer a little bit. I already have a couple hundred games on my Steam account by then so the thought of that account being hacked completely freaked me out.
It is an unavoidable fact that we’re now relying on digital transactions more than ever and that our personal data and financial information are stored online in the server of an e-commerce platform. It is also an unavoidable fact that data breaches are now more common than ever and that cybersecurity issues have taken on a much greater importance in the world of web development in the past few years. Cybersecurity is a complex and highly technical issue but businesses are required to have a basic understanding on this issue given how reliant we are on the internet to conduct our business.
Web security, simplified
To be perfectly honest with you, an in-depth technical breakdown of cybersecurity would typically require a 4-year education and a college degree and even that wouldn’t nearly be enough given how much cybersecurity changes on a daily basis. As cybersecurity experts close one security loophole, a team of hackers would simply another and this goes on and on for perpetuity as new types of hardware and software are introduced to the market. It is quite simply, a never-ending rat race and the pendulum constantly swing between one side and the other.
The gory technical details of web security aren’t meant to be public consumption, owing to their complexity, but for businesses that regularly handles online transaction and traffic on customers’ data, it’s important to ensure that sensitive information doesn’t fall into the wrong hands. The concept of web security can broadly be divided into two distinct categories, the security of transmitted data and the security of stored data. In the following section, we’re going to take a brief look on these two categories.
Encryption of transmitted data
In the 2014 film The Imitation Game, a dramatization of Alan Turing’s work during World War II, the highly respected mathematician worked with a number of colleagues in decrypting the Enigma machine that was used by the Nazis for wartime communication. In layman’s terms, the Enigma machine works by like an extremely advanced Morse code that encrypts a message so that even if the message was intercepted, the interceptors would have no idea how to read the message without another Enigma and the cipher, the algorithm that was used to encrypt the message.
This practice of encryption is what is now commonly used to encrypt sensitive data across the internet, such as credit card information, address, phone number, etc. Unlike the analog Enigma machine however, we now use Transport Layer Security (TLS) or its more commonly-known predecessor, Secure Sockets Layer (SSL). As with the Enigma machine, TLS works by encrypting certain information so that even if bad actors managed to listen in to your communication, they wouldn’t be able to make heads or tails of what the communication is about.
Even if your website doesn’t deal with financial transaction, as long as your business collects users’ and visitors’ information, you’re probably going to need a TLS/SSL certificate. Blogs that requires visitors to create an account to comment for example would still require a TLS/SSL certificate since personal data are being sent. The good thing about TLS/SSL certificates is that they’re as simple as buying them, usually on a yearly basis, from the plethora of certificate providers from around the world. The cost varies from couple hundred dollars/year to thousands depending on the level of security so you’re bound to find something that suits you perfectly.
Security of stored data
In popular culture, there are two kinds of bank jobs we regularly see. The first kind is the one you can see in the opening of the 1995 classic Heat. In that film, a group of criminals led by Robert De Niro steals millions of dollars in bonds from an armored car in transit. The second one is more in line with our imagination of a bank heist, such as the one portrayed in the 2006 film Inside Man, a personal favorite of mine, where a team led by Clive Owen performed a very elaborate heist to steal the contents of a safe deposit box inside a bank vault.
As an analogy, the former involves the security of transmitted data while the latter involves the security of stored data. In the past few years, whenever there’s a story on data breaches you see online, that story usually concerns the latter. It doesn’t matter if you spend enough money securing the transmission of data if your webserver lacks the proper security that allows hackers to get inside your server and steal the data stored inside that server. This is why you should take proper precaution when looking for a webhost provider as they’ll be instrumental in ensuring the security of your server.
On your side, you also have to ensure that the CMS you use to access your website is properly secured and configured and that the password you’re using for your administrator account is strong enough. If you want to be extra cautious, there are CMS that provides user with the option of two-factor authentication, which requires the use of a limited-time code during the sign-in process for an extra layer of security. Data breaches are more common because there are multiple vulnerable angles than can be taken advantage of and that you can never be too cautious when it comes to data storage.