Lock against code - WordPress security steps to take in 2018

Posted by & filed under List Posts.

Statistics garnered from analysis of tens of thousands of WordPress sites within the Alexa top 1 million suggest why hackers often choose WordPress to attack. Incredibly, the study from WP WhiteSecurity found that 70% of installations are vulnerable to hacking.

The researchers looked at the WordPress installation status and behavior of these WordPress sites in the four days following the release of WordPress 3.6.1 (replacing 3.6) on September 11, 2013. The researchers found that there were 74 different versions of the WordPress software being used. Four days following the release of WordPress 3.6.1, 30.95% of the websites (13,034 WordPress installations) were still running WP 3.6, which had known security flaws.

Five years later, many sites could still use help with security best practices. The steps below for hardening WordPress in 2018 cover prompt updating and other actions you can take to better protect your sensitive data.

Quickly update to new WP versions.

WordPress is open source, and it is frequently updated to patch security holes (as well as to fix bugs and add features). You typically do not need to worry about minor updates, because WordPress auto-installs them by default. However, when updates are classified as major versions, you will have to start the update process manually.

Beyond the core code, there are thousands of themes and plugins that you can attach to your site; these add-ons are developed by independent parties, and the most attractive ones are also updated regularly.

Updates are critical for your site’s security, as well as its stability. All components of your site should always reflect the most up-to-date version of the software.

Use a password manager, and strengthen your passwords.

If you know any of your passwords by heart and have used them to log in to an account on another service, your password policy should change, noted Gerroald Barron of premium WP plugin firm iThemes. A strong password is long, unique (used for exactly one account), and randomly generated. If you are able to remember any of your passwords, they probably need to be strengthened. A credible, well-maintained password manager lets you keep your account logins secure while choosing a random string of characters for each of them (as you can do through Perfect Passwords).

A password manager can both generate passwords and securely store them via a browser extension. You then just need to know the master password for the password manager.

Utilize a web application firewall (WAF).  

Using a web application firewall will help stop unauthorized traffic prior to it accessing your site.

Switch your WP salts and keys routinely. 

Another important task raised by Barron is regular replacement of the salts and keys. WordPress stores data in your browser, as cookies, to verify anyone who logs in to the installation or posts a comment. It is important that the login data stored in these cookies is encrypted so that no one can read it after the fact. WordPress achieves that encryption through the authentication keys and salts stored in its configuration file (wp-config.php). Change these on a regular basis; if you prefer, a plugin can manage the process.
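Rotating the keys and salts by hand means editing eight define() lines in wp-config.php. The script below is an added example (not code from the original post or from WordPress): it regenerates all eight constants in one pass, refuses to write a half-rotated file, and keeps a .bak copy; the sample config it ships with is constructed. Note that rotation invalidates every existing login cookie, so all users, including you, are logged out.

```python
"""Rotate the WordPress authentication keys and salts in wp-config.php.

Added example, not code from the original post. WordPress reads eight
define() constants from wp-config.php and uses them to protect login
cookies and nonces; replacing them with fresh random values invalidates
every existing session (everyone is logged out), which is the intended
effect after a suspected leak and an acceptable side effect of routine
rotation.
"""
import re
import secrets
import shutil
import string
import sys

# The eight constants WordPress ships in wp-config.php.
WP_SECRET_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
SALT_LENGTH = 64
# Printable ASCII minus quote characters and backslash, so a value can be
# placed inside a PHP '...' literal without any escaping.
SALT_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\"\\"
)

# Constructed sample wp-config.php fragment (placeholder values, not real keys).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def _define_pattern(name):
    # Matches define( 'NAME', '<value>' ); with either quote style and any
    # amount of whitespace, as written by the WordPress salt generator.
    return re.compile(
        r"define\(\s*(['\"])" + re.escape(name) + r"\1\s*,\s*(['\"])(.*?)\2\s*\)\s*;"
    )


def generate_salt(length=SALT_LENGTH):
    """Return a cryptographically random salt drawn from SALT_ALPHABET."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def extract_salts(config_text):
    """Return {constant_name: current_value} for the constants found in the text."""
    found = {}
    for name in WP_SECRET_NAMES:
        match = _define_pattern(name).search(config_text)
        if match:
            found[name] = match.group(3)
    return found


def rotate_salts(config_text):
    """Return a copy of config_text with all eight constants regenerated.

    Raises ValueError if any constant is missing, so a partially rotated
    file is never produced.
    """
    updated = config_text
    for name in WP_SECRET_NAMES:
        new_value = generate_salt()
        # A callable replacement is used so that characters in the new value
        # are never interpreted as regex backreferences.
        updated, count = _define_pattern(name).subn(
            lambda m, n=name, v=new_value: "define( '%s', '%s' );" % (n, v),
            updated, count=1,
        )
        if count != 1:
            raise ValueError("constant %s not found in wp-config.php" % name)
    return updated


def main(argv):
    """Usage: rotate_wp_salts.py /path/to/wp-config.php  (or --demo)."""
    if len(argv) != 2:
        print(main.__doc__)
        return 2
    if argv[1] == "--demo":
        print(rotate_salts(SAMPLE_CONFIG))
        return 0
    path = argv[1]
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    rotated = rotate_salts(original)        # raises before anything is written
    shutil.copyfile(path, path + ".bak")    # keep the previous file for rollback
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rotated)
    print("rotated %d constants; previous file saved as %s.bak" % (len(WP_SECRET_NAMES), path))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```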

Disable file editing.

WordPress has a built-in code editor that lets administrators edit theme and plugin files from the admin dashboard. This feature should be disabled so that no one who gets into the dashboard can use it to insert malicious code.

To disable file editing, you need to insert a snippet of code yourself into the wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Strengthen user and admin logins.

Go beyond the use of strong passwords. You certainly want to change the administrative account name from admin to something else. The cleanest way is to create a new user and assign it admin privileges; the original admin account can then be deleted or demoted to the subscriber role.

Use two-factor authentication (2FA) for better security. With two-factor authentication, an additional token or code is sent to a secondary device, adding an extra layer of authentication.

WordPress does not limit login attempts out of the box, so add a limit through a plugin. Some plugins will additionally ban the IP address of the offending user and send you a notification about the incident.

Finally, switch to a custom login page. You can prevent the vast majority of brute-force attacks by taking greater care with your username and password and by changing the login URL. Examples of changed URLs from Anushree Sen of Page Potato are as follows:

  • Change wp-login.php to my_new_login
  • Change wp-admin/ to my_new_admin
  • Change wp-login.php?action=register to my_new_registration
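Whether or not a login-limiting plugin is in place, the same brute-force signal is visible in the web server's access log. The script below is an added example (not from the original post or any plugin): it counts failed POSTs to wp-login.php per source address in a sliding window, treating an HTTP 200 response to the POST as a failed attempt (WordPress re-renders the form) and a 302 as a successful login. The log lines are constructed samples.

```python
"""Find brute-force login bursts against wp-login.php in a web access log.

Added example, not code from the original post. It reads combined-format
(Apache/nginx) access log lines, keeps POSTs to wp-login.php that were
answered with 200 (WordPress re-renders the form on a failed login; a
successful login redirects with 302), and reports addresses that reach a
threshold of failures inside a sliding time window. The log below is a
constructed sample.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields of the "combined" log format that matter here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"

# Constructed sample: one address hammering the form, one user failing once
# before logging in, and one address with slow, spread-out failures.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2018:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:09:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2018:09:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2018:09:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2018:09:00:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2018:08:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "curl/7.58"
192.0.2.9 - - [10/Jan/2018:08:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "curl/7.58"
192.0.2.9 - - [10/Jan/2018:09:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "curl/7.58"
"""


def failed_logins(log_text):
    """Return {ip: [timestamps]} of POSTs to wp-login.php answered with 200."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line or a different log format; skip it
        if m["method"] != "POST" or not m["path"].startswith(LOGIN_PATH):
            continue
        if m["status"] != "200":
            continue  # 302 is a successful login; other codes are not form re-renders
        attempts[m["ip"]].append(datetime.strptime(m["time"], TIME_FMT))
    return attempts


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def login_bursts(log_text, threshold=5, window_minutes=5):
    """Return {ip: peak_failures} for addresses reaching `threshold` failures within the window."""
    window = timedelta(minutes=window_minutes)
    bursts = {}
    for ip, times in failed_logins(log_text).items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


if __name__ == "__main__":
    for ip, peak in sorted(login_bursts(SAMPLE_LOG).items()):
        print("%s: %d failed logins within 5 minutes" % (ip, peak))
```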

Back up the WordPress database.

To improve your database security, create a backup at regular intervals. Backups may not seem to be security measures, but they are, because they ensure that you still have a clean copy of the data even if an attack succeeds. Backing up lets you know that you can recover if a disaster occurs. Data should be backed up regularly – at least once per day. Secure cloud backup is a strong option: your hosting service can keep the backup safe in a distant physical location, for additional disaster preparedness.

Change your database table prefix.

Keeping the default prefix for your database tables makes SQL injection attacks easier to conduct, because the attacker already knows every table name. Change it to a hard-to-guess string of characters. The default prefix is wp_; you could change it to wp_38sjR94_, for instance. Whatever you choose, do not use your domain name as the prefix. To change the prefix, update the wp-config.php file. Only numbers, letters, and underscores are allowed.

Here is the adjusted line in wp-config.php:

$table_prefix = 'wp_38sjR94_';

Now go to your database via phpMyAdmin and rename each table so that it matches the prefix you put in the configuration file. If you use cPanel, you will find phpMyAdmin in the Databases section. Once you are in, run these SQL statements from WPBeginner to rename all the core tables in one action:

RENAME TABLE `wp_commentmeta` TO `wp_38sjR94_commentmeta`;
RENAME TABLE `wp_comments` TO `wp_38sjR94_comments`;
RENAME TABLE `wp_links` TO `wp_38sjR94_links`;
RENAME TABLE `wp_options` TO `wp_38sjR94_options`;
RENAME TABLE `wp_postmeta` TO `wp_38sjR94_postmeta`;
RENAME TABLE `wp_posts` TO `wp_38sjR94_posts`;
RENAME TABLE `wp_terms` TO `wp_38sjR94_terms`;
RENAME TABLE `wp_termmeta` TO `wp_38sjR94_termmeta`;
RENAME TABLE `wp_term_relationships` TO `wp_38sjR94_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `wp_38sjR94_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `wp_38sjR94_usermeta`;
RENAME TABLE `wp_users` TO `wp_38sjR94_users`;

You may also have to add a few lines related to any plugins since they will sometimes insert their own tables into the database. Your goal here is to adjust all of the table prefixes.
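The hand-written RENAME list above covers the core tables only, and the prefix also appears inside table data, which the list does not touch. The generator below is an added example (not code from the original post or from WPBeginner): it emits a RENAME TABLE for every table carrying the old prefix, including plugin tables, leaves other applications' tables alone, and adds two UPDATE statements for the places where WordPress stores the prefix in data (the user_roles option and the capabilities/user_level usermeta keys), without which the administrator has no role after the migration. The table list it runs on is a constructed sample.

```python
"""Generate the SQL for moving a WordPress database to a new table prefix.

Added example, not code from the original post. Besides renaming every
table that carries the old prefix (plugin tables included), it rewrites
the '<prefix>user_roles' option and the usermeta keys that start with
the prefix (e.g. '<prefix>capabilities'); WordPress looks those up by the
current prefix, so leaving them behind locks the administrator out.
All table names below are constructed samples.
"""
import re

# wp-config.php permits only letters, digits and underscores in $table_prefix.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed table list: the core tables, two plugin tables, and one table
# from another application sharing the database that must be left alone.
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_terms", "wp_termmeta", "wp_term_relationships",
    "wp_term_taxonomy", "wp_usermeta", "wp_users",
    "wp_wfconfig", "wp_yoast_seo_links",
    "other_app_sessions",
]


def validate_prefix(prefix):
    """Reject prefixes wp-config.php would not accept (a domain name, for example)."""
    if not PREFIX_RE.match(prefix):
        raise ValueError("prefix may contain only letters, digits and underscores: %r" % prefix)
    return prefix


def like_pattern(prefix):
    """LIKE pattern for names starting with prefix; '_' is a wildcard in LIKE, so escape it."""
    return prefix.replace("_", r"\_") + "%"


def discovery_query(old_prefix):
    """MySQL query that lists the tables to feed into build_migration()."""
    return ("SELECT table_name FROM information_schema.tables "
            "WHERE table_schema = DATABASE() AND table_name LIKE '%s';"
            % like_pattern(validate_prefix(old_prefix)))


def rename_statements(tables, old_prefix, new_prefix):
    """One RENAME TABLE per table that carries old_prefix, in a stable order."""
    stmts = []
    for table in sorted(t for t in tables if t.startswith(old_prefix)):
        stmts.append("RENAME TABLE `%s` TO `%s%s`;" % (table, new_prefix, table[len(old_prefix):]))
    return stmts


def data_fixup_statements(old_prefix, new_prefix):
    """Rewrite the option name and usermeta keys that embed the prefix (run after the renames)."""
    return [
        "UPDATE `%soptions` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';"
        % (new_prefix, new_prefix, old_prefix),
        # Only the leading prefix is swapped; REPLACE() would also rewrite an
        # occurrence of the old prefix further along the key.
        "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) "
        "WHERE meta_key LIKE '%s';"
        % (new_prefix, new_prefix, len(old_prefix) + 1, like_pattern(old_prefix)),
    ]


def build_migration(tables, old_prefix, new_prefix):
    """Full statement list; refuses invalid prefixes and target-name collisions."""
    validate_prefix(old_prefix)
    validate_prefix(new_prefix)
    if new_prefix == old_prefix:
        raise ValueError("new prefix is the same as the old one")
    existing = set(tables)
    for table in tables:
        if table.startswith(old_prefix):
            target = new_prefix + table[len(old_prefix):]
            if target in existing:
                raise ValueError("cannot rename %s: %s already exists" % (table, target))
    return rename_statements(tables, old_prefix, new_prefix) + data_fixup_statements(old_prefix, new_prefix)


if __name__ == "__main__":
    # In practice, run discovery_query() first and feed its result in as `tables`,
    # then set $table_prefix in wp-config.php to the new value.
    print("-- " + discovery_query("wp_"))
    print("\n".join(build_migration(SAMPLE_TABLES, "wp_", "wp_38sjR94_")))
```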

Choose a secure host.

According to Sen, your choice of a secure WordPress host is the most important one you will make related to data protection. Your account could be hacked if you use a low-end shared hosting service. “[C]hoos[e] a reputable and trusted web-hosting service provider… who understands the risks of cross-contamination, segregates the website accounts and configures the security permissions of each account present in their WordPress-optimised environment,” noted Sen.

Are you in need of a secure WordPress environment? Turning to an experienced WordPress hosting provider allows you to leverage the niche expertise that comes from focusing on IT infrastructure. At Total Server Solutions, our data center is PCI-DSS compliant and SSAE-16 audited. See our commitment to the security gold standard.

With growth of malware and ransomware, security is a top priority.


It is easy to develop blind spots in our thinking, particularly toward things that we see often, as if they become invisible to us after so much repetition. For instance, we may read so much about cyberattacks and how important security is that it may make it more difficult to logically consider the topic and strategize protection. After all, just about every type of system you can imagine has been hacked, from smart city technology and alarm systems to mobile bank apps, plane systems, and cars.

The seeming overabundance of attention on cyberattacks is actually a window into the reality that the threat landscape is increasingly complex and must be confronted to avoid huge losses. Spurred by various forces, companies know that cybersecurity deserves consideration – but they do not always move forward systematically. This article looks at drivers of cybersecurity as a top priority, evidence of failure to implement full security best practices, and steps you can take to fortify your posture.

3 forces driving the increasing importance of cybersecurity

According to a 2017 Fortinet poll of IT executives, three key reasons that cybersecurity is becoming a bigger priority in business boardrooms are:

Cloud migration proliferating – It is no secret that cloud is being utilized more broadly within business. With workloads being switched over to cloud, nearly three-quarters of IT security executives said that they think cloud security is becoming a greater concern. Just over three-quarters (77%) said that their boards were recognizing cloud security and a budget to ensure it as top points of focus. The actual implementation of cloud security solutions was not quite as high, though, with only half of those polled (50%) saying that they would adopt cloud security solutions in the upcoming 12 months.

Regulatory scrutiny growing – Greater prioritization of IT security is also fueled by additional regulations, cited by one-third of those polled (34%). Of particular interest is the General Data Protection Regulation (GDPR), which could bring fines, additional costs, and credibility concerns (since violations are posted publicly).

Cyberattacks and data breaches rising – The vast majority (85%) said that their organization had suffered a data breach. The most common form of attack was malware and ransomware, listed by nearly half of decision-makers surveyed (47%). There was progress in the right direction in making security a bigger focus following WannaCry and other prominent worldwide attacks. The scope and makeup of today’s attacks are making it a concern of boards rather than just IT leadership.

Concern with security does not always result in action

Another indicator of how critical security is to business, in agreement with the above survey, comes from the UK’s Department for Culture, Media and Sport. When this agency polled more than 1,500 UK-based businesses in 2017, nearly three-quarters (74%) said that digital security was a top priority for senior management, while two-thirds (67%) said that they had purchased cybersecurity systems or services in the previous year. Investment in cybersecurity was stronger among larger organizations: the survey found that 91% of large enterprises had spent on information security, while the number was 87% for midsize firms. The safeguarding of customer data was the #1 reason for cybersecurity investment, cited by 51% of those surveyed. Problematically, only one in three respondents said that their business had a formal cybersecurity policy in force (or had cybersecurity guidelines listed within audit documentation or a business continuity plan). The number was even lower for the implementation of cybersecurity incident management plans (i.e., the actions to take if you were to learn you were being attacked): just 11% of UK organizations polled had one enacted.

Perhaps the key point to take away from that survey is that businesses are generally prioritizing security – investing in security technologies, for instance – but do not comprehensively follow cybersecurity best practices. As George Ralph noted in Private Equity Wire, “It seems like the fear of attack has induced spend, but hasn’t extended to policies and procedures that could reduce the threat of attack, or ensure attacks were dealt with more effectively.”

Taking action for better cybersecurity

Here are 7 action steps you can take to improve your cybersecurity, from the International Council of E-Commerce Consultants (EC-Council), PricewaterhouseCoopers, and Deloitte:

#1 – Take a proactive approach to cybersecurity.

It is critical to develop some knowledge about common threats and understand essential ways that you can identify threats, noted Deloitte.

#2 – Go beyond risk avoidance to building resiliency.

PwC found that organizations that were creating a climate of risk resilience were seeing better long-term financial gains than those that were simply responding to problems as they arose. The PwC researchers gave the example of Japan following the tsunami in 2011, when businesses that had risk management programs with business continuity plans were able to get back up and running much more quickly than those that did not.

#3 – Test for the weakest link.

Seeing how well you handle mock situations can inform a much stronger approach, so use stress tests. These tests should incorporate all your interdependencies, so that you know what might go wrong with other systems on which your own systems rely.

#4 – Strengthen your defenses.

Develop a complete strategy for patching, secure software development, and a secure physical environment, said Deloitte.

#5 – Give special attention to threats that could alter or eliminate data.

While confidentiality now stands as the most critical objective of cybersecurity within the business world, integrity will take its place in the near future, per Dan Geer (cited by PwC), who specializes in risk management and IT security. A heightened focus on maintaining integrity will facilitate recovery from an attack. Blockchain is one technology that will assist organizations with integrity.

#6 – Maintain oversight and make updates.

Typically organizations detect vulnerabilities, create patches, and keep threats from becoming broader problems. At the same time, many businesses do not make sure that their disaster recovery plan is relevant to their circumstances or that their staff remains informed on key security concerns, per the EC-Council.

While it is critical to monitor your system and react to what you see, monitoring is not enough on its own. It is important, said the council, to change the way that you approach cybersecurity given the continuing growth and development of threats. The council suggests including these three strategies:

  • Establish an inventory that routinely scans your assets and rapidly locates vulnerabilities.
  • Fix vulnerabilities systematically through a mitigation process.
  • Organize and consolidate your threat intelligence in a central location.

#7 – Be aware of ransomware.

According to Panda Security, we were already clocking 230,000 new malware samples per day in 2015. Specifically, ransomware is on the rise. This type of attack occurred 36% more frequently in 2017 and is projected to become increasingly prevalent.

As the EC-Council puts it, what is now occurring in cybercrime is mass blackmail. Ransomware is a threat to the confidentiality of private information. Malicious parties access your personally identifiable information (PII), encrypt it, and also transfer out a copy of all the data from company devices – for leverage in blackmail efforts. The thieves then demand payment, which is sometimes collected in installments.

Your secure ecommerce platform

Do you need full-featured ecommerce software run on secure infrastructure? At Total Server Solutions, your data is hosted within our PCI-DSS and SSAE-16 compliant datacenter. See our comprehensive ecommerce solutions.

cloud infrastructure - deciding what to put in the public and private components


Public, private, and hybrid are the three primary forms of cloud in use by organizations. As its name suggests, hybrid is a blend of the private and public models. A company with a hybrid cloud is able to choose the public or private setting for each given scenario. Michael Moore notes that companies will typically use private cloud when they need the strongest security and public cloud for any systems that they want to be as mobile and scalable as possible. 

Hybrid cloud: it’s about choice

Anyone who is paying much attention to business IT knows that adoption of cloud is widespread. The extent to which cloud has become standard is mind-boggling, with infrastructure that incorporates numerous public and private clouds implemented in almost 95% of organizations in 31 nations, per IDC. This multicloud scenario is complicated, with Kentik reporting that more than a third of firms say cloud is the technology responsible for the greatest network complexity.

Given this challenge, organizations are increasingly turning to the hybrid cloud model to better manage the complexity. A hybrid cloud makes it possible for organizations to improve the agility of their systems, quickly develop and release apps, and run workloads in the settings that are best for specific situations.

Organizations will often choose to run some of their less sensitive systems externally while keeping their more critical data within their own data center, noted Nick Ismail, concurring with Moore. Using a hybrid cloud also allows an organization, based on analysis of cost and capacity, to shift workloads between public and private systems.

Deciding what to store in your private cloud

It is a matter of trust, really, that organizations want to handle certain data in their own private clouds. Oliver Rist and Juan Martinez noted that choosing to run systems yourself or to use the systems of an external provider is similar, in a way, to deciding whether you want your cash to be in your pocket or held by another person.

Rist and Martinez said that this idea of money being held by you or someone else is overly simplistic, though, since decisions to move data outside an organization often have to do with the resources available to the organization. To extend the analogy, if you have a sack of money, you might not have a secure location to store it. A credible person you know might work at Fort Knox and be able to store the cash there for you while allowing you access to it as needed. Going back to the issue of trust, it would certainly make sense to store the money in Fort Knox if you trust your friend who works there.

Most small and midsize businesses lack capital to be able to create a high-grade security system for themselves in-house, so public cloud is attractive even for more sensitive data. After all, public cloud has much better security than many people think, as discussed below. 

Deciding on your public cloud partner

Using an infrastructure-as-a-service (IaaS) company (i.e., a public cloud server provider) gives you access to their physical hardware, storage devices, and switches for the management of your data. The beauty of this setup is that you are not in charge of figuring out how and where to move your workloads if a server goes down.

Clouds that are set up in-house also do not give you the same in-the-moment flexibility as a public cloud. For instance, when you think that you will get a spike in hits to your site during a certain period (think the holidays), you can launch a public cloud machine just for that period of time, then shift off it once traffic is back at a normal level.

If you do use public cloud, you only need to fund the resources you use. If you use your own data center instead, it is necessary to buy additional servers so that your capacity meets demand during that short period. When the rush is over, suddenly you are grossly underutilizing your hardware.

Finding a public cloud provider is not as simple as looking at a list of technical parameters and determining the host that best meets them. Keep in mind that you should be on the same page as your provider, advised Rist and Martinez, who added that “[y]ou’ll truly be partnering with your vendor to ensure the performance and security of your business data.” 

Considering the security of public cloud

Hybrid cloud is essentially about dividing your workloads into public and private sides, and, as indicated above, security is often the primary consideration for these decisions. The basic notion is that your data center is secure, so the important data should go there; only unimportant systems should go to cloud. While that may seem reasonable, it really is not, as suggested by the Fort Knox analogy above and by various cloud thought-leaders.

Public cloud is a setting in which many infrastructure and data security experts are on staff, which leads to better all-around protection than is typically available through an on-premise datacenter. David Linthicum noted that IT professionals tend to think they are more adept at security than outsiders would be. However, he stressed that “public cloud is more secure than the typical data center.”

Linthicum argued that public cloud vendors have stronger security tools installed and pay more attention to vulnerabilities within their ecosystems than is true of most organizations. Consider that public cloud providers are exciting entities for hackers to attack since the data they hold and process is so extensive. The solutions that are deployed system-wide by IaaS vendors are typically cutting-edge, featuring artificial intelligence and pattern matching capabilities.

It only makes sense that cybercriminals would opt for simpler projects than cloud providers, which is why they instead go after on-premise data centers. That is backed up by an October 2016 analysis at the Infosec Institute, which found that most successful attacks on enterprises that have been covered in the news have been of in-house rather than cloud systems.

Quentin Hardy, deputy technology editor for the New York Times, agreed with that assessment, noting that the majority of headline-grabbing cyberattacks were not of public cloud but of traditional server setups. To go back to Fort Knox again, Hardy also compared data to money in these considerations, saying that a bank vault (an external location in which money from numerous people is held) is a better place to store money than within your dresser – because the former, said Hardy, has “got more protection from bad guys.”

Setting up the entire hybrid cloud with a hosting service

Given the protections that are standardly built into public cloud, many businesses decide to go “all-in” with public and skip private cloud entirely. That is true of many SMBs and startups, but it is also true of some major enterprises. The most prominent example is probably General Electric, which announced in 2014 that it was eliminating 90 percent of its internal data centers, moving the systems they supported to public cloud.

However, there is another option that gets the data out of your own data centers without having to place complete confidence in the public setting: third-party-hosted hybrid cloud. That scenario charges the web host with creating an architecture that couples their current public cloud with a private cloud (one for your exclusive use) on your behalf.

Your hybrid cloud partner

Whether it makes more sense for your organization to look to an outside environment for an entire hybrid deployment or just its public portion, it is critical to work with a company that you can trust. At Total Server Solutions, our infrastructure meets American Institute of Certified Public Accountants (AICPA) standards, and our cloud hosting boasts the highest levels of performance in the industry. See how we make our cloud so fast.

The ecommerce process -- reducing your shopping cart abandonment with a few simple strategies


Shopping cart abandonment is one of the biggest ongoing concerns of ecommerce companies. After all, you don’t want to expend energy and resources to attract visitors to your site only to lose them halfway through the buying process. Unfortunately for owners and managers of online stores, there is actually a higher likelihood that someone will abandon a cart than that they will go through with the purchase. An analysis that averaged statistics from 40 studies found that the average shopping cart abandonment rate is 69.89%.

A report from Business Insider mentions some bad news and good news related to this challenge, noting that it is extremely costly but also represents an opportunity to improve revenue. The analysis specifically looked at retailers, estimating that 63% of the $4 trillion they lose annually to abandonment could potentially be recovered. Plus, cart abandonment usually does not mean the loss of the sale or customer; in fact, three-quarters of those who leave behind their carts report that they are planning to either come back and make the purchase online or visit the same retailer’s local store. That is the good news. The bad news is that shopping cart abandonment is on the rise, in part because of the increase in mcommerce (shopping via mobile device). This report suggests that it may be worse than the above rate, with Barilliance calculating a 74% average abandonment rate in 2013.

What can you do about this issue? Here are a few strategies by ecommerce and conversion thought-leaders:

1.) Improve trust.

With an incredible 31.8 million consumers suffering from credit card fraud in 2014, it is no wonder that people are skeptical about giving their sensitive financial data to websites.

Trust logos are one common feature that is used to increase confidence in the buying process, noted SEMrush. Perhaps these seals are most important in terms of meeting expectations; one analysis found that 3 in 5 shoppers (61%) left a site because they did not see any trust seals.

These logos are typically tied into security products, so you will be getting actual technological improvements along with the ability to show off the seal. To show your customers that their data is safe, get a valid secure sockets layer (SSL) certificate and show its security logo, potentially along with other trust symbols (PayPal Verified, MasterCard SecureCode, TRUSTe, etc.), on your site.

2.) Install exit-intent popups.

Popups are a major cause of annoyance online, so many companies are hesitant to use them. However, exit-intent popups can give a major boost to your conversion, per OptinMonster. This type of popup, which can be implemented on checkout pages or anywhere else on your site, is driven by an algorithm that attempts to detect when a person is about to leave the site. The popup is geared toward keeping them on the site by introducing further information or giving them a special offer.

OptinMonster provides the example of a “Don’t Go” popup that offers 10% off with the coupon code DONTGO and has boxes for the user to enter their name and email for later order completion.

3.) Simplify checkout.

You are likelier to have someone abandon their cart if they experience any confusion along the way. Be careful about checkouts that involve numerous pages and forms, instead favoring express checkout.

Three elements suggested by Small Business Bonfire to make checkout easier for shoppers are the option to keep the address the same for billing and shipping, the use of auto-fill forms, and the implementation of single-click checkout.

4.) Make the cart visible throughout.

According to data from KISSmetrics, nearly a quarter of people (24%) said that they would prefer to save their cart for possible later purchase. Since so many customers are interested in completing a purchase at some point, it helps to keep the cart highly visible so they remember it, said OptinMonster. For instance, you could implement a cart icon in the corner of the page that automatically expands when you hover over it.

5.) Expand ways the customer can pay.

Having more payment options can complicate management and accounting, but it is important to make checkout as user-friendly as possible with multiple payment options, noted Small Business Bonfire. For instance, it can be a good idea to take both credit cards and PayPal.

6.) Incorporate cart abandonment emails.

When someone is abandoning their cart right at the end, that may seem frustrating – but, as SEMrush points out, it is actually positive because you have probably already collected their email address. A notification should be sent out immediately that they left items in their shopping cart, via autoresponder. You actually want that notification to be a series, with a couple more messages sent during the ensuing 24 hours.

7.) Implement guest checkout.

You do not want to drive shoppers away by making it necessary for them to have an account before they can buy. When they have to register prior to purchase, it complicates the process, and some people will leave, noted OptinMonster.

Think about it this way: by requiring an account, you are essentially demanding that the user enter their basic account information, confirm their email address, and then come back to the shopping cart to finalize the purchase. For people in a hurry, these extra steps can feel too inconvenient.

By allowing guest checkout, you get around the need for account registration. It is a better idea to try to turn guest purchasers into accountholders after the fact than it is to eliminate guest checkout entirely.

Strong ecommerce platforms make it simple to enable guest checkout. Users then have the option to create an account once the purchase has been completed.

8.) Don’t forget the human touch.

Autoresponders may make sense for some situations, but you will have greater success if you personally reach out to people right after the cart was abandoned to see if you can be of any assistance, explained SEMrush. The reason they left may be as simple as a payment or coupon code error. If you are able to help the person find the answer they need – to again make checkout simple for them – they may return and complete the transaction.

9.) Make all charges transparent.

People do not want to see the price rise substantially during the checkout process. Adding fees during checkout can prompt someone to leave their cart, noted Small Business Bonfire. Stating the full amount of the product as quickly as possible, with shipping and any other fees included, will let the shopper know exactly how much they will be charged.

10.) Include social proof.

Another thing that is impactful when a person is trying to decide whether to place an order is to show them that they are unlikely to experience buyer’s remorse. By presenting ways that your products have helped other people, social proof allows online shoppers to feel less worried that they will regret the purchase.

Here are a few methods, suggested by SEMrush, for adding social proof to an ecommerce site:

  • Put testimonials on landing pages and top reviews on product pages.
  • Send post-purchase messages to customers asking them to leave you a review.
  • Incorporate software such as Notify to let shoppers know others who are buying from you.

11.) Improve your speed.

One other key reason that people will leave a site is because your site is moving too slowly. While there are many tactics you can take with your site to make it faster, one of the key ones is to ensure your infrastructure is built for speed. At Total Server Solutions, we know what it takes to keep high-volume, high-quality shopping cart sites running strong. See our high-performance ecommerce hosting solutions.

HIPAA risk analysis - steps to achieve it
As you consider your risk analysis and efforts to keep it HIPAA-compliant, it is helpful to understand that the notion of risk is inherently context-based. Whenever you think about risk, initial questions to ask yourself are:

  • What asset am I attempting to protect?
  • What are potential threats?
  • What must be defended?
  • How substantial is the risk?

To look at the notion of context and how important it is to risk, Sarah Morris of KirkpatrickPrice suggested the analogy of a tire that has significant wear and tear. When you think of it in terms of driving, its condition is awful, and it represents great risk. If you took the tire off your car and instead used it as a tire swing, you would remove the friction of the roads and no longer have the risk. With that in mind, Morris recommends not jumping to conclusions when it comes to determining your amount of risk, since you need to completely understand the context. Once the analysis is complete, you will be able to gauge your risk using that specific information.

Moving forward with your risk analysis

To understand your context so that you have a sense of your risk, you must conduct a risk analysis. The steps for performing a HIPAA-compliant risk analysis are as follows:

Step 1.) Know key terms.

Major terms that are important to understanding HIPAA law are:

  • covered entity – Under HIPAA, a covered entity is a healthcare provider, plan, or data clearinghouse.
  • business associate – When covered entities use third parties to handle their protected health information (PHI), that organization is called a business associate.
  • business associate agreement – This term refers to a contract signed between a covered entity and any third party handling its PHI, stipulating responsibilities related to its protection.
  • electronic protected health information (ePHI) – When medical information is digitized into electronic health records (EHR), the data contained within IT environments is called ePHI (although PHI can be used as a catchall).
  • protected health information (PHI) – Typically shortened to its acronym, this term refers to sensitive personally identifiable health data that is safeguarded by HIPAA law.
  • Security Rule – A key stipulation of HIPAA’s Title II, the Administrative Simplification Provisions, this rule provides guidelines for the protection of electronic health records.

Step 2.) Know basic requirements of HIPAA law.

Within the Security Rule is the Security Management Process standard, which states that HIPAA compliance requires procedures and policies that avoid, identify, limit, and remediate any security issues that violate healthcare law.

The part of HIPAA that discusses the need for risk analysis is 45 C.F.R. § 164.308(a)(1)(ii)(A). To summarize that section:

In order for any organization to achieve HIPAA compliance, it is necessary to extensively review any possible risks to the ePHI that might expose it, corrupt it, or make it unavailable.

A description of strong risk analysis questions is contained in NIST Special Publication (SP) 800-66. Here are the questions (which are not mandatory or all-inclusive but suggest possible directions that may apply to your situation):

  • Do you know where the electronic protected health information is within your system (accounting for all data you generate, store, send, or receive)?
  • How is your ePHI handled externally, as when service providers produce, store, send, or receive healthcare data?
  • What poses a risk to the ePHI within your data environment, including all environmental, natural, and human threats?

While a risk analysis has direct benefits in terms of understanding your risk, you will experience indirect benefits as well, since it guides you toward better compliance with other standards of the law. For instance, while some of the Security Rule’s implementation guidelines are labeled “required,” others are labeled “addressable.” The HHS clarified that it is not your choice whether to comply with addressable items. Instead, the entity should evaluate each addressable item in terms of how appropriate and reasonable it is, given the context.

Step 3.) Assess the scope of your analysis.

Examine all of the equipment and digital environments within your organization that generate, send, store, or receive ePHI with respect to the physical, administrative, and technical safeguards described within the law. Servers and computers are a clear place to start, but think broadly as you consider your technology, as noted by the American Medical Association (AMA). For instance, photocopiers will typically have hard drives within them that store images of everything that you scan. All mobile technology that handles ePHI should be included within your scope as well. Also at this point, create an asset list and draw a diagram or write an outline of the ePHI workflow.

Step 4.) Determine possible weaknesses and threats.

When you look at the ways in which you might be vulnerable, you can benefit from the work you did in determining your scope, because it tells you where to look for weaknesses and threats. It is important to ask the same questions about your environment repeatedly so that you consider all the potential problems that may arise in the various segments of your system that handle sensitive health data.

What you want to achieve at this point is a full picture of everything that might put your firm at risk. It is also when you can create an inventory of all the security measures that are currently implemented. Typically you will need to talk within your organization (with the office manager, for instance) as well as having discussions with knowledgeable outside parties about the ePHI threat landscape and standard protections.

Step 5.) Evaluate your risk.

As stated above, risk is all about context. The nature of the systems you are protecting will lead to a reasonable understanding of how likely data breaches are to occur – and how devastating the outcomes would be.

An example negative situation that is a common HIPAA violation is the loss of an unencrypted laptop. The risk posed by laptop loss differs from one organization to another, though. For instance, a practice that visits patients in their homes could consider loss of laptops a high risk, since it is quite likely to occur and because the laptops might contain ePHI related to patient visits. By implementing laptop encryption, the risk is mitigated.

Also rank your risks during this process. You can determine your overall level of risk at this point as well.

Step 6.) Finalize your documentation.

Create a document that outlines the findings of your risk analysis (much of which you have already produced in the earlier steps). Make sure that this writeup includes the list of all your assets, weaknesses, threats, likelihood of occurrence, impact, controls that are now implemented, ranking of your controls, any residual risk you might have, and any advice that you have in terms of new controls to deploy.

Step 7.) Review and update your risk analysis process moving forward.

Risk analysis should be an ongoing project, of course. It should occur once a year, according to the AMA. Deciding how often to perform these assessments is context-based as well, though. As noted in Healthcare Informatics, “Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every three years) depending on circumstances of their environment.”

HIPAA-compliant hosting for your patient data

HIPAA is flexible and allows you to assess your security stance based on the context. To better understand your context, you perform a risk analysis. The above steps will help you in conducting your risk analysis. Probably you will find ways in which your systems could be improved, as with expertly engineered HIPAA-compliant hosting. At Total Server Solutions, our service is what sets us apart, and it’s our people that make our service great. See our approach.

data emanating outward from the individual, the key concern of the General Data Protection Regulation from the European Union
Bolstered consumer consent. The “right to be forgotten.” 72-hour breach reporting. Hefty fine schedules. These aspects of the General Data Protection Regulation from the European Union are now in effect, as of May 25, 2018. As the most significant change to data security law in Europe in two decades, this new set of rules is getting a huge amount of attention in security and compliance circles.

Companies that are based in the EU must abide by the law, as must multinational firms that do business in EU nations. US-based businesses that do not have any operations in the EU may think that they are not impacted by the GDPR, but that is actually not the case – as is true for any companies from other non-EU countries. No matter where you are on the planet, you have to be concerned with the issue of GDPR compliance if you have a website and collect user information, since you could at times be handling the data of EU citizens.

Do you really have to follow this EU law?

Some businesses may think that a regulation written across the ocean is insufficient reason for them to change the way they do business, instead taking their chances that they will not get a fine. However, companies that take this approach should be aware of the size of fines for noncompliance. While fines are in two tiers, both tiers involve substantial penalties: the upper tier is the greater of 20 million Euros (approximately 23.60 million US dollars) or 4% of yearly worldwide revenue, and the lower tier is half of that, the greater of 10 million Euros (11.80 million USD) or 2% of annual global revenue. Breaches due to violations that the EU lawmakers determined were the most critical ones related to personal data security can get the maximum, higher-tier fine. The important provisions on data security as it relates to these two tiers of fines are in Articles 5 and 32, as discussed in greater detail by international business law firm Pinsent Masons.

Beyond the fines, there are also numerous other costs associated with being fined – such as the impact of bad publicity and lawsuits. For businesses to be prudent and to ensure their ongoing stability, GDPR compliance is essential.

Organizations that are not within the European Union can look to the GDPR itself to verify their need for compliance. Within the regulation’s Article 3, it states that you have to meet the GDPR when your organization gathers behavioral or personal data from a citizen of a European Union nation. Article 3 stipulates that data subjects (protected individuals) must be in the EU when that data is gathered. Also, to be clear, no financial transaction must take place in order for protections to be needed. Collection of personally identifiable information (PII), which the GDPR calls personal data, necessitates protecting it per the regulation’s guidelines.

While it is clear that non-EU companies must follow the GDPR, the core point that currently remains unanswered is whether a similar data protection law might be passed in the United States. Despite the costs and frustrations that arise from a new form of compliance, some business leaders see the law as a sign of progress. FollowAnalytics CEO Samir Addamine called passage of the GDPR the “rare time that the EU is… in advance of the rest of the world.”

Basics of the GDPR

It is now necessary for organizations to get consent from EU citizens in order to gather their data. When getting the consent of these users, it is necessary for the contract to be straightforward and easy to access; also, the reason the data processing is taking place should be given within the consent terms. The way that the terms are written should be highly readable, and anyone who signs an agreement should be able to cancel it just as simply as they initiate it. It is also necessary to notify your EU users in a maximum of 72 hours if a data breach occurs that may have impacted their records.

Additionally, the GDPR gives every citizen of the EU the right to be forgotten – the right to ask that their information be cleared out of a business’s systems if the purpose for which it was gathered is no longer relevant or if the individual wants to take back their consent.

The broad applications of the GDPR are evident through a simple example from Jeremy Goldman of creative consultancy the Firebrand Group: if you closed a social media account, the company would have to remove all your data. There are exceptions to this rule: it is not your right to have the data removed if its preservation is for the public good, as when the nature of the data is somehow newsworthy. Another restriction to this aspect of the regulation is that you cannot get records removed when their removal threatens freedom of expression (the broader category that includes freedom of speech).

Where should I focus first?

When it comes to taking on new standards and implementing the parameters of new forms of compliance, it helps to have an initial point of focus. Otherwise the complexity of legislation can feel overwhelming and deter forward motion toward GDPR compliance by international companies (and again, that means companies in any country whose websites might collect the personal data of EU citizens).

Perhaps the best place to start is with the need (mentioned above) to get a clear, simply stated, and straightforward agreement from users in order to collect their information. Companies may wonder specifically what it means for consent to be clear or easily readable, since it is difficult to get completely away from legal terminology and concepts. Consent must “involve a conscious and informed act by the individual,” noted Compliancejunction. It is no longer acceptable in these situations to have a prechecked checkbox, for instance. The terms must note the data controller (the organization that will be responsible for the records) as well as any outside firms that will be handling the information. While consent has not required as much intentional transparency in the past, as of May 25, the obtaining of consent has to be achieved through an unambiguous action that is distinct from signing the general user agreement.

Within the General Data Protection Regulation, citizens of the European Union nations are also granted the right to get a writeup covering all the data the firm has collected from them for free. They can also get, at no cost, the locations in which the data is being stored or processed, along with the reason that it is being handled.

GDPR compliance for your business

If you have fallen behind on GDPR compliance, analysts suggest that you are not alone. A Gartner study forecast that more than half of companies regulated by the GDPR will not have reached complete compliance even by the end of 2018. Since the notion of territorial scope (i.e., impact beyond the confines of the EU) is so critical to the GDPR and the way it updates European data law, businesses in nations outside the European Union should “not be surprised to find that they are a particular target of data regulators,” noted the Workplace Privacy, Data Management & Security Report.

Are you concerned about the impact of the General Data Protection Regulation on your business? At Total Server Solutions, through our singular mission of providing you with the finest hosted services and the most robust infrastructure available anywhere, we can help you build a system that meets your needs while also achieving and maintaining compliance with the GDPR. See our customer testimonials.

Juggling security to protect sensitive customer data - GDPR compliance steps - General Data Protection Regulation
While there are borders between nations, the world is integrally connected. That is perhaps nowhere more evident than in the marketplace of the Internet. The interconnection that the Web allows also means that security is a huge priority, since no one wants anyone who is unauthorized accessing their confidential data. Sometimes legislation will be passed that impacts the way sensitive information is treated. If the body making these decisions is large enough, the simple passing of a new set of rules can have a seismic influence on global business and the ways that information systems are defended.

A good example of this kind of law passed in the United States is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. While HIPAA compliance is technically limited to protecting the health records of US citizens, it has a broader effect because companies headquartered elsewhere must have their systems adequately secured to meet the needs of any US patient data. Similarly, GDPR compliance is necessary for all global companies related to the data of European customers.

If the General Data Protection Regulation sounds new, it was actually passed on April 27, 2016 – so there were 25 months given to organizations to prepare for the May 25, 2018 effective date. It is reasonable that many companies have not understood that they could have to meet the needs of a law passed by a foreign entity.

What is the GDPR?

The General Data Protection Regulation is a wide-ranging new law that mandates reasonable protection of the data of citizens of European Union countries when it is handled by any business, no matter where (i.e., in Europe or elsewhere) the information is gathered, processed, or stored. Both organizations with an established business in EU member states and digital entities (apps and websites) that interact with the sensitive information of European citizens must be GDPR-compliant, as indicated by Leslie K. Lambert.

If you want a little bedtime reading, the GDPR can be read in all its glory in the Official Journal of the European Union – see Regulation (EU) 2016/679 of the European Parliament and of the Council.

7 steps to GDPR compliance

If you have not had a chance to evaluate your systems and update them to reflect the new needs of the GDPR, here are simple steps you can take to achieve compliance:

#1.) Establish a GDPR team and data protection officer.

GDPR compliance should be an organization-wide concern. Assemble a group of people from various departments and roles (including IT, risk, finance, and marketing) who will each serve different functions in the adoption of these new parameters. The GDPR mandates the assignment of a data protection officer at firms or agencies that perform high-volume handling of confidential personal details or criminal backgrounds, or that conduct high-volume routine and frequent tracking of the people to whom the data applies (called data subjects).

Assuming you do not meet those stipulations and are not required to have a DPO, you may still want to assign a DPO or GDPR compliance officer so that your efforts are more straightforward, as indicated by UK attorney Rachael King.

#2.) Consider your accountability.

You will be reviewing the way that you treat data, both through your own means and through others acting on your behalf. You can better understand the GDPR, suggested Luke Irwin of IT Governance, by looking through the lens of accountability. Ask yourself the following questions related to all data you store:

  • Why is the data being stored?
  • Where did you get the data?
  • Why did you initially collect the records?
  • What is the timeframe for retention of the records?
  • Is the information well-protected, through both encryption and access restrictions?
  • What are the circumstances through which sharing with other entities occurs?

#3.) Prioritize your customers’ privacy rights.

Once you’ve taken a hard look at the way that your organization is storing and retaining information, turn and look directly at the rights of individuals, as newly mandated by the GDPR. In other words, become familiar with the privacy concerns that are the driving force behind this key law. Institutions that gather and retain data of (EU-residing) individuals have to respect certain privacy rights, which include:

  • Right to deletion (ability to remove records)
  • Right to access (ability to view records)
  • Right to portability (ability to transfer records)
  • Right to notification (ability to know key information about records)
  • Right to correction (ability to change inaccurate information)
  • Right to restriction (ability to limit the ways personal data is handled)
  • Right to object (ability to stop certain processing based on personal concerns).

#4.) Check your current documents and mind the gap.

Many organizations move first to looking at their agreements with outside entities (both service providers and clients) to gear themselves toward compliance. The first step, though, should be to look at what you currently have instated in-house, as advised by Mark Ross in Compliance Week.

Your policies, procedures, and other elements of your compliance stance should all be reviewed, with any aspects that do not meet the GDPR noted. Having looked inward, you must then look outward and verify that all of your vendors are GDPR-compliant as well. As you look at all your various systems and relationships, you are conducting a gap analysis. This analysis must check that there are data retention stipulations noting the maximum time for which data can be stored. You should also ensure that you know where and in what manner all data storage occurs, as organized within data maps.

#5.) Create a gameplan and determine applicable contracts.

Once your gap analysis is complete, you can start to look carefully at all your agreements. You should have a gameplan that organizes the way your contracts are drafted and amended over time. Write your GDPR amendment, bearing in mind that your firm may fit the definition of a controller and processor under the law. Be ready for companies not to always readily accept this additional language. You will lower your risk by preparing this clause and using it to negotiate.

Now look at your current agreements to identify ones that fit the scope. You can use a machine learning tool that assesses contracts in order to find the provisions that should be targeted. To complete this process:

  • Set aside any contracts that are inactive.
  • Focus your attention first on agreements that represent the greatest risk.
  • Review the contract to see if it is GDPR-compliant or not. If data is being sent outside the EU, the way in which that data is transferred will have to meet GDPR specifications.

#6.) Send amendments and store final agreements.

For any contracts that are not GDPR-compliant as-is, you need to get those agreements amended. The amendment process may take some initiative on your part, since some organizations will not be as concerned with the GDPR, or otherwise not as quick to act, as others. Once you have determined what needs to be updated, send out amendments and get the new contracts signed. Once you have the agreements finalized, you can store them in a structured data format according to their key terms, within a contract lifecycle management system (to simplify organization and referencing).

#7.) Look at your data breach notification procedures.

Notification of data breaches is a core component of regulations that protect personal data, as previously seen within HIPAA and other regulations. Any time that information you are holding or processing becomes compromised, the entity that becomes aware of the breach must send information related to the incident “without undue delay” and within a maximum of 72 hours to the Information Commissioner’s Office (ICO). Verify that your environment will automatically notify you if a breach ever takes place. Also be certain that all your personnel know how to respond to a security event should one occur.

GDPR-compliant hosting

Are you concerned about the new parameters of the General Data Protection Regulation and how it specifically impacts your organization? We are happy to discuss how the needs of the GDPR can be integrated into your data documentation, systems, and partnerships. At Total Server Solutions, we provide everything you need for a GDPR-compliant system, with a 24/7 staff of engineers and full training for all our personnel. See how we’re different.

service level agreement - signing to agree to terms
The service level agreement (SLA) can help you to evaluate potential service providers. This document is important both because it establishes what kinds of services are included and because it sets the quality parameters with which they must be performed. The SLA also notes what the fixes or next steps are when a provider does not succeed in meeting the specifications within the SLA contract.

In this article, we look at what an SLA is, key sections that are usually included, and a few frequently asked questions on the topic.

Service level agreement definition

A service level agreement is a contract between a customer and the provider of a service related to the content and quality of services to be provided. An important component of an SLA is metrics, which can be gauged to determine if the agreement is being properly upheld. Hosting providers and other IT firms, as well as many other types of companies, standardly use SLAs to govern relationships with their customers.

These contracts are often associated with tech businesses due to their service model but have been in general use since the late 1980s.

Note that within entities that do not have provider-client arrangements that are typical of vendors, the SLA becomes an operating level agreement (OLA).

Important provisions within an SLA

Before looking at the specific sections, it is worth noting that you can use the SMART model from George T. Doran to help guide its construction. SMART stands for specific, measurable, achievable, relevant, and time-bound. Any expectations of the SLA will be better defined if you ensure they have these characteristics.

To look at the contract more closely, typical components of a service level agreement include the following:

I. Service description – This section should discuss the services that the vendor is conducting, the actual tasks that will be completed, and when these services will be delivered. It should include:

  • Overview of services that are to be delivered, including types and tasks
  • Timeframes when support is available for the various kinds of service
  • Process and details for contacting the provider.

II. Responsibility description – In this part, you want to assign responsibility for all aspects of service provision. This section should delineate:

  • The responsibilities assumed by the vendor
  • The responsibilities assumed by the customer
  • The responsibilities that are split between the two parties.

III. Operational specifications – Guidelines for operations are necessary within a service setting so that the provider can meet the parameters they have established. It is key to identify and track these elements, because the level of service performance achieved may depend in part on operational parameters. You may have to update the SLA related to operations if the number of users goes beyond what you have stated within this section, or if you no longer have sufficient oversight and control over the parameters.

IV. Service level goals (SLGs) – The client’s expectations for the performance of services are typically included within this area of an SLA. The way that the organization performs in terms of metrics (measured elements) allows a customer to know if a vendor is upholding its end of the bargain. The specific data that is needed to determine performance will vary based on the type of service and the variables used for measurement. When a hosting provider promises 99% uptime around the clock, for instance, that is a commitment related to the equipment and network availability metric. When a provider commits to solve key problems within two hours, that represents them assuming a responsibility related to the critical incident resolution metric.

V. Service improvement goals (SIGs) – An SLA may also state expectations for how much a service level goal will get better as time passes – both in terms of rate increase and amount increase. Performance data for SLGs will be used for this calculation, along with the development of a performance trend related to a set stretch of time. By looking at the trend, you can tell if the provider is meeting the required rate.

VI. Service performance penalties & incentives – Service level agreements should certainly have penalties for not meeting the agreement’s parameters, but incentives can also be included. The service provider could be financially incentivized to outperform the service goals.

VII. Reporting on service performance – This section details service reports and charts that the vendor will supply to its clients, allowing a direct comparison of the service goals to the true performance. A graph can be helpful because you can visually see whenever the level of services that is supplied falls below the service goal.

VIII. SLA signatures – Finally, you want to have the agreement signed into effect by both parties, the client and the vendor. Without the signatures, this document cannot be binding.

FAQ about SLAs

Here are some typical questions that people have about service level agreements:

1. Why are SLAs important?

A service level agreement is key to defining the relationship between a customer and supplier. It is a compilation of details on all services that are being provided and how quality level will be maintained. These documents are important because they provide clarity for expectations, setting down on paper what might otherwise be assumptions. The transparency of stating responsibilities, guidelines, and metrics in real numbers allows you to know that everyone is on the same page.

2. Does an SLA automatically transfer?

Signing an SLA may make you feel that you are safe with a service moving forward, but it is important to note that the agreement is not with the service but with the provider. Therefore, if a merger or acquisition occurs, your SLA may no longer have any relevance. Never assume that an SLA will remain in effect when the ownership of an organization is transferred. However, you will often find that the acquiring company will agree to meet the terms of SLAs that are already in effect simply as a customer satisfaction gesture.

3. What metrics should be included within the SLA?

You will want to define the metrics that determine whether you are performing the service in an acceptable manner. You want the monitoring of metrics to be very simple and to gather the applicable data through an automated system for better reliability.

Although metrics are not always the same, those that are key to track will often include:

  • Availability – This provision describes the extent to which a service can be accessed and used during a certain time period. The provider may offer 99.9% availability during regular business hours, for instance, with lower availability outside that window.
  • Defect rate – This figure gives you the rate or quantity of mistakes that are allowable within important deliverables.
  • Technical strength – When you have software developed by an outside firm, you can use a tool to check for problematic aspects such as size and errors in its script.
  • Security – When your network or a particular system gets breached, you can lose a lot of money. For any elements of security that are measurable, it is important to keep track of those metrics since they will help determine if the appropriate steps are taken in order to avoid compromise of the data. An example is patching and updating of an antivirus system.
  • Business outcomes – Often organizations will want to include measurements related to business processes. It is fine to do that using key performance indicators (KPIs) if you are able to determine the provider’s responsibility related to those KPIs.

How do you tell if SLA service levels are being maintained?

The majority of organizations that provide services will give you metrics, whether through their website or otherwise. The data that is included makes it simpler for customers to know if the vendor succeeded in hitting all the expectations described in the contract.

The right provider and the right SLA

Knowing what to look for in an SLA is important, but finding the right provider is even more critical. At Total Server Solutions, our platform is designed for high performance, and our long-term success is entirely dependent upon the success of our customers. See our service level agreement.

geese making a cloud migration much as your apps and infrastructure do

Posted by & filed under List Posts.

Cloud hosting, also known as infrastructure as a service (IaaS), is on the rise. The broader segment of cloud infrastructure and services expanded by almost a quarter between 2016 and 2017, per a report released by Synergy Research Group. While software-as-a-service (SaaS) increased at a 31 percent rate, the combined area of platform-as-a-service (PaaS) and IaaS grew at an even more impressive (almost shocking) 47%.

Underscoring the growing popularity of cloud provided through a service model, the hardware and software that builds cloud systems is only growing at a third of the rate that the cloud services market is.

Since there is already a huge amount of IT infrastructure installed as legacy systems within on-site data centers, the shift to cloud will be rapid but certainly not immediate. In agreement with the growth trends suggested above, a poll released by SolarWinds in March 2017 revealed that 95% of IT decision-makers had moved critical apps and infrastructure to the cloud over the previous twelve months; but that’s just referencing single applications. An analysis by Constellation Research found that the portion of total workloads that have been transferred to cloud is just 5 to 7 percent.

The transition will need multiple generations of software and technology before it is at its peak. While any change can be complex and have its frustrations, the good thing for those shifting to IaaS is that many organizations have already made large cloud moves, so the migration can be informed by the common errors of others. 

Typical mistakes when migrating to cloud

Here are some of the most common mistakes that people make when they switch their infrastructure from on-premises systems to cloud service providers: 

Mistake #1 – Using the wrong cloud migration strategy

Forrester Research principal analyst Dave Bartoletti noted that the top way organizations will update their applications over the next few years will be by transitioning them to cloud.

While that may be true, it is very common for companies to move too hastily when they analyze the various approaches to cloud moves.

Bartoletti noted that there are many routes you can take when looking at how to get an application into an IaaS environment, adding that when you choose a method that is not best, “you can spend a lot of money and not get the payback you want.” 

Mistake #2 – Failing to assess your application portfolio

You need to first look at what you have, the apps that you will be migrating. It is wise to conduct a portfolio analysis, whether internally or via a consultant, to give you a sense of the applications that are ripest for a move. Cloudifying all your apps and systems at once can be overwhelming and lead to costly mistakes.

As noted in Computerworld, firms are smart to create two categories of apps, ones that are best suited for replacement and ones that are good fits for migration.

Another key point is that the concerns with security or compliance of an app should help to guide your decisions. While cloud is a secure location for computing that must meet the requirements of strict regulations (such as HIPAA), it is not necessarily the best choice to transfer the applications that contain the most critical, highly confidential data upfront.

Mistake #3 – Excessive customization of cloud

While you do not want to make the mistake of assuming all cloud systems to be the same, you also do not necessarily want to create a cloud infrastructure setting that is excessively customized – since that will make it difficult for you to systematize your approach and apply it broadly to application migrations. Kurt Marko noted that this scenario tends to arise when a migration is handled by one department, which uses service settings, security policies, and tailored management protocols that are too specific to be useful company-wide.

Mistake #4 – Not performing a business analysis upfront

A business analysis will tell you what the benefits are, and that analysis is key to understanding what your savings could be with a cloud deployment over your current setup.

Bartoletti noted that the business analysis should answer a few important questions:

  • Is the main concern that you save money or enhance your performance?
  • What are ways that you can optimize in order to save as much as possible and achieve the highest possible speed?
  • What are the migration tools that are best suited to this project?

Selection of those tools is more time-consuming than it may first appear, said Bartoletti, who added, “You don’t just Google search tools for migration and use the first one that pops up.”

Mistake #5 – Failing to understand how long integration will take

It is easy to assume that integrating cloud will be quick, warned Rishidot Research founder Krishnan Subramanian.

While cloud is simple, it can also make IT environments more complex, as when organizations are integrating cloud with in-house infrastructure and apps. Since that is the case, integration should be considered prior to cloud adoption.

There should always be a broad design to your architecture that extends across all systems, explained Wang, who added, “Then you have to figure out what’s owned, accessed, and borrowed.”

You also might have to make adjustments to the code for an application to work correctly in an IaaS setting, as noted by Bartoletti. For instance, you might have to change the code so that it uses cloud storage rather than a local file system.

Mistake #6 – Forgetting to prioritize your security policies

Your security policies could start to break away from standardization, lacking complete coverage and consistency, when you transfer to cloud infrastructure. Your firm has user authorization and access, event monitoring and logging, app and system configuration, network traffic, and other security requirements. The policies will not go away with cloud, and they may well become stricter. It is critical to have various layers to your security stance if you want to keep your systems and data protected in cloud.

Mistake #7 – Falling short with your training 

Often IT professionals are not as knowledgeable about cloud as other technologies, particularly when they are performing an initial cloud move. Recruiting people who specialize in cloud can be prohibitively costly.

One way or another, having insight into cloud will minimize the amount of time the transition takes and prevent frustrating issues from arising unexpectedly. Otherwise, when you have completed the move, you may find that the disorganization of your on-site system still exists, only now on cloud servers. Granted, with the right provider, you can get the help you need for a seamless migration.

Mistake #8 – Thinking cloud hosting is cloud hosting

Speaking of the provider, one of the main mistakes that people make when they adopt IaaS is thinking that all cloud hosting is fundamentally the same, as indicated by Kurt Marko. There are certainly aspects that are shared by cloud infrastructure solutions, such as various kinds of storage and virtual servers. However, there are specific elements of individual cloud hosting environments, including the billing plans, features, and the complexity of network and application services available. Focus on security and the level of performance will also vary from one provider to the next.

Choosing your cloud host

By paying attention to common mistakes made by those who went before you, you can more confidently move forward with a cloud migration. As indicated by Marko, one of the key mistakes is to think that IaaS providers are all the same. Do you need a cloud host that combines outstanding speed with the stringent security standards of the American Association of CPAs? At Total Server Solutions, we believe that a cloud-based solution should be secure, scalable, reliable, fast, and easy to use. See our High Performance Cloud Platform.

ecommerce conversion -- how to improve your conversion rate

Posted by & filed under List Posts.

Global retail ecommerce revenue grew at a compound annual growth rate (CAGR) of 24.8% in 2017 to reach $2.304 trillion, according to figures from eMarketer. The analysis determined that 58.9% of sales came through mobile devices, underscoring the increasing importance of mcommerce to online efforts.

Overall retail sales increased at a significantly slower rate, 5.8%, to hit $22.640 trillion. Globally during 2017, ecommerce represented 10.2% of all retail – a rise from 8.6% of the total in 2016. Sales from mobile hit $1.357 trillion in 2017, up an incredible 40.3% over 2016 and accounting for 6.0% of all retail sales.

As ecommerce continues to grow and become an ever-more-impactful area of the economy, each individual company looks for ways to expand its own online sales. This report explores a study on key performance indicators and statistics that provide insight into ecommerce conversion rate and revenue. It then reviews a few specific strategies to increase your site’s conversion rate.

Benchmark KPI analysis of ecommerce

The 2017 E-Commerce Benchmark KPI Study from Wolfgang Digital is one of the most prominent sources of information to analytically review the effectiveness of your online sales presence. The study uses more than half a billion dollars ($531 million) in Internet revenue and 143 million website visits to create its benchmarks for a quantifiable understanding of ecommerce strategies. It helps people grasp the aspects of analytics that are most critical for growth.

Three of the most interesting insights from this study are related to mobile vs. desktop, stickiness, and average website conversion rate:

  • Desktop is still dominant. Mobile was at 52% of ecommerce sessions in 2017, followed by desktop and tablets at 36% and 12% respectively. While mobile may generate more traffic, desktop sessions still accounted for 61% of all revenue, with 20% more per order and a 164% higher conversion rate than mobile.
  • The greatest correlation of all data collected by the researchers was the 0.6 correlation between time on the site and conversion. Conversion rate increased 10% when 16% more time was spent on a site.
  • Need a bar against which you can measure your site? The average conversion rate for all sites, according to the voluminous data set used for this study, was 1.6%.

9 ways to improve your conversion rate

Many of these ideas are from a piece by Douglas Karr for marketing technology conference MarTech. Others are from communications executives at organizations that either benefit from strong ecommerce or are charged with helping clients do the same.

#1 – Create a simple shopping experience.

Directions that you can go with your ecommerce presence are abundant, and the complexity of the challenge can make it easy to forget how important it is to remove any unhelpful complexity from the user experience, noted William Topaz of Anxiety.org. The visitor should feel that your site is easy and that they do not need to figure anything out. Topaz’s perspective is that site visitors should immediately be able to see the most fundamental content and call-to-action elements. Ensure that all information you collect from the customer is essential. Focus on clarity and clearing up any potential confusion the buyer might have, said Topaz, who added, “Most importantly – always be testing. Always!”

#2 – Bolster your social media.

Improving your social media will lead to higher conversion rates and stronger sales. That may sound counterintuitive if your sales are all through your site. Social is key because the vast majority of online shoppers (84%) will look over at least one of your social media profiles before they buy, per Karr.

#3 – Let people speak with people.

Many people like to be able to get what they need and be done with it, noted Holly Chessman of Glance Networks. Still, when users try to decide between different products, are unable to locate a certain item, or are otherwise in need of help, access to a person is essential. You can facilitate better support of your shoppers through co-browsing, phone, and chat, said Chessman, thus introducing broader and more personalized options for help than what might be provided otherwise. In this way, you can “[h]umanize your company, make customers happy and solve problems in one fell swoop,” said Chessman.

#4 – Display ratings and reviews.

It should be your goal for customers to get from your site whatever they might otherwise leave to obtain. A key example is product ratings and reviews. Keep people on your site by providing this information.

The importance of these elements is indicated by FreeLogoServices CEO Craig Bloem, who noted the following stats in Inc.:

  • Nearly everyone, 91% of people, read reviews either on occasion or consistently when shopping online.
  • Most people, 68%, determine the product they want by looking over just 1 to 6 reviews.
  • The vast majority of online shoppers, 84%, say that they give more weight to reviews than to recommendations from friends.

#5 – Make sure that your product images captivate. 

The photographs of your products that are presented on your site help convey a sense of their quality to potential buyers, noted Lin Grosman of GoDataFeed, and they also help establish trust. Imagery should be rich and diverse, said Grosman, with images that intrigue, shots from various angles, and a zoom feature.

#6 – Move away from guesswork. 

In order to get a better sense of how to improve your sales, you must determine how your product meets the needs of your target customer, explained Seth Waite of RevUnit. Understanding what they want and molding your site to reflect their expectations will boost conversion. Multivariate and split testing will help you systematically collect data on customer preferences, said Waite, who added that “[a]ssumptions about user experience can be the biggest conversion killers.”

#7 – Focus on your return policy.

Return policies are critical to ecommerce success. The 2017 UPS Pulse of the Online Shopper report found that nearly 4 in 5 consumers (79%) prioritize free shipping on returns when they decide where to buy. Returns are not all bad, though, as another statistic indicated: almost half of shoppers (44%) said that they made an additional purchase once the return had been processed.

#8 – Be careful with shipping fees. 

The average abandonment rate for ecommerce shopping carts is 69.23%, per a study from the Baymard Institute. The top reason people leave a cart behind is because of unexpected extra charges, with Baymard finding that 61% of would-be shoppers leave behind carts because they are scared away by shipping, taxes, or other fees. A different study, from Barilliance, supports the critical nature of shipping costs as well, finding that unexpected shipping charges were the #1 reason people leave their shopping carts. 

#9 – Improve your speed. 

Finally, Karr stressed the need for speed on a site, saying that conversion will fare horribly in the context of latency. This comment is backed up by a high-profile study that showed nearly half of consumers expect a load time of no more than 2 seconds. Failing to meet that expectation could mean that a potential customer is gone forever.

High performance for better conversion 

As seen above, there are many different ways in which you can improve your site’s conversion rate. Related to the final point on speed, probably the most critical element of site speed is the infrastructure that backs your site. At Total Server Solutions, we know what it takes to keep busy sites running fast. See our high performance web hosting for ecommerce.