Best practices for ecommerce success

Posted by & filed under List Posts.

More than half of Americans (51%) now prefer online to in-person shopping. As more buying moves online, competition in the market tightens as well. Implementing best practices is increasingly important if you want your business to perform well and keep growing at a steady rate in the years ahead.

Best practices for ecommerce include the following:

#1. Establish your key performance indicators (KPI).

Strategizing through a formal plan helps guide your forward motion and embed decisions in larger purpose. All that you perform should be in pursuit of tangible goals. While that is the case, noted an Econsultancy report, ecommerce outfits do not always clearly define their objectives. If your ecommerce company does not have an up-to-date ecommerce plan, then optimizing the way you conduct online business could require you to first “work with rest of the business to come up with the framework into which ecommerce activity can fit,” said the report.

KPIs, quantifiable performance metrics, must be determined during this process. As you review what your goals might be and how you will assess your KPIs, consider the potential for updating the way you operate. Assessing KPI data comes down to checking how simple it is to complete tasks effectively. To improve your ecommerce capabilities, you may need to modify your site and the systems behind it in diverse ways.

As you think about changes, the report noted, consider who is actually able to take the necessary steps. Assess which of your personnel – product managers, merchandise managers, etc. – have access to the site and can make edits. Similarly, you want your user experience (UX) staff to be able to test quickly and effectively without running into access issues.

To be clear, access controls are key to security and compliance: PCI DSS requires the formal adoption of access and data control policies and procedures, as the Stanford University PCI Policy indicates. The aim is to remove obstacles to improving the site without loosening those controls, for example by keeping the set of people who can edit production small and giving UX staff a separate environment in which to test.

#2. Get rid of clutter.

You will convert more visitors to your site if you make your design as simple as possible. When you look at the homepage, it should be clear where people’s attention is being directed. A person’s eyes should be moving toward either a product you sell or a call-to-action (CTA) button. When the page is cluttered, the path toward a CTA is less straightforward.

Clutter is an incredibly common issue with ecommerce sites, according to Neil Patel of QuickSprout. Patel cited statistics that it took users more than 3 seconds to locate the CTAs on more than half of ecommerce sites (53%).

Removing clutter is a reminder that you want people who come to your site to buy from you. Cleaning up the site eases their task of making a purchase. It could also reduce support requests.

#3. Polish your about page.

Many people will look at your about page. Often shoppers will decide if they want to order from you based on how they feel about that page. Statistics cited by web developer Thomas G. Bennett suggest more than half of visitors will see the page (52%). The visibility of the page is also clear in the success story from WordStream Blog: when the publication upgraded its about page, it saw a 13% rise in conversions.

Bennett suggested the following ways to improve this critical page:

  • Rather than thinking about this page describing you, think about it describing you solving customer problems.
  • Give the visitor a sense of your organization’s personality, but do not get so loose with the page that it becomes unprofessional.
  • Write a short snippet about your complete company. Discuss how you were prompted to start the store, if applicable. Talk about why you wanted to be your own boss. Talk about why the business is important.
  • Consider including reviews and testimonials. Reviews and testimonials will help visitors vicariously understand the experience of a satisfied customer. These statements are great because they establish your products working without you having to promote them.
  • Differentiate yourself. If your organization provides free consulting or monthly informational PDFs to your customers, let people know. Differentiate yourself and describe that difference.
  • Show imagery. You can feature a photograph of your staff together – or individual shots of employees to pair with quick bios.
  • End with a CTA. The way you describe yourself on the about page and position yourself as your customer’s problem-solver will make them likelier to want to make a purchase. Leverage that opportunity with a call-to-action.

#4. Get fast web hosting.

In many contexts, the desire for speed is reduced naturally by the desire for quality; for instance, we don’t expect fine dining to be delivered in 5 seconds, whereas we may be frustrated if a vending machine does not dispense in that window because the product is low-quality. In the context of the internet, on the other hand, speed is simply a bottom-line factor that will impact your success. A fast site leads to more sales.

In fact, the impact of speed has been clear for 10 years. Even back then, an Aberdeen Group report found, “A 1-second delay in page load time equals 11% fewer page views, a 16% decrease in customer satisfaction, and 7% loss in conversions.”

It is noteworthy that Patel, a marketer, lists web hosting performance – quality of infrastructure – as a core ecommerce best practice. Speed is a broad issue, however. Good hosting will solve many performance problems, but ecommerce firms should be aware that downtime and slowness of a site are often not caused by the host. Almost all site performance issues instead arise from a member of your staff “blindly troubleshooting,” per Aberdeen’s Ryan Arsenault. A 2015 Aberdeen analysis of business web performance challenges found that nearly half of companies (46%) had no web application performance monitoring tools implemented, while 1 in 5 (21%) had no web performance monitors in place.

#5. Optimize for mobile.

In today’s environment, you need to specifically assess mcommerce – with a specific plan related to building that part of your business. Strengthening mobile seems obvious when you consider that close to two-thirds (62%) of traffic through ecommerce sites is via mobile.

Notably, mobile might be used for research, while the order is placed by the user through desktop. This jumping from one device to another by users is part of the basis of cross-device targeting. Nonetheless, a large portion of online shopping is now through mcommerce: overall in 2017, mobile device purchases accounted for $18 billion of the $78.6 billion that went toward online retail. Furthermore, more than half of people (57%) said that they do not recommend an ecommerce store if its mobile site is poorly designed.

#6. Have high-quality support that is easy to reach.

Support is absolutely key to online differentiation. Some shoppers will inevitably run into challenges when they try to order from you. When someone is trying to solve a straightforward issue, whether it’s prior to sale (such as finding an item) or after (such as troubleshooting a product you sent them), fast resolution will create greater immediate and long-term sales.

Your high-performance ecommerce solution

While more people are shifting to making their purchases online, ecommerce is no less challenging – particularly as competition continues to build. Fundamental to ecommerce success is building best practices into the way you do business. One best practice is to improve your performance through infrastructure. At Total Server Solutions, our hosting plans can accommodate everything from small, static sites all the way up to large enterprises. See our high-performance web hosting for ecommerce.


Inc. Magazine Unveils Its 37th Annual List of
America’s Fastest-Growing Private Companies—the Inc. 5000

For the 2nd Time, Total Server Solutions Appears on the Inc. 5000,

Ranking No. 2919 With Three-Year Revenue Growth of 140 Percent

 

NEW YORK, August 15, 2018 - Inc. magazine today revealed that Total Server Solutions is No. 2919 on its 37th annual Inc. 5000, the most prestigious ranking of the nation’s fastest-growing private companies. The list represents a unique look at the most successful companies within the American economy’s most dynamic segment—its independent small businesses. Microsoft, Dell, Domino’s Pizza, Pandora, Timberland, LinkedIn, Yelp, Zillow, and many other well-known names gained their first national exposure as honorees on the Inc. 5000.

“TSS has a true team of talented individuals who are dedicated to customer success. Our second year in a row being named on the Inc. 5000 list is a testament to just that,” said Gary Simat, Chief Executive Officer of Total Server Solutions. “As we are just on the heels of our recent acquisition of Zerolag Communications, TSS has solidified itself as a leader in managed infrastructure as a service, servicing workloads across any platform, on any provider. We have been realizing amazing and consistent year over year growth in revenue, client count, and talent on staff; it truly is an exciting time at TSS.”

Not only have the companies on the 2018 Inc. 5000 (which are listed online at Inc.com, with the top 500 companies featured in the September issue of Inc., available on newsstands August 15) been very competitive within their markets, but the list as a whole shows staggering growth compared with prior lists. The 2018 Inc. 5000 achieved an astounding three-year average growth of 538.2 percent, and a median rate of 171.8 percent. The Inc. 5000’s aggregate revenue was $206.1 billion in 2017, accounting for 664,095 jobs over the past three years.

Complete results of the Inc. 5000, including company profiles and an interactive database that can be sorted by industry, region, and other criteria, can be found at www.inc.com/inc5000.

“If your company is on the Inc. 5000, it’s unparalleled recognition of your years of hard work and sacrifice,” says Inc. editor in chief James Ledbetter. “The lines of business may come and go, or come and stay. What doesn’t change is the way entrepreneurs create and accelerate the forces that shape our lives.”

The annual Inc. 5000 event honoring the companies on the list will be held October 17 to 19, 2018, at the JW Marriott San Antonio Hill Country Resort, in San Antonio, Texas. As always, speakers include some of the greatest innovators and business leaders of our generation.

Total Server Solutions provides managed services, high performance infrastructure and custom solutions to individuals and businesses in a range of industries. Their customers range from financial institutions, to advertising platform operators, to hosting providers, to telecom companies. Total Server Solutions is also trusted by educational institutions and government agencies to keep their data on-line and available.

 

CONTACT:
Gary Simat
Total Server Solutions
+1(855)227-1939 Ext 649
Gary.Simat@TotalServerSolutions.com
www.TotalServerSolutions.com

Tucker Kroll
Total Server Solutions
Tucker.Kroll@TotalServerSolutions.com
www.TotalServerSolutions.com

 

More about Inc. and the Inc. 5000

Methodology
The 2018 Inc. 5000 is ranked according to percentage revenue growth when comparing 2014 and 2017. To qualify, companies must have been founded and generating revenue by March 31, 2014. They had to be U.S.-based, privately held, for profit, and independent—not subsidiaries or divisions of other companies—as of December 31, 2017. (Since then, a number of companies on the list have gone public or been acquired.) The minimum revenue required for 2014 is $100,000; the minimum for 2017 is $2 million. As always, Inc. reserves the right to decline applicants for subjective reasons. Companies on the Inc. 500 are featured in Inc.’s September issue. They represent the top tier of the Inc. 5000, which can be found at http://www.inc.com/inc5000.

About Inc. Media
Founded in 1979 and acquired in 2005 by Mansueto Ventures, Inc. is the only major brand dedicated exclusively to owners and managers of growing private companies, with the aim to deliver real solutions for today’s innovative company builders. Inc. took home the National Magazine Award for General Excellence in both 2014 and 2012. The total monthly audience reach for the brand has been growing significantly, from 2,000,000 in 2010 to more than 18,000,000 today.  For more information, visit www.inc.com.

The Inc. 5000 is a list of the fastest-growing private companies in the nation. Started in 1982, this prestigious list has become the hallmark of entrepreneurial success. The Inc. 5000 Conference & Awards Ceremony is an annual event that celebrates the remarkable achievements of these companies. The event also offers informative workshops, celebrated keynote speakers, and evening functions.

For more information on Inc. and the Inc. 5000 Conference, visit http://conference.inc.com/.

For more information contact:
Inc. Media
Drew Kerr
212-849-8250
dkerr@mansueto.com
 

Ecommerce ethics attempt to describe fair and just behavior by online merchants.


A Tesla investor sued Elon Musk in early August, saying that they believed his claim on Twitter that he had funding solidified to turn the publicly traded company private was fraudulent. This story is still in development and certainly Musk has not (at least at this point) been found guilty of any wrongdoing. The investor, who is not suing related to ethics but purported crime, is hoping to recover financially (asking other short-sellers to join a class-action): Musk’s tweet is potential fraud that hurt their portfolios. However, it also represents an ethical issue since deceiving people would not be considered acceptable ethical behavior within common mainstream understanding.

With the rise of the Internet, business has become truly global. Since people across the planet want the marketplace to be as fair as possible, there is worldwide concern with the specific business area of ecommerce ethics. For instance, ethical design consultant Trine Falbe addresses it in the German-based Smashing Magazine as a basis on which to conduct design work. Thousands of miles away, Professor Pathik Variya of India’s Dharmsinh Desai University listed ethical obligations of ecommerce firms. There is significant overlap in these discussions of ethics for online business.

This article explores some of the core ethical issues related to ecommerce. First, though, it grounds discussion to talk directly about what ethics and business ethics are.

What exactly are ethics?

The definition for ethics from the Markkula Center for Applied Ethics is perhaps particularly interesting since it comes from a Silicon Valley based institution, Santa Clara University. The center’s definition is twofold. For one, it describes ethics as “well-founded standards of right and wrong that prescribe what humans ought to do, usually in terms of rights, obligations, benefits to society, fairness, or specific virtues.”

Secondly, the center adds that ethics refers to the study and development of ethical principles. To take on both of those meanings of ethics at your organization, you could espouse ethical principles in the way you operate, as well as commit to further improving your ethical framework and practices as you proceed.

Ethics can be followed and applied personally or organizationally, internally and externally. Business ethics may initially sound as if they are solely the concern of industry, but that is not the case, as indicated in the Stanford Encyclopedia of Philosophy (run by the school’s Metaphysics Research Lab) by business ethics specialist and Bentley University professor Jeffrey Moriarty. As Moriarty noted, business ethics are something with which we should all be concerned since everyone does business at least to the extent that we purchase items on a daily or near-daily basis. Moriarty also commented that many of us additionally spend hours daily and throughout our lives focused on producing within a business context. The actions of businesses help to determine the nature of our culture, both for good and for bad, he concluded.

Core ethical issue #1 – security

To get into specific concerns, security is one issue that is mentioned often in discussion of business ethics. After all, security is not just about meeting Payment Card Industry Data Security Standard (PCI DSS) compliance but meeting ethical expectations that define fair and forthright business interactions.

An analysis on HonorSociety.org focused its discussion of security ethics on an increasingly key issue: protecting your information systems from insider threats. That focus makes sense given the numbers. In healthcare, 58% of breaches are now caused by insiders, according to a 2018 Verizon study. Across industry, a 2015 analysis from Intel found that insiders were responsible for 43% of data breaches. Some statistics are even higher than these already high numbers; for example, HonorSociety.org cited figures finding that human error accounted for 80% of data breaches. Regardless of the specific figures, it is certainly true, as Chris Duckett said in ZDNet, that “[y]our biggest threat is inside your organisation [sic] and probably didn’t mean it.”

Since error is so prevalent, address it through robust and regular training, which is an information security best practice in any case. Routine risk assessments, both comprehensive ones and ones that target systems you are evaluating for adoption, are also critical for breach prevention.

Core ethical issue #2 – Accuracy in descriptions and marketing

Another key ethical notion is that ecommerce companies should be straightforward in their descriptions of products through all communications – advertising, product pages, the blog, social media, and any other settings. (This aspect of ethics was central to the Musk lawsuit described above.)

Delivering on the promise, so that what a person gets in the end is what they thought they were getting from the start, is the obligation that bait-and-switch sales and deceptive advertising violate. In ecommerce, unlike traditional brick-and-mortar retail, the customer cannot see or touch a product before purchasing it. Online, they see products in videos and photos, and those images undoubtedly present the items in as near-perfect condition as possible. Notably, what the shopper sees is not the unit that gets purchased but a picture of another copy of the product.

It is easy to make mistakes with product descriptions. However, ethics require care that what the customer is actually getting is aligned with how it is presented online.

Core ethical issue #3 – Surveillance capitalism

A core issue of design ethics will be uncomfortable for many but is worth considering given the amount of data flowing through ecommerce platforms: surveillance capitalism. This issue, raised by Falbe, arises when you consider your reasons for gathering and analyzing user data. Falbe cited ethical designer Aral Balkan, who offered a disturbing analogy. Balkan noted that Facebook using data to improve its platform is similar to a cow getting a massage in order to make Kobe beef, because those massages are “not for the benefit of the cow but to make the cow a better product.” He concludes his point, “In this analogy, you are the cow.”

Falbe expanded on Balkan’s point by noting that data collection and analysis is problematic when its real aim is financial gain. People can debate Facebook’s side in this matter, but the issue of surveillance capitalism is certainly discussed in ethical circles related to web design and development.

Core ethical issue #4 – Moral agency

The notion of corporate moral agency is used by some thinkers to describe business ethics. Through this framework, any individual engaged in business is a moral agent – just as the collective of people working for a certain firm make up corporate moral agency. There is disagreement over whether a company should itself be considered a moral agent as well (beyond thinking of morality in terms of the staff as a group).

While it may not be easy to think in terms of moral agency, it can help develop a deeper understanding for ethics as a systemic value and as something to improve both individually and collectively.

Ecommerce based on key standards

Clearly, ethics matter in how business is conducted. While we expect ethical behavior from those with whom we do business, we do not always get it; to protect ourselves, we seek proof that organizations follow established standards. One of the most credible ways for a service provider to demonstrate how strong its systems are from a security and control perspective is an examination under the Statement on Standards for Attestation Engagements 16 (SSAE 16) from the American Institute of Certified Public Accountants (AICPA). Note that SSAE 16 was superseded by SSAE 18 for reports dated on or after May 1, 2017, and that the resulting SOC 1 report covers controls relevant to a customer’s financial reporting; if you want a provider’s security, availability and confidentiality controls examined, ask for its SOC 2 report as well. See our SSAE-16 and PCI-compliant ecommerce solutions.

Figuring out your cloud ROI will help you make better decisions.


As the saying goes, “You have to spend money to make money.” However, we all know that how you spend money will be a major factor in determining your success. By measuring the return on investment (ROI) of a certain expense, an organization can decide whether it is a wise choice moving forward or not.

Cloud computing is a great example of a key IT area for running the ROI formula. Increasingly cloud systems are replacing on-premise ones. Were those decisions the right ones? If you think so, you can prove it with ROI, giving you strong evidence that you are moving your company in the right direction.

This article looks at how many companies do NOT measure cloud ROI; thoughts on agility and the breakeven point from David S. Linthicum; and 5 obstacles to strong cloud ROI.

Poll: 1 in 3 firms do not measure cloud ROI

If you are not yet checking your ROI systematically, you are certainly not alone; there is clearly no consensus that performing this calculation is a high priority. Almost one-third of organizations do not determine cloud ROI, according to an international survey from the Information Systems Audit and Control Association (ISACA). The ISACA poll of chief information officers found that 68% of firms calculated cloud ROI. ISACA noted that the 32% of companies that were not calculating ROI justified their use of the technology on other grounds: transitioning from capital to operating expenses (CAPEX to OPEX), improved agility, etc.

Organizations that did calculate ROI typically used a 1-5-year timeframe for measurement. Most used a hybrid method that included both perceived quantitative and qualitative factors. The most common elements included in the hybrid model were business impact (time to market, penetration, agility, etc.), time savings, cost of transition, and staffing changes, along with capital and operating expenses.

The survey also found that companies that do come up with ROI numbers often only do it once, which misses the benefit of being able to check your expectations against results. When you look at that population that is calculating ROI, only 52% do so before and after cloud deployment, while 43% only check before and 6% only after the transition.

While 32% may seem low, the figure is rising over time, according to ISACA research director Ed Moyle. Indeed, see this InformationWeek poll of 339 organizations from 2014, showing the level at 20%. Moyle added, “If ROI is not calculated in advance of implementation, it becomes difficult to validate or refute the expected value.” To extend that thought, the validation or refutation could then occur with the second check of ROI following implementation.

An agility-based ROI model

Deloitte chief cloud strategy officer David S. Linthicum explained that this poll demonstrated using agility as the central component of an ROI model now makes more sense. Linthicum has been arguing for moving away from capital and operational cost reduction to an agility-based model since 2011. Linthicum noted that he thinks we are beginning a shift in the understanding of cloud from cost savings to agility – which he believes will lead to much greater disruption.

There are tools that you can use to determine the agility that is generated by cloud adoption. Factors including your business’s size, its level of innovation, and the vertical market all must be included to gauge your agility.

You can bring in your past metrics, and you can use the same algorithms for different environments. You could use an agility-based model to look at competitors, determining their cloud ROI.

While you can create comparative analyses, there is not much as far as cloud ROI public case studies go – so it is challenging to confirm that your numbers are solid. However, Linthicum noted that it is still a good idea to move forward with agility-centered ROI measurement since it will give you a much better sense of the true value the technology is bringing to your efforts.

Breakeven: 20% to 40% of workloads

It makes sense with a new technology to test the waters and wade in gradually. However, it is also important to realize that you will not see the ROI results that you want from cloud immediately.

While Linthicum talks a lot about the importance of agility, there are other key metrics that he believes are pivotal as well. One is commitment to the technology.

Organizations that dabble in cloud in small pieces over time will likely not see any advantage in using it, he noted. That’s because there are sunk costs (unrecoverable costs that have already occurred) related to cloud: integrating cloud systems into your management and monitoring platforms, addressing security concerns, recruiting new personnel, training, etc.

The real question is when your returns start to overcome the sunk costs. That is the breakeven point, after which cloud becomes increasingly beneficial because the bill is already partially paid. Linthicum noted that there is very little difference in cost between 500 and 2,000 workloads: once your sunk costs are recovered, operational costs do not rise significantly as you continue to add workloads. The upfront cost cannot be avoided if you want to see the ROI benefits.

The breakeven point for an enterprise with 2000 workloads is usually about 400 to 800 workloads, in Linthicum’s experience. That is equivalent to 20% to 40% of all IT processes.

Keeping only small amounts of IT in cloud prohibits an organization from seeing its full benefit. In fact, when companies run the ROI on cloud that only represents a small portion of overall computing, they will often find that ROI is negative – i.e., it is not paying for itself.

Now, while it may make sense to commit a substantial portion of your IT to cloud, you do not want to necessarily move your entire infrastructure to cloud overnight, Linthicum stressed. However, it is clear that the faster you shift most of your systems from on-premise to public cloud, the faster you will see a positive ROI. You will not typically get a benefit from the cloud when you are only moving a small amount of workloads, but only farther along the path of increased adoption.

5 things that hurt cloud ROI

While cloud ROI benefits from increased adoption, it is not as simple as overcoming a breakeven point. Issues can also arise. Consultancy Cloud Technology Partners noted a few things that stand in the way of ROI. Here are those five obstacles:

  1. Culture – Some obstacles will be within your corporate culture. You have to reconceptualize the way the business runs in order to realize the potential of cloud.
  2. Politics – Often a political problem that arises with cloud is division over the extent to which it should be adopted, with conflict often between the data center chief and whoever is advocating for cloud.
  3. Expectations – Many organizations will start out thinking immediately in terms of hybrid cloud or complex systems within cloud management platforms (CMPs). Focus your efforts before expanding to larger and more complex projects.
  4. Execution – Managing the transition can be tricky. “Minimal viable cloud” is recommended by CTP. This strategy bundles together a small group of workloads, with operations, controls, and security applied to it. Then you can add additional small sets in the same manner.
  5. Technical difficulties – Committing more fully to cloud avoids many technical issues, particularly those of integrating with your on-premise systems; combining on-premise with cloud is where the difficulty arises. Consider replacing legacy tools with cloud-based ones.

Realizing strong cloud ROI

We talk quite a bit about cloud as if it were one system, but of course, it is many — and all clouds are not created equal. To realize strong ROI, you need the fastest, most robust cloud platform in the industry. See our High Performance Cloud.

ROSI - the return on security investment


People often talk about security in terms of defenses and caution – an emergency system to prevent worst-case scenarios. However, thinking only in terms of defense and prevention can distract us from a fundamental truth: security is powerful. It has an incredible amount of value to organizations across all sectors and markets. Establishing the ROI of security – the return on security investment (ROSI) – in a systematic way is worthwhile so that you know exactly how much you are getting back for what you spend on security environments, tools, and services (such as hosting in an SSAE-16-compliant data center).

What are return on investment (ROI) and return on security investment (ROSI)?

Entrepreneur defines ROI as “[a] profitability measure that evaluates the performance of a business by dividing net profit by net worth.” If your net worth is $1 million and your net profit is $250,000, your ROI is .25, or 25 percent. A simpler way to think about ROI is to compare what you get back with what you put in. Be clear about which form you are using, because the break-even point differs: if you divide the gross return by the outlay, 100% is break-even, the point at which you have made back what you spent; if you divide the net return (gain minus cost) by the outlay, as the ROSI formula later in this post does, break-even is 0%.

Establishing a strong ROI helps to make a good business case for further investment in something we all know is important given the current digital landscape: information security.

Metrics-driven ROSI approach

By using metrics to determine how effective various security tools are, organizations can consistently assess how well their overall defenses are functioning, understand the most pronounced threats they face, and reveal areas that may need replacement or additional safeguards.

Metrics help you better understand your systems, but they are also important because they help you sharpen the analysis behind your ROSI calculations so your investment proposals are stronger. Even though determining ROSI is valuable to organizations, fewer than 1 in 5 (17%) use this approach, per the NSS Labs 2017 Security Architecture Study.

Determining the ROSI and backing it with applicable metrics is becoming increasingly important, noted Vikram Phatak on security news site Dark Reading. Phatak said that not having the ROSI figures to back up their assessments could lead to situations in which security leaders have to report “that the cause of a data center breach was a result of ‘having had [italics his] a technology solution for the problem in the budget, but it got cut.'”

The basis for the ROSI formula

Here are risk assessment concepts that you can use to leverage your metrics and make your ROSI calculations. These concepts together make up the ROSI formula:

Annual loss expectancy (ALE) – The total amount you should expect to lose to security problems every year. ALE is a control figure that shows the amount of money that can be lost assuming no changes are made.

ALE = Annual Rate of Occurrence (ARO) * Single Loss Expectancy (SLE)

Annual rate of occurrence (ARO) – ARO gauges how likely it is for a security incident to happen during a year. You can look at your history to determine how many incidents occur in the average year.

Single loss expectancy (SLE) – This figure is the total amount of money that you expect to lose during one security event. Determining the SLE can become easier and more systematic if you have organized and valuated your data. This number should at least include your direct and indirect costs for a breach.

Modified annual loss expectancy (mALE) – The mALE is identical to the annual loss expectancy except that it accounts for the losses avoided once a security measure is in place. Your improvement should be expressed in the mitigation ratio, which is the percentage of threats that the security tool blocks.

Return on security investment (ROSI) formula – Using the above concepts, you create the ROSI formula. This formula takes into account the costs and risks of security events, along with how much it costs to put a security protection into place. When you talk about ROSI, you can discuss the technical manner in which the number was calculated. Here is the formula:

ROSI = (ALE * mitigation ratio – cost of solution) / cost of solution

ROSI example #1: warehouse robots

Risk represents costs. There are potential costs associated with a risk that are mitigated with security defenses. Information security to lower risk can be very expensive. Since that’s the case, risk analysis (indicated in the above concepts) will guide organizations in determining ROSI because it will reveal just what level of investment is needed in safeguards.

An example suggested by Norman Marks in information management publication CMSWire is the defenses for robots implemented in a warehouse. The information executives at the company collaborated with business decision-makers to determine the level of risk – chance of a risk and its potential impact. The business managers, as a round figure, estimated that the total cost of a breach would be about $10 million. The chief of information security (CISO) reported that he thought the current chance that a breach of that scope would occur was 5%.

The CISO wanted to spend $250,000 annually in order to get the risk of that $10 million event down to 2%. To measure ROSI, you are adjusting the ROI formula so that you are gauging the level of risk reduction (through the mitigation ratio) rather than the level of investment gain. By reducing the risk from 5% to 2%, that would mean a 3% improvement in risk. Turn that risk chance into a real number: a 3% reduction in the chance of a $10 million loss should be calculated as 3% of that figure per year, which in this case would be $300,000. Since the idea is that you are putting in $250,000 per year of protections but are getting back $300,000 in reduced risk, your ROSI is 20%.

Additional analysis should occur to determine if the investment is sound, but that initial assessment looks positive.

ROSI example #2: UBA platform

Another example ROSI situation is described by Isaac Cohen in IDG’s CSO. In that example, a company is looking into a company-wide solution, a user behavior analytics (UBA) platform, to prevent breaches. The CIO of the company calculates that there have been 30 security incidents over the last 3 years – so 10 annually on average. In total costs related to fines, lost productivity, and lost data, each incident represents a cost of $20,000. The UBA is expected to be able to defend against 9 out of 10 current attacks. The cost of the UBA platform is $50,000 per year. The way you would calculate ROSI in this case would be as follows:

  • 10 incidents times $20,000 per incident = $200,000.
  • $200,000 times mitigation ratio of .9 = $180,000.
  • Subtract the $50,000 from that for the solution, and you get $130,000.
  • Now take $130,000 (your return) and divide it by what you spent, $50,000.
  • You get 2.6, equivalent to a 260% ROSI.
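To put the formula and both worked examples into something you can rerun with your own ARO, SLE, mitigation ratio and cost figures, here is an added Python example (written for this page; it is not from the article or from the authors it cites). It assumes the usual reading of mALE as ALE × (1 − mitigation ratio), so that the loss avoided each year is ALE − mALE = ALE × mitigation ratio, and it treats the warehouse-robot case as the same formula with ARO equal to the yearly breach probability and the mitigation ratio derived from the drop from 5% to 2%:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RosiInputs:
    """The four figures the ROSI formula needs, all on a yearly basis."""
    aro: float         # annual rate of occurrence: incidents per year
    sle: float         # single loss expectancy: cost of one incident, in dollars
    mitigation: float  # mitigation ratio: share of incidents the control blocks, 0..1
    cost: float        # annual cost of the control, in dollars


def ale(inputs: RosiInputs) -> float:
    """ALE = ARO * SLE: expected yearly loss with no new control in place."""
    return inputs.aro * inputs.sle


def modified_ale(inputs: RosiInputs) -> float:
    """mALE: expected yearly loss once the control blocks its share of incidents.
    Assumed here as ALE * (1 - mitigation ratio), the usual formulation."""
    return ale(inputs) * (1.0 - inputs.mitigation)


def break_even_cost(inputs: RosiInputs) -> float:
    """Loss avoided per year (ALE - mALE). Spending exactly this gives ROSI = 0,
    so it is the ceiling a control's annual price must stay under."""
    return ale(inputs) - modified_ale(inputs)


def rosi(inputs: RosiInputs) -> float:
    """ROSI = (ALE * mitigation ratio - cost of solution) / cost of solution."""
    if inputs.cost <= 0:
        raise ValueError("cost of solution must be positive")
    if not 0.0 <= inputs.mitigation <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    return (break_even_cost(inputs) - inputs.cost) / inputs.cost


def rosi_from_probability(loss: float, p_before: float, p_after: float, cost: float) -> float:
    """Warehouse-robot style inputs: one loss figure and a yearly probability that
    the control lowers. Same formula with ARO = p_before, SLE = loss and
    mitigation ratio = (p_before - p_after) / p_before (an assumption made here)."""
    if not 0.0 < p_before <= 1.0 or not 0.0 <= p_after <= p_before:
        raise ValueError("need 0 < p_before <= 1 and 0 <= p_after <= p_before")
    reduction = (p_before - p_after) / p_before
    return rosi(RosiInputs(aro=p_before, sle=loss, mitigation=reduction, cost=cost))


if __name__ == "__main__":
    # Example #1 from the article: $10M loss, 5% -> 2% per year, $250K control.
    print(f"warehouse robots: ROSI = {rosi_from_probability(10_000_000, 0.05, 0.02, 250_000):.0%}")
    # Example #2: 10 incidents/year at $20K each, 90% blocked, $50K platform.
    uba = RosiInputs(aro=10, sle=20_000, mitigation=0.9, cost=50_000)
    print(f"UBA platform: ALE = ${ale(uba):,.0f}, "
          f"ceiling = ${break_even_cost(uba):,.0f}, ROSI = {rosi(uba):.0%}")
```

Running it reproduces the 20% and 260% figures from the two examples. A negative ROSI means the control costs more per year than the loss it avoids, and break_even_cost gives the largest annual spend that still leaves ROSI at zero, which is a handy yardstick when comparing vendor quotes against the same ALE.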

Strong security for your critical data

Implementing strong security is in part about finding the right partners. At Total Server Solutions, our SSAE-16 Type II audit is your assurance that we follow the best practices for keeping the data center up and running strong. See our security commitment.

Lock against code - WordPress security steps to take in 2018

Posted by & filed under List Posts.

Statistics garnered from analysis of tens of thousands of WordPress sites within the Alexa top 1 million suggest why hackers often choose WordPress to attack. Incredibly, the study from WP WhiteSecurity found that 70% of installations are vulnerable to hacking.

The researchers looked at the WordPress installation status and behavior of these WordPress sites in the four days following the release of WordPress 3.6.1 (replacing 3.6) on September 11, 2013. The researchers found that there were 74 different versions of the WordPress software being used. Four days following the release of WordPress 3.6.1, 30.95% of the websites (13,034 WordPress installations) were still running WP 3.6, which had known security flaws.

Five years later, many sites could still use help with security best practices. The below steps to harden WordPress in 2018 will discuss fast updating and other actions you can take to better protect your sensitive data.

Quickly update to new WP versions.

WordPress is open source, and it is frequently updated to patch security holes (as well as to fix bugs and add features). You typically do not need to worry about minor updates, because WordPress auto-installs them by default. However, when updates are classified as major versions, you will have to start the update process manually.

Beyond the core code, there are thousands of themes and plugins that you can attach to your site; these add-ons are developed by independent parties, and the most attractive ones are also updated regularly.

Updates are critical for your site’s security, as well as its stability. All components of your site should always reflect the most up-to-date version of the software.

Use a password manager, and strengthen your passwords.

If you know any of your passwords and have used them to log in to an account on another service, your password policy should be changed, noted Gerroald Barron of premium WP plugin firm iThemes. A strong password is long, unique (i.e., only used once), and randomly generated. If you are able to remember any of your passwords, they probably need to be strengthened. If you have a credible, well-maintained password manager, you can keep your account logins secure while also being able to choose random strings of characters (as you can do through Perfect Passwords).

A password manager can both generate passwords and securely store them via a browser extension. You then just need to know the master password for the password manager.

Utilize a web application firewall (WAF).  

Using a web application firewall will help stop unauthorized traffic prior to it accessing your site.

Switch your WP salts and keys routinely. 

Another important task brought up by Barron is regular replacement of salts and keys. WordPress stores data in your browser, as cookies, to verify anyone who uses the installation internally or places a comment. It is important that all the login data stored in these cookies is encrypted so no one can view it after the fact. WordPress achieves that encryption through authentication salts and keys stored in the configuration file (wp-config.php). Modify these on a regular basis. If you want, you can use a plugin to manage the process.
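For the salt and key rotation just described, here is an added Python example (not from the article or from iThemes) that generates fresh random values for the eight constants WordPress reads from wp-config.php and rewrites the existing define() lines in place, leaving every other line of the file alone. The configuration excerpt in it is constructed for the demonstration, and the script assumes the single-quoted define() form that WordPress's own sample config uses:

```python
import re
import secrets
import string

# The eight secret constants WordPress reads from wp-config.php to sign its
# authentication, logged-in and nonce cookies.
WP_SECRET_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus the three characters that would end or escape a
# PHP single-quoted string literal.
_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\"\\"
)

# One single-quoted define() line for any of the constants above
# (the form used in WordPress's wp-config-sample.php).
_DEFINE_RE = re.compile(
    r"^[ \t]*define\(\s*'(" + "|".join(WP_SECRET_CONSTANTS)
    + r")'\s*,\s*'([^']*)'\s*\);[ \t]*$",
    re.MULTILINE,
)

# Constructed excerpt of a wp-config.php for the demonstration (not a real site's file).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def generate_secret(length: int = 64) -> str:
    """One secret from the CSPRNG, drawn only from the PHP-safe alphabet."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def generate_wp_secrets(length: int = 64) -> dict:
    """Fresh, independent values for all eight constants."""
    return {name: generate_secret(length) for name in WP_SECRET_CONSTANTS}


def extract_wp_secrets(config_text: str) -> dict:
    """Current values of the eight constants found in wp-config.php text."""
    return {m.group(1): m.group(2) for m in _DEFINE_RE.finditer(config_text)}


def rotate_wp_secrets(config_text: str, new_values: dict) -> str:
    """Rewrite each define() line with its new value; every other line is untouched."""
    missing = set(WP_SECRET_CONSTANTS) - set(new_values)
    if missing:
        raise ValueError(f"no new value for: {sorted(missing)}")
    # A callable replacement keeps the value literal even if it contains
    # characters re.sub would otherwise read as backreferences.
    rotated = _DEFINE_RE.sub(
        lambda m: f"define( '{m.group(1)}', '{new_values[m.group(1)]}' );", config_text)
    if set(extract_wp_secrets(rotated)) != set(WP_SECRET_CONSTANTS):
        raise ValueError("config did not contain define() lines for all eight constants")
    return rotated


if __name__ == "__main__":
    print(rotate_wp_secrets(SAMPLE_CONFIG, generate_wp_secrets()))
```

Point it at a copy of your real wp-config.php, review the diff, then swap the file in. Rotating these values invalidates every cookie signed with the old ones, so all logged-in users, including you, will be asked to log in again; that is the intended effect.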

Disable file editing.

There is a code editor built into WordPress that enables editing themes and plugins from the admin page. This feature should be disabled so that no one exploits it to insert malicious code.

To disable file editing, you need to insert a snippet of code yourself into the wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Strengthen user and admin logins.

Go beyond the use of strong passwords. You certainly want to change the administrative account name from admin to something else. Actually, it is a good idea to create a new user and assign it with admin privileges. The admin account can then be removed or switched to having subscriber permissions.

Use two-factor authentication (2FA) for better security. When you use two-factor authentication, you are sent an additional token or code to a secondary device for an extra layer of authentication.

Change the default setting to limit the allowable login attempts. You can limit the number of login efforts through a plugin. Some plugins will additionally ban the IP address of the user and send you a notification about the incident.

Finally, switch to a custom login page. You can prevent the vast majority of brute-force attacks through taking greater care with your username and password, as well as changing the URL for login. Examples of changed URLs from Anushree Sen of Page Potato are as follows:

  • Change wp-login.php to my_new_login
  • Change wp_admin/ to my_new_admin
  • Change wp-login.php?action=register to my_new_registration.

Back up the WordPress database.

To improve your database security, create a backup at regular intervals. Backups may not seem to be security measures, but they are, because they ensure that you still have a clean copy of the data regardless of whether an attack succeeds. Backing up will allow you to know that you can recover if a disaster occurs. Data should be backed up regularly – at least once per day. Secure cloud backup is a strong idea. Your hosting service could keep the backup safe and in a distant physical location, for additional disaster preparedness.

Change your database table prefix.

It makes it easier to conduct SQL injection attacks when the default prefix for your database table is retained. It should be changed to a challenging string of characters. The default prefix is wp_. You could change to wp_38sjR94_, for instance. Whatever you choose, do not go with your domain name as the prefix. In order to change this prefix, update the wp-config.php file. You can only use numbers, letters, and underscores.

Here is the adjusted line in code:

$table_prefix = 'wp_38sjR94_';

Now go to your database, via phpMyAdmin. There, modify the name of the table so it matches what you put in the configuration file. If you use cPanel, you will see phpMyAdmin within it, in the Databases section. Once you are in, run this SQL query from WPBeginner to change the names with one action:

RENAME table `wp_commentmeta` TO `wp_38sjR94_commentmeta`;
RENAME table `wp_comments` TO `wp_38sjR94_comments`;
RENAME table `wp_links` TO `wp_38sjR94_links`;
RENAME table `wp_options` TO `wp_38sjR94_options`;
RENAME table `wp_postmeta` TO `wp_38sjR94_postmeta`;
RENAME table `wp_posts` TO `wp_38sjR94_posts`;
RENAME table `wp_terms` TO `wp_38sjR94_terms`;
RENAME table `wp_termmeta` TO `wp_38sjR94_termmeta`;
RENAME table `wp_term_relationships` TO `wp_38sjR94_term_relationships`;
RENAME table `wp_term_taxonomy` TO `wp_38sjR94_term_taxonomy`;
RENAME table `wp_usermeta` TO `wp_38sjR94_usermeta`;
RENAME table `wp_users` TO `wp_38sjR94_users`;

You may also have to add a few lines related to any plugins since they will sometimes insert their own tables into the database. Your goal here is to adjust all of the table prefixes.
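To generate the whole migration for a prefix of your choosing rather than editing twelve statements by hand, here is an added Python example (not from the article or from WPBeginner). It validates the prefix against the letters-digits-underscores rule before it goes anywhere near a SQL string, emits the RENAME statements for the core tables plus any plugin tables you list, and adds the two UPDATE statements WordPress also needs because it stores the prefix inside row data (the wp_user_roles option and user meta keys such as wp_capabilities and wp_user_level); skipping those leaves every account without a role after the rename. It assumes MySQL or MariaDB, where a backslash makes the underscore literal inside LIKE. The myplugin_log table name in the usage line is a constructed placeholder:

```python
import re

# The 12 core WordPress tables renamed in the article; plugins may add their own.
WP_CORE_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "termmeta", "term_relationships", "term_taxonomy",
    "usermeta", "users",
)

# wp-config.php rule for $table_prefix: letters, digits and underscores only.
_IDENT_RE = re.compile(r"[A-Za-z0-9_]+")


def is_valid_ident(value: str) -> bool:
    """True if value is safe to splice into a backtick-quoted identifier."""
    return bool(_IDENT_RE.fullmatch(value))


def validate_ident(value: str) -> str:
    """Refuse anything but letters, digits and underscores before it reaches SQL."""
    if not is_valid_ident(value):
        raise ValueError(f"invalid identifier: {value!r}")
    return value


def config_line(new_prefix: str) -> str:
    """The replacement $table_prefix line for wp-config.php."""
    return f"$table_prefix = '{validate_ident(new_prefix)}';"


def rename_statements(old: str, new: str, plugin_tables=()) -> list:
    """One RENAME TABLE per core table, plus any plugin table suffixes given."""
    old, new = validate_ident(old), validate_ident(new)
    suffixes = tuple(WP_CORE_TABLES) + tuple(validate_ident(t) for t in plugin_tables)
    return [f"RENAME TABLE `{old}{s}` TO `{new}{s}`;" for s in suffixes]


def row_data_fixups(old: str, new: str) -> list:
    """WordPress also embeds the prefix in row data: the option named
    '<prefix>user_roles' and usermeta keys such as '<prefix>capabilities' and
    '<prefix>user_level'. These must be rewritten or no user keeps a role.
    Assumes MySQL/MariaDB: a backslash makes '_' literal inside LIKE,
    otherwise 'wp_%' would also match keys starting with 'wpX'."""
    old, new = validate_ident(old), validate_ident(new)
    like_old = old.replace("_", "\\_") + "%"
    return [
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';",
        f"UPDATE `{new}usermeta` SET meta_key = "
        f"CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like_old}';",
    ]


def migration_script(old: str, new: str, plugin_tables=()) -> str:
    """Complete statement list, in the order to run it: renames first, then fixups."""
    return "\n".join(rename_statements(old, new, plugin_tables) + row_data_fixups(old, new))


if __name__ == "__main__":
    print(config_line("wp_38sjR94_"))
    print(migration_script("wp_", "wp_38sjR94_", plugin_tables=("myplugin_log",)))
```

Take a database backup first, run SHOW TABLES to collect the plugin table names for the plugin_tables argument, and run the generated script in phpMyAdmin only after the new $table_prefix line is in wp-config.php; doing the two steps in the other order leaves the site pointing at tables that no longer exist.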

Choose a secure host.

According to Sen, your choice of a secure WordPress host is the most important one you will make related to data protection. Your account could be hacked if you use a low-end shared hosting service. “[C]hoos[e] a reputable and trusted web-hosting service provider… who understands the risks of cross-contamination, segregates the website accounts and configures the security permissions of each account present in their WordPress-optimised environment,” noted Sen.

Are you in need of a secure WordPress environment? Turning to an experienced WordPress hosting provider allows you to leverage the niche expertise derived from focusing on IT infrastructure. At Total Server Solutions, our data center is PCI-DSS compliant and SSAE-16 audited. See our commitment to the security gold standard.

With growth of malware and ransomware, security is a top priority.

Posted by & filed under List Posts.

It is easy to develop blind spots in our thinking, particularly toward things that we see often, as if they become invisible to us after so much repetition. For instance, we may read so much about cyberattacks and how important security is that it may make it more difficult to logically consider the topic and strategize protection. After all, just about every type of system you can imagine has been hacked, from smart city technology and alarm systems to mobile bank apps, plane systems, and cars.

The seeming overabundance of attention on cyberattacks is actually a window into the reality that the threat landscape is increasingly complex and must be confronted to avoid huge losses. Spurred by various forces, companies know that cybersecurity deserves consideration – but they do not always move forward systematically. This article looks at drivers of cybersecurity as a top priority, evidence of failure to implement full security best practices, and steps you can take to fortify your posture.

3 forces driving the increasing importance of cybersecurity

According to a 2017 Fortinet poll of IT executives, three key reasons that cybersecurity is becoming a bigger priority in business boardrooms are:

Cloud migration proliferating – It is no secret that cloud is being utilized more broadly within business. With workloads being switched over to cloud, nearly three-quarters of IT security executives said that they think cloud security is becoming a greater concern. Just over three-quarters (77%) said that their boards were recognizing cloud security and a budget to ensure it as top points of focus. The actual implementation of cloud security solutions was not quite as high, though, with only half of those polled (50%) saying that they would adopt cloud security solutions in the upcoming 12 months.

Regulatory scrutiny growing – Greater prioritization of IT security is also fueled by additional regulations, cited by one-third of those polled (34%). Of particular interest is the General Data Protection Regulation (GDPR), which could bring fines, additional costs, and credibility concerns (since violations are posted publicly).

Cyberattacks and data breaches rising – The vast majority (85%) said that their organization had suffered a data breach. The most common form of attack was malware and ransomware, listed by nearly half of decision-makers surveyed (47%). There was progress in the right direction in making security a bigger focus following WannaCry and other prominent worldwide attacks. The scope and makeup of today’s attacks are making it a concern of boards rather than just IT leadership.

Concern with security does not always result in action

Agreeing with the above survey, another indicator of how critical security is to business comes from the UK’s Department for Culture, Media and Sport. When this agency polled more than 1500 UK-based businesses in 2017, nearly three-quarters (74%) said that digital security was a top priority for senior management, while two-thirds (67%) said that they had purchased cybersecurity systems or services in the previous year. Investment in cybersecurity was stronger with larger organizations: the survey found that 91% of those from large enterprises had spent on information security, while the number was 87% for midsize firms. The safeguarding of customer data was the #1 reason for cybersecurity investment, cited by 51% of those surveyed. Problematically, only one in three respondents said that their business had a formal cybersecurity policy in force (or had cybersecurity guidelines listed within audit documentation or a business continuity plan). The number was even lower for the implementation of cybersecurity incident management plans (i.e., the actions to take if you were to learn you were being attacked): just 11 percent of UK organizations polled had one enacted.

Perhaps the key point to take away from that survey is that businesses are generally prioritizing security – investing in security technologies, for instance – but do not comprehensively follow cybersecurity best practices. As George Ralph noted in Private Equity Wire, “It seems like the fear of attack has induced spend, but hasn’t extended to policies and procedures that could reduce the threat of attack, or ensure attacks were dealt with more effectively.”

Taking action for better cybersecurity

Here are 7 action steps you can take to improve your cybersecurity, from the International Council of E-Commerce Consultants (EC-Council), PricewaterhouseCoopers, and Deloitte:

#1 – Take a proactive approach to cybersecurity.

It is critical to develop some knowledge about common threats and understand essential ways that you can identify threats, noted Deloitte.

#2 – Go beyond risk avoidance to building resiliency.

PwC found that organizations that were creating a climate of risk resilience were seeing better long-term financial gains than those that were simply responding to problems as they arose. The PwC researchers gave the example of Japan following the tsunami in 2011, when businesses that had risk management programs with business continuity plans were able to get back up and running much more quickly than those that did not.

#3 – Test for the weakest link.

Seeing how well you handle mock situations can inform a much stronger approach, so use stress tests. These tests should incorporate all your interdependencies, so that you know what might go wrong with other systems on which your own systems rely.

#4 – Strengthen your defenses.

Develop a complete strategy for patching, secure software development, and a secure physical environment, said Deloitte.

#5 – Give special attention to threats that could alter or eliminate data.

While confidentiality now stands as the most critical objective of cybersecurity within the business world, integrity will take its place in the near future, per Dan Geer (cited by PwC), who specializes in risk management and IT security. A heightened focus on maintaining integrity will facilitate recovery from an attack. Blockchain is one technology that will assist organizations with integrity.

#6 – Maintain oversight and make updates.

Typically organizations detect vulnerabilities, create patches, and keep threats from becoming broader problems. At the same time, many businesses do not make sure that their disaster recovery plan is relevant to their circumstances or that their staff remains informed on key security concerns, per the EC-Council.

While it is critical to monitor your system and react to what you see, monitoring is not enough on its own. It is important, said the council, to change the way that you approach cybersecurity given the continuing growth and development of threats. The council suggests including these three strategies:

  • Establish an inventory that routinely scans your assets and rapidly locates vulnerabilities.
  • Fix vulnerabilities systematically through a mitigation process.
  • Organize and consolidate your threat intelligence in a central location.

#7 – Be aware of ransomware.

According to Panda Security, we were already clocking 230,000 new malware samples per day in 2015. Specifically, ransomware is on the rise. This type of attack occurred 36% more frequently in 2017 and is projected to become increasingly prevalent.

As the EC-Council puts it, what is now occurring in cybercrime is mass blackmail. Ransomware is a threat to the confidentiality of private information. Malicious parties access your personally identifiable information (PII), encrypt it, and also transfer out a copy of all the data from company devices – for leverage in blackmail efforts. The thieves then demand payment, which is sometimes collected in installments.

Your secure ecommerce platform

Do you need full-featured ecommerce software run on secure infrastructure? At Total Server Solutions, your data is hosted within our PCI-DSS and SSAE-16 compliant datacenter. See our comprehensive ecommerce solutions.

cloud infrastructure - deciding what to put in the public and private components

Posted by & filed under List Posts.

Public, private, and hybrid are the three primary forms of cloud in use by organizations. As its name suggests, hybrid is a blend of the private and public models. A company with a hybrid cloud is able to choose the public or private setting for each given scenario. Michael Moore notes that companies will typically use private cloud when they need the strongest security and public cloud for any systems that they want to be as mobile and scalable as possible. 

Hybrid cloud: it’s about choice

Anyone who is paying much attention to business IT knows that adoption of cloud is widespread. The extent to which cloud has become standard is mind-boggling, with infrastructure that incorporates numerous public and private clouds implemented in almost 95% of organizations in 31 nations, per IDC. This multicloud scenario is complicated, with Kentik reporting that more than a third of firms say cloud is the technology responsible for the greatest network complexity.

Given this challenge, organizations are increasingly turning to the hybrid cloud model to better manage the complexity. A hybrid cloud makes it possible for organizations to improve the agility of their systems, quickly develop and release apps, and run workloads in the settings that are best for specific situations.

Often organizations will choose to run some of their less sensitive systems externally while keeping their more critical data within their own data center, noted Nick Ismail, concurring with Moore. Using a hybrid cloud also allows an organization, based on analysis of cost and capacity, to shift workloads between public and private systems.

Deciding what to store in your private cloud

It is a matter of trust, really, that organizations want to handle certain data in their own private clouds. Oliver Rist and Juan Martinez noted that choosing to run systems yourself or to use the systems of an external provider is similar, in a way, to deciding whether you want your cash to be in your pocket or held by another person.

Rist and Martinez said that this idea of money being held by you or someone else is overly simplistic, though, since decisions to move data outside an organization often have to do with the resources available to the organization. To extend the analogy, if you have a sack of money, you might not have a secure location to store it. A credible person you know might work at Fort Knox and be able to store the cash there for you while allowing you access to it as needed. Going back to the issue of trust, it would certainly make sense to store the money in Fort Knox if you trust your friend who works there.

Most small and midsize businesses lack capital to be able to create a high-grade security system for themselves in-house, so public cloud is attractive even for more sensitive data. After all, public cloud has much better security than many people think, as discussed below. 

Deciding on your public cloud partner

Using an infrastructure-as-a-service (IaaS) company (i.e., a public cloud server provider) gives you access to their physical hardware, storage devices, and switches for the management of your data. The beauty of this setup is that you are not in charge of figuring out how and where to move your workloads if a server goes down.

Clouds that are set up in-house also do not give you the same in-the-moment flexibility as a public cloud. For instance, when you think that you will get a spike in hits to your site during a certain period (think the holidays), you can launch a public cloud machine just for that period of time, then shift off it once traffic is back at a normal level.

If you do use public cloud, you only need to fund the resources you use. If you use your own data center instead, it is necessary to buy additional servers so that your capacity meets demand during that short period. When the rush is over, suddenly you are grossly underutilizing your hardware.

Finding a public cloud provider is not as simple as looking at a list of technical parameters and determining the host that best meets them. Keep in mind that you should be on the same page as your provider, advised Rist and Martinez, who added that “[y]ou’ll truly be partnering with your vendor to ensure the performance and security of your business data.” 

Considering the security of public cloud

Hybrid cloud is essentially about dividing your workloads into public and private sides, and, as indicated above, security is often the primary consideration for these decisions. The basic notion is that your data center is secure, so the important data should go there; only unimportant systems should go to cloud. While that may seem reasonable, it really is not, as suggested by the Fort Knox analogy above and by various cloud thought-leaders.

Public cloud is a setting in which many infrastructure and data security experts are on staff, which leads to better all-around protection than is typically available through an on-premise datacenter. David Linthicum noted that IT professionals tend to think they are more adept at security than outsiders would be. However, he stressed that “public cloud is more secure than the typical data center.”

Linthicum argued that public cloud vendors have stronger security tools installed and pay more attention to vulnerabilities within their ecosystems than is true of most organizations. Consider that public cloud providers are exciting entities for hackers to attack since the data they hold and process is so extensive. The solutions that are deployed system-wide by IaaS vendors are typically cutting-edge, featuring artificial intelligence and pattern matching capabilities.

It only makes sense that cybercriminals would opt for simpler projects than cloud providers, which is why they instead go after on-premise data centers. That is backed up by an October 2016 analysis at the Infosec Institute, which found that most successful attacks on enterprises that have been covered in the news have been of in-house rather than cloud systems.

Quentin Hardy, deputy technology editor for the New York Times, agreed with that assessment, noting that the majority of headline-grabbing cyberattacks were not of public cloud but of traditional server setups. To go back to Fort Knox again, Hardy also compared data to money in these considerations, saying that a bank vault (an external location in which money from numerous people is held) is a better place to store money than within your dresser – because the former, said Hardy, has “got more protection from bad guys.”

Setting up the entire hybrid cloud with a hosting service

Given the protections that are standardly built into public cloud, many businesses decide to go “all-in” with public and skip private cloud entirely. That is true of many SMBs and startups, but it is also true of some major enterprises. The most prominent example is probably General Electric, which announced in 2014 that it was eliminating 90 percent of its internal data centers, moving the systems they supported to public cloud.

However, there is another option that gets the data out of your own data centers without having to place complete confidence in the public setting: third-party-hosted hybrid cloud. That scenario charges the web host with creating an architecture that couples their current public cloud with a private cloud (one for your exclusive use) on your behalf.

Your hybrid cloud partner

Whether it makes more sense to your organization to look to an outside environment for an entire hybrid deployment or just its public portion, it is critical to work with a company that you can trust. At Total Server Solutions, our infrastructure meets American Institute of Certified Public Accountants (AICPA) standards, and our cloud hosting boasts the highest levels of performance in the industry. See how we make our cloud so fast.

The ecommerce process -- reducing your shopping cart abandonment with a few simple strategies

Posted by & filed under List Posts.

Shopping cart abandonment is one of the biggest ongoing concerns of ecommerce companies. After all, you don’t want to expend energy and resources to attract visitors to your site only to lose them halfway through the buying process. Unfortunately for owners and managers of online stores, there is actually a higher likelihood that someone will abandon a cart than that they will go through with the purchase. An analysis that averaged statistics from 40 studies found that the average shopping cart abandonment rate is 69.89%.

A report from Business Insider mentions some bad news and good news related to this challenge, noting that it is extremely costly but also represents an opportunity to improve revenue. The analysis specifically looked at retailers, estimating that 63% of the $4 trillion they lose annually to abandonment could potentially be recovered. Plus, cart abandonment usually does not mean the loss of the sale or customer; in fact, three-quarters of those who leave behind their carts report that they are planning to either come back and make the purchase online or visit the same retailer’s local store. That is the good news. The bad news is that shopping cart abandonment is on the rise, in part because of the increase in mcommerce (shopping via mobile device). This report suggests that it may be worse than the above rate, with Barilliance calculating a 74% average abandonment rate in 2013.

What can you do about this issue? Here are a few strategies by ecommerce and conversion thought-leaders:

1.) Improve trust.

With an incredible 31.8 million consumers suffering from credit card fraud in 2014, it is no wonder that people are skeptical about giving their sensitive financial data to websites.

Trust logos are one common feature that is used to increase confidence in the buying process, noted SEMrush. Perhaps these seals are most important in terms of meeting expectations; one analysis found that 3 in 5 shoppers (61%) left a site because they did not see any trust seals.

These logos are typically tied into security products, so you will be getting actual technological improvements along with the ability to show off the seal. To show your customers that their data is safe, get a valid secure sockets layer (SSL) certificate and show its security logo, potentially along with other trust symbols (PayPal Verified, MasterCard SecureCode, TRUSTe, etc.), on your site.

2.) Install exit-intent popups.

Popups are a major cause of annoyance online, so many companies are hesitant to use them. However, exit-intent popups can give a major boost to your conversion, per OptinMonster. This type of popup, which can be implemented on checkout pages or anywhere else on your site, is driven by an algorithm that attempts to detect when a person is about to leave the site. The popup is geared toward keeping them on the site by introducing further information or giving them a special offer.

OptinMonster provides the example of a “Don’t Go” popup that offers 10% off with the coupon code DONTGO and has boxes for the user to enter their name and email for later order completion.

3.) Simplify checkout.

You are likelier to have someone abandon their cart if they experience any confusion along the way. Be careful about checkouts that involve numerous pages and forms, instead favoring express checkout.

Three elements suggested by Small Business Bonfire to make checkout easier for shoppers are the option to keep the address the same for billing and shipping, the use of auto-fill forms, and the implementation of single-click checkout.

4.) Make the cart visible throughout.

According to data from KISSmetrics, nearly a quarter of people (24%) said that they would prefer to save their cart for possible later purchase. Since so many customers are interested in completing a purchase at some point, it helps to keep the cart highly visible so they remember it, said OptinMonster. For instance, you could implement a cart icon in the corner of the page that automatically expands when you hover over it.

5.) Expand ways the customer can pay.

Having more payment options can complicate management and accounting, but it is important to make checkout as user-friendly as possible with multiple payment options, noted Small Business Bonfire. For instance, it can be a good idea to take both credit cards and PayPal.

6.) Incorporate cart abandonment emails.

When someone is abandoning their cart right at the end, that may seem frustrating – but, as SEMrush points out, it is actually positive because you have probably already collected their email address. A notification should be sent out immediately that they left items in their shopping cart, via autoresponder. You actually want that notification to be a series, with a couple more messages sent during the ensuing 24 hours.

7.) Implement guest checkout.

You do not want to drive shoppers away by making it necessary for them to have an account before they can buy. When they have to register prior to purchase, it complicates the process, and some people will leave, noted OptinMonster.

Think about it this way: by requiring an account, you are essentially demanding that the user enter their basic account information, confirm their email address, and then come back to the shopping cart to finalize the purchase. For people in a hurry, these extra steps can feel too inconvenient.

By allowing guest checkout, you get around the need for account registration. It is a better idea to try to turn guest purchasers into accountholders after the fact than it is to eliminate guest checkout entirely.

Strong ecommerce platforms make it simple to enable guest checkout. Users then have the option to create an account once the purchase has been completed.

8.) Don’t forget the human touch.

Autoresponders may make sense for some situations, but you will have greater success if you personally reach out to people right after the cart was abandoned to see if you can be of any assistance, explained SEMrush. The reason they left may be as simple as a payment or coupon code error. If you are able to help the person find the answer they need – to again make checkout simple for them – they may return and complete the transaction.

9.) Make all charges transparent.

People do not want to see the price rise substantially during the checkout process. Adding fees during checkout can prompt someone to leave their cart, noted Small Business Bonfire. Stating the full amount of the product as quickly as possible, with shipping and any other fees included, will let the shopper know exactly how much they will be charged.

10.) Include social proof.

Another thing that makes a difference when a person is deciding whether to place an order is showing them that they are unlikely to experience buyer’s remorse. By presenting ways that your products have helped other people, social proof allows online shoppers to feel less worried that they will regret the purchase.

Here are a few methods, suggested by SEMrush, for adding social proof to an ecommerce site:

  • Put testimonials on landing pages and top reviews on product pages.
  • Send post-purchase messages to customers asking them to leave you a review.
  • Incorporate software such as Notify to show shoppers that other people are buying from you.

11.) Improve your speed.

One other key reason that people leave a site is that it loads too slowly. While there are many tactics you can use to make your site faster, one of the key ones is to ensure your infrastructure is built for speed. At Total Server Solutions, we know what it takes to keep high-volume, high-quality shopping cart sites running strong. See our high-performance ecommerce hosting solutions.

HIPAA risk analysis - steps to achieve - doctor on laptop


As you consider your risk analysis and efforts to keep it HIPAA-compliant, it is helpful to understand that the notion of risk is inherently context-based. Whenever you think about risk, initial questions to ask yourself are:

  • What asset am I attempting to protect?
  • What are potential threats?
  • What must be defended?
  • How substantial is the risk?

To look at the notion of context and how important it is to risk, Sarah Morris of KirkpatrickPrice suggested the analogy of a tire that has significant wear-and-tear. When you think of it in terms of driving, its condition is awful, and it represents great risk. If you took the tire off your car and instead used it as a tire swing, you would remove the friction of the roads and no longer have the risk. With that in mind, Morris recommends not jumping to conclusions when it comes to determining your amount of risk, since you need to completely understand the context. Once you have completed the analysis, you will be able to gauge your risk using that specific information.

Moving forward with your risk analysis

To understand your context so that you have a sense of your risk, you must conduct a risk analysis. The steps for performing a HIPAA-compliant risk analysis are as follows: 

Step 1.) Know key terms.

Major terms that are important to understanding HIPAA law are:

  • covered entity – Under HIPAA, a covered entity is a healthcare provider, plan, or data clearinghouse.
  • business associate – When covered entities use third parties to handle their protected health information (PHI), that organization is called a business associate.
  • business associate agreement – This term refers to a contract signed between a covered entity and any third party handling its PHI, stipulating responsibilities related to its protection.
  • electronic protected health information (ePHI) – When medical information is digitized into electronic health records (EHR), the data contained within IT environments is called ePHI (although PHI can be used as a catchall).
  • protected health information (PHI) – Typically shortened to its acronym, this term refers to sensitive personally identifiable health data that is safeguarded by HIPAA law.
  • Security Rule – A key stipulation of HIPAA’s Title II, the Administrative Simplification Provisions, this rule provides guidelines for the protection of electronic health records.

Step 2.) Know basic requirements of HIPAA law.

Within the Security Rule is the Security Management Process standard, which states that HIPAA compliance requires procedures and policies that avoid, identify, limit, and remediate any security issues that violate healthcare law.

The part of HIPAA that discusses the need for risk analysis is 45 C.F.R. § 164.308(a)(1)(ii)(A). To summarize that section:

In order for any organization to achieve HIPAA compliance, it is necessary to extensively review any possible risks to the ePHI that might expose it, corrupt it, or make it unavailable.

A description of strong risk analysis questions is contained in NIST Special Publication (SP) 800-66. Here are the questions (which are not mandatory or all-inclusive but suggest possible directions that may apply to your situation):

  • Do you know where the electronic protected health information is within your system (accounting for all data you generate, store, send, or receive)?
  • How is your ePHI handled externally, as when service providers produce, store, send, or receive healthcare data?
  • What poses a risk to the ePHI within your data environment, including all environmental, natural, and human threats?

While a risk analysis has direct benefits in terms of understanding your risk, you will experience indirect benefits as well, since it guides you toward better compliance with other standards of the law. For instance, while the Security Rule labels certain implementation specifications as “required,” it labels others as “addressable.” The HHS clarified that it is not your choice whether to comply with addressable items. Instead, the entity should look at each addressable specification in terms of how reasonable and appropriate it is, given the context.

Step 3.) Assess the scope of your analysis.

Examine all of the equipment and digital environments within your organization that generate, send, store, or receive ePHI with respect to the physical, administrative, and technical safeguards described within the law. Servers and computers are a clear place to start, but think broadly as you consider your technology, as noted by the American Medical Association (AMA). For instance, photocopiers will typically have hard drives within them that store images of everything that you scan. All mobile technology that handles ePHI should be included within your scope as well. Also at this point, create an asset list and write down a diagram or outline of the ePHI workflow.

Step 4.) Determine possible weaknesses and threats. 

When you look at the ways in which you might be vulnerable, you can benefit from the work you did in determining your scope so that you know the locations to look for weaknesses and threats. It is important to ask the same questions about your environment repeatedly so that you are considering all the potential problems that may arise in various segments of your system that handle sensitive health data. 

What you want to achieve at this point is a full picture of everything that might put your firm at risk. It is also when you can create an inventory of all the security methods that are currently implemented. Typically you will need to talk within your organization – with the office manager, for instance – as well as having discussions with knowledgeable outside parties related to the ePHI threat landscape and standard protections. 

Step 5.) Evaluate your risk. 

As stated above, risk is all about context. The nature of the systems you are protecting will lead to a reasonable understanding of how likely data breaches are to occur – and how devastating the outcomes would be.

An example negative situation that is a common HIPAA violation is the loss of an unencrypted laptop. The risk that laptop loss poses differs between organizations, though. For instance, a practice that visits patients in their homes could consider loss of laptops a high risk, since such a loss is quite likely to occur and because the laptops might contain ePHI related to patient visits. Encrypting the laptops mitigates that risk.

Also rank your risks during this process. You can determine your overall level of risk at this point as well.

Step 6.) Finalize your documentation.

Create a document that outlines the findings of your risk analysis (some of which is already composed). Make sure that this writeup includes the list of all your assets, weaknesses, threats, likelihood of occurrence, impact, controls that are now implemented, ranking of your controls, any residual risk you might have, and any advice that you have in terms of new controls to deploy.

Step 7.) Review and update your risk analysis process moving forward.

Risk analysis should be an ongoing project, of course. It should occur once a year, according to the AMA. Deciding how often to perform these assessments is context-based as well, though. As noted in Healthcare Informatics, “Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every three years) depending on circumstances of their environment.”
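Steps 3 through 7 above describe one procedure: inventory the assets that handle ePHI, pair each with its threats and weaknesses, score likelihood and impact with the controls already in place credited, rank the results, write them up, and schedule the next review. The block below is an added example, not code from the original post or from any HIPAA or NIST guidance, that carries that procedure through as a small risk register. The 1-to-5 scales, the likelihood x impact scoring, the rating thresholds, the 365-day review interval and the three sample assets (the home-visit laptop from step 5, the photocopier from step 3, and an EHR server) are all constructed for illustration; the class and function names are this example's own.

```python
"""A minimal HIPAA-style risk register: scope (assets holding ePHI), threats and
vulnerabilities, likelihood/impact scoring with current controls credited,
ranking, and the written findings with a review date.

Added example; scales, thresholds and sample data are illustrative only.
"""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import List, Tuple

SCALE = range(1, 6)  # 1 = very low ... 5 = very high, for both likelihood and impact


@dataclass
class Control:
    """A safeguard in place (or proposed) and what it buys you."""
    name: str
    reduces: str  # "likelihood" or "impact"
    by: int       # points taken off that score, floored at 1


@dataclass
class Risk:
    asset: str               # where ePHI lives (step 3 scope)
    threat: str              # what could go wrong (step 4)
    vulnerability: str       # the weakness the threat exploits (step 4)
    likelihood: int          # 1-5 before controls (step 5)
    impact: int              # 1-5 before controls (step 5)
    controls: List[Control] = field(default_factory=list)
    recommendation: str = ""  # advice on new controls (step 6)

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be 1-5")
        for c in self.controls:
            if c.reduces not in ("likelihood", "impact"):
                raise ValueError("a control must reduce 'likelihood' or 'impact'")

    def inherent(self) -> int:
        """Score with no controls applied: likelihood x impact, 1-25."""
        return self.likelihood * self.impact

    def residual_scores(self) -> Tuple[int, int]:
        """Likelihood and impact after the current controls are credited."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            if c.reduces == "likelihood":
                lik = max(1, lik - c.by)
            else:
                imp = max(1, imp - c.by)
        return lik, imp

    def residual(self) -> int:
        lik, imp = self.residual_scores()
        return lik * imp


def rating(score: int) -> str:
    """Map a 1-25 score onto the high/medium/low ranking used in the write-up."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def with_control(risk: Risk, control: Control) -> Risk:
    """Model a proposed control without mutating the recorded finding."""
    return replace(risk, controls=risk.controls + [control])


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest residual risk first; ties broken by inherent risk."""
    return sorted(risks, key=lambda r: (r.residual(), r.inherent()), reverse=True)


def build_report(risks: List[Risk], assessed_on: str, review_after_days: int = 365) -> dict:
    """Step 6 documentation (scope, findings, rankings) plus the step 7 review date."""
    assessed = date.fromisoformat(assessed_on)
    return {
        "assessed_on": assessed.isoformat(),
        "next_review_by": (assessed + timedelta(days=review_after_days)).isoformat(),
        "scope": sorted({r.asset for r in risks}),
        "findings": [
            {"asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
             "inherent": r.inherent(), "controls_in_place": [c.name for c in r.controls],
             "residual": r.residual(), "rating": rating(r.residual()),
             "recommendation": r.recommendation}
            for r in rank(risks)
        ],
    }


# Constructed sample register for a small practice; scores are illustrative only.
SAMPLE_RISKS = [
    Risk("clinician laptop used on home visits", "loss or theft of the device",
         "disk is not encrypted", likelihood=4, impact=5,
         recommendation="enable full-disk encryption and remote wipe"),
    Risk("practice EHR server", "ransomware makes records unavailable",
         "backups kept online on the same network", likelihood=3, impact=5,
         controls=[Control("offline backups tested quarterly", "impact", 2)]),
    Risk("office photocopier", "device returned to lessor with scanned images on its drive",
         "internal hard drive is never wiped", likelihood=2, impact=4,
         controls=[Control("drive wipe clause in lease agreement", "likelihood", 1)]),
]

if __name__ == "__main__":
    for r in rank(SAMPLE_RISKS):
        print(f"{rating(r.residual()):6} inherent={r.inherent():2} residual={r.residual():2} {r.asset}")
    encrypted = with_control(SAMPLE_RISKS[0], Control("full-disk encryption", "impact", 3))
    print("laptop after encryption:", encrypted.residual(), rating(encrypted.residual()))
    print(build_report(SAMPLE_RISKS, "2024-03-01")["next_review_by"])
```

Running it shows why the laptop example in step 5 works the way the text says: the unencrypted laptop ranks highest at 20 (high), and crediting full-disk encryption leaves a residual of 8 (medium), because encryption lowers the impact of a loss rather than the chance of one. The report dictionary is what step 6 asks you to keep on file, and its next_review_by field is the step 7 reminder.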

HIPAA-compliant hosting for your patient data

HIPAA is flexible and allows you to assess your security stance based on the context. To better understand your context, you perform a risk analysis. The above steps will help you in conducting your risk analysis. Probably you will find ways in which your systems could be improved, as with expertly engineered HIPAA-compliant hosting. At Total Server Solutions, our service is what sets us apart, and it’s our people that make our service great. See our approach.