Ecommerce ethics attempt to describe fair and just behavior by online merchants.

Posted by & filed under List Posts.

A Tesla investor sued Elon Musk in early August, claiming that Musk’s statement on Twitter that he had secured funding to take the publicly traded company private was fraudulent. The story is still developing, and Musk has not (at least at this point) been found guilty of any wrongdoing. The investor is suing over purported crime rather than ethics and hopes to recover financially (and is asking other short-sellers to join a class action): the suit argues that Musk’s tweet was potential fraud that hurt their portfolios. The case also raises an ethical issue, however, since deceiving people is not acceptable under any mainstream understanding of ethical behavior.

With the rise of the Internet, business has become truly global. Since people across the planet want the marketplace to be as fair as possible, there is worldwide concern with the specific business area of ecommerce ethics. For instance, it is addressed by ethical design consultant Trine Falbe in the German-based Smashing Magazine as a basis for design work. Thousands of miles away, Professor Pathik Variya of India’s Dharmsinh Desai University listed the ethical obligations of ecommerce firms. There is significant overlap in how ethics for online business are discussed.

This article explores some of the core ethical issues related to ecommerce. First, though, it grounds discussion to talk directly about what ethics and business ethics are.

What exactly are ethics?

The definition for ethics from the Markkula Center for Applied Ethics is perhaps particularly interesting since it comes from a Silicon Valley based institution, Santa Clara University. The center’s definition is twofold. For one, it describes ethics as “well-founded standards of right and wrong that prescribe what humans ought to do, usually in terms of rights, obligations, benefits to society, fairness, or specific virtues.”

Secondly, the center adds that ethics refers to the study and development of ethical principles. To take on both of those meanings of ethics at your organization, you could espouse ethical principles in the way you operate, as well as commit to further improving your ethical framework and practices as you proceed.

Ethics can be followed and applied personally or organizationally, internally and externally. Business ethics may initially sound as if they are solely the concern of industry, but that is not the case, as indicated in the Stanford Encyclopedia of Philosophy (run by the school’s Metaphysics Research Lab) by business ethics specialist and Bentley University professor Jeffrey Moriarty. As Moriarty noted, business ethics are something with which we should all be concerned since everyone does business at least to the extent that we purchase items on a daily or near-daily basis. Moriarty also commented that many of us additionally spend hours daily and throughout our lives focused on producing within a business context. The actions of businesses help to determine the nature of our culture, both for good and for bad, he concluded.

Core ethical issue #1 – security

To get into specific concerns, security is one issue that is mentioned often in discussion of business ethics. After all, security is not just about meeting Payment Card Industry Data Security Standard (PCI DSS) compliance but meeting ethical expectations that define fair and forthright business interactions.

One analysis focused its discussion of security ethics on an increasingly important issue: protecting your information systems from insider threats. That focus makes sense given the numbers. In healthcare, 58% of breaches are now caused by insiders, according to a 2018 Verizon study. Across industry, a 2015 analysis from Intel found that insiders were responsible for 43% of data breaches. Some statistics are even higher than these already high numbers. For example, one source cited statistics finding that human error accounted for 80% of data breaches. Regardless of the specific figures, it is certainly true, as Chris Duckett said in ZDNet, that “[y]our biggest threat is inside your organisation [sic] and probably didn’t mean it.”

Since error is so prevalent, it should be addressed through robust and regular training – which is a best practice for infosecurity anyway. Routine risk assessments (both comprehensive ones and ones that target systems you are evaluating for adoption) are also critical for breach prevention.

Core ethical issue #2 – Accuracy in descriptions and marketing

Another key ethical notion is that ecommerce companies should be straightforward in their descriptions of products through all communications – advertising, product pages, the blog, social media, and any other settings. (This aspect of ethics was central to the Musk lawsuit described above.)

Delivering on the promise, so that what a person gets in the end is what they thought they were getting from the start, is the opposite of the ethical problems of bait-and-switch sales and deceptive advertising. In ecommerce, unlike traditional brick-and-mortar retail, the customer cannot directly see or touch a product before purchasing it. Online, they can see products in videos and photos, but those images undoubtedly present the items in as near-perfect a condition as possible. What is interesting about such near-perfect images on an ecommerce site is that what the shopper sees is not the product that actually gets purchased; it is a picture of another copy of the product.

It is easy to make mistakes with product descriptions. However, ethics require care that what the customer is actually getting is aligned with how it is presented online.

Core ethical issue #3 – Surveillance capitalism

A core issue of design ethics will be uncomfortable for many but is worthy of consideration given the amount of data flowing through ecommerce platforms: surveillance capitalism. This issue, brought up by Falbe, arises when you consider your reasons for gathering and analyzing your user data. Falbe cited ethical designer Aral Balkan, who offered a disturbing analogy. Balkan noted that Facebook using data to improve its platform is similar to a cow getting a massage in order to make Kobe beef – because those massages are “not for the benefit of the cow but to make the cow a better product.” He concludes his point, “In this analogy, you are the cow.”

Falbe expanded Balkan’s thought by noting that data collection and analysis is problematic when its real aim is financial gain. People could debate Facebook’s side in this matter, but the issue of surveillance capitalism is certainly discussed in ethical circles related to web design and development.

Core ethical issue #4 – Moral agency

The notion of corporate moral agency is used by some thinkers to describe business ethics. Through this framework, any individual engaged in business is a moral agent – just as the collective of people working for a certain firm make up corporate moral agency. There is disagreement over whether a company should itself be considered a moral agent as well (beyond thinking of morality in terms of the staff as a group).

While it may not be easy to think in terms of moral agency, it can help develop a deeper understanding for ethics as a systemic value and as something to improve both individually and collectively.

Ecommerce based on key standards

Clearly, following ethics is important in how business is conducted. While we expect ethical behavior from those with whom we do business, we do not always get it; to protect ourselves, we seek proof that organizations follow established standards. One of the most credible ways for any service provider to demonstrate how strong its systems are from a security and control perspective is the Statement on Standards for Attestation Engagements 16 (SSAE 16) from the American Institute of Certified Public Accountants (AICPA). See our SSAE-16 and PCI-compliant ecommerce solutions.

Figuring out your cloud ROI will help you make better decisions.

As the saying goes, “You have to spend money to make money.” However, we all know that how you spend money will be a major factor in determining your success. By measuring the return on investment (ROI) of a certain expense, an organization can decide whether it is a wise choice moving forward or not.

Cloud computing is a great example of a key IT area for running the ROI formula. Increasingly cloud systems are replacing on-premise ones. Were those decisions the right ones? If you think so, you can prove it with ROI, giving you strong evidence that you are moving your company in the right direction.

This article looks at how many companies do NOT measure cloud ROI; thoughts on agility and the breakeven point from David S. Linthicum; and 5 obstacles to strong cloud ROI.

Poll: 1 in 3 firms do not measure cloud ROI

If you are not yet checking your ROI systematically, you are certainly not alone. There is obviously not a consensus that performing this calculation is a high priority. Almost one-third of organizations do not determine cloud ROI, according to an international survey from the Information Systems Audit and Control Association (ISACA). The ISACA poll of chief information officers found that 68% of firms calculated cloud ROI. ISACA noted that the 32% of companies that were not calculating ROI were able to justify their use of the technology on other grounds: transitioning from capital to operating expenses (CAPEX to OPEX), improved agility, etc.

Organizations that did calculate ROI typically used a 1-5-year timeframe for measurement. Most used a hybrid method that included both perceived quantitative and qualitative factors. The most common elements included in the hybrid model were business impact (time to market, penetration, agility, etc.), time savings, cost of transition, and staffing changes, along with capital and operating expenses.

The survey also found that companies that do come up with ROI numbers often only do it once, which misses the benefit of being able to check your expectations against results. When you look at that population that is calculating ROI, only 52% do so before and after cloud deployment, while 43% only check before and 6% only after the transition.

While 32% may seem low, the figure is rising over time, according to ISACA research director Ed Moyle. Indeed, see this InformationWeek poll of 339 organizations from 2014, showing the level at 20%. Moyle added, “If ROI is not calculated in advance of implementation, it becomes difficult to validate or refute the expected value.” To extend that thought, the validation or refutation could then occur with the second check of ROI following implementation.

An agility-based ROI model

Deloitte chief cloud strategy officer David S. Linthicum explained that this poll demonstrated using agility as the central component of an ROI model now makes more sense. Linthicum has been arguing for moving away from capital and operational cost reduction to an agility-based model since 2011. Linthicum noted that he thinks we are beginning a shift in the understanding of cloud from cost savings to agility – which he believes will lead to much greater disruption.

There are tools that you can use to determine the agility that is generated by cloud adoption. Factors including your business’s size, its level of innovation, and the vertical market all must be included to gauge your agility.

You can bring in your past metrics, and you can use the same algorithms for different environments. You could use an agility-based model to look at competitors, determining their cloud ROI.

While you can create comparative analyses, there is not much as far as cloud ROI public case studies go – so it is challenging to confirm that your numbers are solid. However, Linthicum noted that it is still a good idea to move forward with agility-centered ROI measurement since it will give you a much better sense of the true value the technology is bringing to your efforts.

Breakeven: 20% to 40% of workloads

It makes sense with a new technology to test the waters and wade in gradually. However, it is also important to realize that you will not see the ROI results that you want from cloud immediately.

While Linthicum talks a lot about the importance of agility, there are other key metrics that he believes are pivotal as well. One is commitment to the technology.

Organizations that dabble in cloud in small pieces over time will likely not see any advantage in using it, he noted. That’s because there are sunk costs (unrecoverable costs that have already occurred) related to cloud: integrating cloud systems into your management and monitoring platforms, addressing security concerns, recruiting new personnel, training, etc.

The real question is, when do your returns start to overcome the sunk costs? That is the breakeven point, after which cloud becomes increasingly beneficial since the bill is already partially paid. Linthicum noted that there is very little difference in cost between 500 and 2000 workloads. Once your sunk costs are returned, your operational costs will not rise significantly as you continue to add workloads. It is impossible to avoid the upfront cost to see the ROI benefits.

The breakeven point for an enterprise with 2000 workloads is usually about 400 to 800 workloads, in Linthicum’s experience. That is equivalent to 20% to 40% of all IT processes.

Keeping only small amounts of IT in cloud prohibits an organization from seeing its full benefit. In fact, when companies run the ROI on cloud that only represents a small portion of overall computing, they will often find that ROI is negative – i.e., it is not paying for itself.

Now, while it may make sense to commit a substantial portion of your IT to cloud, you do not want to necessarily move your entire infrastructure to cloud overnight, Linthicum stressed. However, it is clear that the faster you shift most of your systems from on-premise to public cloud, the faster you will see a positive ROI. You will not typically get a benefit from the cloud when you are only moving a small amount of workloads, but only farther along the path of increased adoption.

5 things that hurt cloud ROI

While cloud ROI benefits from increased adoption, it is not as simple as overcoming a breakeven point. Issues can also arise. Consultancy Cloud Technology Partners noted a few things that stand in the way of ROI. Here are those five obstacles:

  1. Culture – Some obstacles will be within your corporate culture. You have to reconceptualize the way the business runs in order to realize the potential of cloud.
  2. Politics – Often a political problem that arises with cloud is division over the extent to which it should be adopted, with conflict often between the data center chief and whoever is advocating for cloud.
  3. Expectations – Many organizations will start out thinking immediately in terms of hybrid cloud or complex systems within cloud management platforms (CMPs). Focus your efforts before expanding to larger and more complex projects.
  4. Execution – Managing the transition can be tricky. “Minimal viable cloud” is recommended by CTP. This strategy bundles together a small group of workloads, with operations, controls, and security applied to it. Then you can add additional small sets in the same manner.
  5. Technical difficulties – Dedicating yourself to the cloud will avoid technical issues, particularly when you want to integrate with your on-premise system. When you want to combine on-premise with cloud, it creates difficulty. Consider replacing legacy tools with ones based in cloud.

Realizing strong cloud ROI

We talk quite a bit about cloud as if it were one system, but of course, it is many — and all clouds are not created equal. To realize strong ROI, you need the fastest, most robust cloud platform in the industry. See our High Performance Cloud.

ROSI - the return on security investment.

People often talk about security in terms of defenses and caution – an emergency system to prevent worst-case scenarios. However, thinking in terms of defense and prevention can distract us from a fundamental truth: security is powerful. It has an incredible amount of value to organizations across all sectors and markets. Establishing the ROI of security – the return on security investment (ROSI) – in a systematic way is worthwhile so that you know exactly how much you are getting back for what you spend on security environments, tools, and services (such as hosting in an SSAE-16-compliant data center).

What are return on investment (ROI) and return on security investment (ROSI)?

Entrepreneur defines ROI as “[a] profitability measure that evaluates the performance of a business by dividing net profit by net worth.” If your total assets are $1 million and your net profits are $250,000, your ROI is .25 or 25 percent. While that framework introduces how to calculate ROI, perhaps a simpler way to consider ROI is comparing the amount you get back to the amount you put in. A 100% ROI is the break-even point when the business or aspect of your business has at least made back the amount that you spent.

Establishing a strong ROI helps to make a good business case for further investment in something we all know is important given the current digital landscape: information security.

Metrics-driven ROSI approach

By using metrics to determine how effective various security tools are, organizations can consistently assess how well their overall defense system is functioning, understand the most pronounced threats they face, and reveal areas that might need replacement or additional safeguards.

Metrics help you better understand your systems, but they are also important because they help you sharpen the analysis behind your ROSI calculations so your investment proposals are stronger. Even though determining ROSI is valuable to organizations, fewer than 1 in 5 (17%) use this approach, per the NSS Labs 2017 Security Architecture Study.

Determining the ROSI and backing it with applicable metrics is becoming increasingly important, noted Vikram Phatak on security news site Dark Reading. Phatak said that not having the ROSI figures to back up their assessments could lead to situations in which security leaders have to report “that the cause of a data center breach was a result of ‘having had [italics his] a technology solution for the problem in the budget, but it got cut.'”

The basis for the ROSI formula

Here are risk assessment concepts that you can use to leverage your metrics and make your ROSI calculations. These concepts together make up the ROSI formula:

Annual loss expectancy (ALE) – The total amount you should expect to lose to security problems every year. ALE is a control figure that shows how much money can be lost assuming no changes are made.

ALE = Annual Rate of Occurrence (ARO) * Single Loss Expectancy (SLE)

Annual rate of occurrence (ARO) – ARO gauges how likely it is for a security incident to happen during a year. You can look at your history to determine how many incidents occur in the average year.

Single loss expectancy (SLE) – This figure is the total amount of money that you expect to lose during one security event. Determining the SLE can become easier and more systematic if you have organized and valuated your data. This number should at least include your direct and indirect costs for a breach.

Modified annual loss expectancy (mALE) – The mALE is identical to the annual loss expectancy except that it accounts for the losses avoided once a security measure is installed. The improvement is expressed as the mitigation ratio, which is the percentage of threats that the security tool blocks.

Return on security investment (ROSI) formula – Using the above concepts, you create the ROSI formula. This formula takes into account the costs and risks of security events, along with how much it costs to put a security protection into place. When you talk about ROSI, you can discuss the technical manner in which the number was calculated. Here is the formula:

ROSI = (ALE * mitigation ratio – cost of solution) / cost of solution

ROSI example #1: warehouse robots

Risk represents costs. There are potential costs associated with a risk that are mitigated with security defenses. Information security to lower risk can be very expensive. Since that’s the case, risk analysis (indicated in the above concepts) will guide organizations in determining ROSI because it will reveal just what level of investment is needed in safeguards.

An example suggested by Norman Marks in information management publication CMSWire is the defenses for robots implemented in a warehouse. The information executives at the company collaborated with business decision-makers to determine the level of risk – the likelihood of a risk and its potential impact. The business managers, as a round figure, estimated that the total cost of a breach would be about $10 million. The chief information security officer (CISO) reported that he thought the current chance that a breach of that scope would occur was 5%.

The CISO wanted to spend $250,000 annually in order to get the risk of that $10 million event down to 2%. To measure ROSI, you adjust the ROI formula so that you are gauging the level of risk reduction (through the mitigation ratio) rather than the level of investment gain. Reducing the risk from 5% to 2% means a 3% improvement in risk. Turn that risk chance into a real number: a 3% reduction in the chance of a $10 million loss should be calculated as 3% of that figure per year, which in this case would be $300,000. Since the idea is that you are putting in $250,000 per year of protections but are getting back $300,000 in reduced risk, your ROSI is 20%.

Additional analysis should occur to determine if the investment is sound, but that initial assessment looks positive.

ROSI example #2: UBA platform

Another example ROSI situation is described by Isaac Cohen in IDG’s CSO. In that example, a company is looking into a company-wide solution, a user behavior analytics (UBA) platform, to prevent breaches. The CIO of the company calculates that there have been 30 security incidents over the last 3 years – so 10 annually on average. In total costs related to fines, lost productivity, and lost data, each incident represents a cost of $20,000. The UBA is expected to be able to defend against 9 out of 10 current attacks. The cost of the UBA platform is $50,000 per year. The way you would calculate ROSI in this case would be as follows:

  • 10 incidents times $20,000 per incident = $200,000.
  • $200,000 times mitigation ratio of .9 = $180,000.
  • Subtract the $50,000 from that for the solution, and you get $130,000.
  • Now take $130,000 (your return) and divide it by what you spent, $50,000.
  • You get 2.6, equivalent to a 260% ROSI.
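The ROSI arithmetic from both examples, as an added example that is not code from the article or its cited sources. The first two cases use the article's figures (example #1 is modelled as a $10M event with a 5% yearly chance, so the mitigation ratio is derived from the 5% to 2% drop); the third case is constructed to show what a negative ROSI looks like, and the break-even helper gives the most you could pay for a control before that happens.

```python
"""Return on security investment (ROSI), using the article's definitions:

    ALE  = ARO * SLE
    mALE = ALE * (1 - mitigation_ratio)
    ROSI = (ALE * mitigation_ratio - cost_of_solution) / cost_of_solution

Added example, not from the article or its sources. The first two
cases use the article's figures; the third is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    aro: float               # annual rate of occurrence (incidents per year)
    sle: float               # single loss expectancy, dollars per incident
    mitigation_ratio: float  # fraction of expected loss the control removes
    annual_cost: float       # cost of the solution per year, dollars


def annual_loss_expectancy(aro: float, sle: float) -> float:
    """ALE: expected yearly loss with no new control in place."""
    return aro * sle


def mitigation_from_probabilities(p_before: float, p_after: float) -> float:
    """Mitigation ratio when a control lowers the yearly probability of an
    event (article example #1: 5% -> 2% gives 0.6)."""
    if not 0 < p_before <= 1 or not 0 <= p_after <= p_before:
        raise ValueError("need 0 < p_before <= 1 and 0 <= p_after <= p_before")
    return (p_before - p_after) / p_before


def modified_ale(ctrl: Control) -> float:
    """mALE: what you still expect to lose once the control is in place."""
    ale = annual_loss_expectancy(ctrl.aro, ctrl.sle)
    return ale * (1.0 - ctrl.mitigation_ratio)


def rosi(ctrl: Control) -> float:
    """ROSI as a ratio: 0.2 means 20%; negative means the control costs
    more per year than the loss it avoids."""
    if not 0.0 <= ctrl.mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    if ctrl.annual_cost <= 0:
        raise ValueError("cost of solution must be positive")
    ale = annual_loss_expectancy(ctrl.aro, ctrl.sle)
    avoided_loss = ale * ctrl.mitigation_ratio
    return (avoided_loss - ctrl.annual_cost) / ctrl.annual_cost


def breakeven_cost(ctrl: Control) -> float:
    """Annual cost at which ROSI is exactly 0; paying more than this for
    the same mitigation turns the investment negative."""
    return annual_loss_expectancy(ctrl.aro, ctrl.sle) * ctrl.mitigation_ratio


# Article example #1: a $10M breach with a 5% yearly chance; $250k/year
# brings the chance down to 2%.
WAREHOUSE_ROBOTS = Control(
    name="warehouse robots",
    aro=0.05,
    sle=10_000_000,
    mitigation_ratio=mitigation_from_probabilities(0.05, 0.02),
    annual_cost=250_000,
)

# Article example #2: 10 incidents/year at $20k each; a UBA platform at
# $50k/year stops 9 of 10.
UBA_PLATFORM = Control("UBA platform", aro=10, sle=20_000,
                       mitigation_ratio=0.9, annual_cost=50_000)

# Constructed case (not from the article): 2 incidents/year at $5k, and a
# $20k/year tool that stops half of them. ALE is only $10k, so the tool
# can never pay for itself.
OVERPRICED_TOOL = Control("overpriced tool", aro=2, sle=5_000,
                          mitigation_ratio=0.5, annual_cost=20_000)


if __name__ == "__main__":
    for c in (WAREHOUSE_ROBOTS, UBA_PLATFORM, OVERPRICED_TOOL):
        print(f"{c.name:16s} ALE=${annual_loss_expectancy(c.aro, c.sle):>12,.0f} "
              f"mALE=${modified_ale(c):>12,.0f} "
              f"break-even cost=${breakeven_cost(c):>10,.0f} "
              f"ROSI={rosi(c):+.0%}")
```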

Strong security for your critical data

Implementing strong security is in part about finding the right partners. At Total Server Solutions, our SSAE-16 Type II audit is your assurance that we follow the best practices for keeping the data center up and running strong. See our security commitment.

WordPress security steps to take in 2018

Statistics garnered from analysis of tens of thousands of WordPress sites within the Alexa top 1 million suggest why hackers often choose WordPress to attack. Incredibly, the study from WP WhiteSecurity found that 70% of installations are vulnerable to hacking.

The researchers looked at the WordPress installation status and behavior of these WordPress sites in the four days following the release of WordPress 3.6.1 (replacing 3.6) on September 11, 2013. The researchers found that there were 74 different versions of the WordPress software being used. Four days following the release of WordPress 3.6.1, 30.95% of the websites (13,034 WordPress installations) were still running WP 3.6, which had known security flaws.

Five years later, many sites could still use help with security best practices. The below steps to harden WordPress in 2018 will discuss fast updating and other actions you can take to better protect your sensitive data.

Quickly update to new WP versions.

WordPress is open source, and it is frequently updated to patch security holes (as well as to fix bugs and add features). You typically do not need to worry about minor updates, because WordPress auto-installs them by default. However, when updates are classified as major versions, you will have to start the update process manually.

Beyond the core code, there are thousands of themes and plugins that you can attach to your site; these add-ons are developed by independent parties, and the most attractive ones are also updated regularly.

Updates are critical for your site’s security, as well as its stability. All components of your site should always reflect the most up-to-date version of the software.

Use a password manager, and strengthen your passwords.

If you know any of your passwords and have used them to log in to an account on another service, your password policy should be changed, noted Gerroald Barron of premium WP plugin firm iThemes. A strong password is long, unique (i.e., only used once), and randomly generated. If you are able to remember any of your passwords, they probably need to be strengthened. If you have a credible, well-maintained password manager, you can keep your account logins secure while also being able to choose random strings of characters (as you can do through Perfect Passwords).

A password manager can both generate passwords and securely store them via a browser extension. You then just need to know the master password for the password manager.

Utilize a web application firewall (WAF).  

Using a web application firewall will help stop unauthorized traffic prior to it accessing your site.

Switch your WP salts and keys routinely. 

Another important task brought up by Barron is regular replacement of salts and keys. WordPress stores data in your browser, as cookies, to verify anyone who uses the installation internally or places a comment. It is important that all the login data stored in these cookies is encrypted so no one can view it after the fact. WordPress achieves that encryption through authentication salts and keys stored in the configuration file (wp-config.php). Modify these on a regular basis. If you want, you can use a plugin to manage the process.

Disable file editing.

There is a code editor built into WordPress that enables editing themes and plugins from the admin page. This feature should be disabled so that no one can exploit it to insert malicious code.

To disable file editing, you need to insert a snippet of code yourself into the wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Strengthen user and admin logins.

Go beyond the use of strong passwords. You certainly want to change the administrative account name from admin to something else. Actually, it is a good idea to create a new user and assign it with admin privileges. The admin account can then be removed or switched to having subscriber permissions.

Use two-factor authentication (2FA) for better security. When you use two-factor authentication, you are sent an additional token or code to a secondary device for an extra layer of authentication.

Change the default setting to limit the allowable login attempts. You can limit the number of login efforts through a plugin. Some plugins will additionally ban the IP address of the user and send you a notification about the incident.

Finally, switch to a custom login page. You can prevent the vast majority of brute-force attacks through taking greater care with your username and password, as well as changing the URL for login. Examples of changed URLs from Anushree Sen of Page Potato are as follows:

  • Change wp-login.php to my_new_login
  • Change wp_admin/ to my_new_admin
  • Change wp-login.php?action=register to my_new_registration.

Back up the WordPress database.

To improve your database security, create a backup at regular intervals. Backups may not seem to be security measures, but they are, because they ensure that you still have a clean copy of the data even if an attack succeeds. Backing up lets you know that you can recover if a disaster occurs. Data should be backed up regularly – at least once per day. Secure cloud backup is a strong idea. Your hosting service could keep the backup safe and in a distant physical location, for additional disaster preparedness.

Change your database table prefix.

Keeping the default prefix for your database tables makes SQL injection attacks easier to conduct. It should be changed to a challenging string of characters. The default prefix is wp_. You could change to wp_38sjR94_, for instance. Whatever you choose, do not use your domain name as the prefix. To change the prefix, update the wp-config.php file. You can only use numbers, letters, and underscores.

Here is the adjusted line in code:

$table_prefix  = 'wp_38sjR94_';

Now go to your database, via phpMyAdmin. There, modify the name of the table so it matches what you put in the configuration file. If you use cPanel, you will see phpMyAdmin within it, in the Databases section. Once you are in, run this SQL query from WPBeginner to change the names with one action:

RENAME TABLE `wp_commentmeta` TO `wp_38sjR94_commentmeta`;
RENAME TABLE `wp_comments` TO `wp_38sjR94_comments`;
RENAME TABLE `wp_links` TO `wp_38sjR94_links`;
RENAME TABLE `wp_options` TO `wp_38sjR94_options`;
RENAME TABLE `wp_postmeta` TO `wp_38sjR94_postmeta`;
RENAME TABLE `wp_posts` TO `wp_38sjR94_posts`;
RENAME TABLE `wp_terms` TO `wp_38sjR94_terms`;
RENAME TABLE `wp_termmeta` TO `wp_38sjR94_termmeta`;
RENAME TABLE `wp_term_relationships` TO `wp_38sjR94_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `wp_38sjR94_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `wp_38sjR94_usermeta`;
RENAME TABLE `wp_users` TO `wp_38sjR94_users`;

You may also have to add a few lines related to any plugins since they will sometimes insert their own tables into the database. Your goal here is to adjust all of the table prefixes.
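Generating the rename statements for an arbitrary prefix, as an added example that is not the article's or WPBeginner's code. It generalizes the list above to any set of tables (core plus plugin tables), skips tables that do not carry the old prefix, validates the prefix against the letters/digits/underscore rule, and goes one step beyond the text by also renaming the prefix-dependent rows WordPress keeps inside the options and usermeta tables (user_roles, capabilities, user_level), which every user's role assignment depends on. The plugin table and second-site table in the sample list are constructed.

```python
"""Build the SQL and wp-config.php change for a new WordPress table prefix.

Added example, not from the article or WPBeginner. Renames are emitted
first, then the UPDATEs for the rows whose names embed the prefix; the
UPDATEs therefore address the tables by their new names.
"""
import re
import secrets
import string

# Letters, digits and underscores only, as the article states. Because every
# prefix is checked against this before being placed into SQL, the
# f-strings below cannot be turned into injection by a stray quote.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

# The 12 core tables listed in the article, with the default prefix.
CORE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options",
    "wp_postmeta", "wp_posts", "wp_terms", "wp_termmeta",
    "wp_term_relationships", "wp_term_taxonomy", "wp_usermeta", "wp_users",
]

# Constructed sample input: the core tables, a plugin table, and a table
# belonging to another site that shares the database (must be left alone).
SAMPLE_TABLES = CORE_TABLES + ["wp_myplugin_log", "blog2_posts"]


def validate_prefix(prefix: str) -> str:
    """Reject anything outside [A-Za-z0-9_]; returns the prefix unchanged."""
    if not PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"prefix {prefix!r}: only letters, digits and underscores allowed")
    return prefix


def random_prefix(length: int = 6) -> str:
    """A prefix in the article's wp_38sjR94_ shape, drawn from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "wp_" + "".join(secrets.choice(alphabet) for _ in range(length)) + "_"


def rename_statements(tables, old_prefix: str, new_prefix: str) -> list:
    """One RENAME TABLE per table carrying old_prefix; others are skipped."""
    validate_prefix(old_prefix)
    validate_prefix(new_prefix)
    stmts = []
    for table in tables:
        if not table.startswith(old_prefix):
            continue  # another site's table, or unrelated to this install
        suffix = table[len(old_prefix):]
        stmts.append(f"RENAME TABLE `{table}` TO `{new_prefix}{suffix}`;")
    return stmts


def option_and_meta_updates(old_prefix: str, new_prefix: str) -> list:
    """WordPress stores roles under <prefix>user_roles in the options table
    and per-user <prefix>capabilities / <prefix>user_level in usermeta.
    Left behind, these rows strand every account without a role."""
    validate_prefix(old_prefix)
    validate_prefix(new_prefix)
    options_table = f"{new_prefix}options"    # already renamed at this point
    usermeta_table = f"{new_prefix}usermeta"
    stmts = [
        f"UPDATE `{options_table}` SET option_name = '{new_prefix}user_roles' "
        f"WHERE option_name = '{old_prefix}user_roles';",
    ]
    for key in ("capabilities", "user_level"):
        stmts.append(
            f"UPDATE `{usermeta_table}` SET meta_key = '{new_prefix}{key}' "
            f"WHERE meta_key = '{old_prefix}{key}';"
        )
    return stmts


def config_line(new_prefix: str) -> str:
    """The wp-config.php line that must match the renamed tables."""
    return f"$table_prefix  = '{validate_prefix(new_prefix)}';"


def migration_sql(tables, old_prefix: str, new_prefix: str) -> str:
    """Complete script: renames first, then the prefix-dependent rows."""
    return "\n".join(rename_statements(tables, old_prefix, new_prefix)
                     + option_and_meta_updates(old_prefix, new_prefix))


if __name__ == "__main__":
    new = "wp_38sjR94_"          # or random_prefix()
    print(config_line(new))
    print(migration_sql(SAMPLE_TABLES, "wp_", new))
```

Run the SQL it prints in phpMyAdmin only after taking the database backup described above, and change wp-config.php in the same maintenance window so the two never disagree.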

Choose a secure host.

According to Sen, your choice of a secure WordPress host is the most important one you will make related to data protection. Your account could be hacked if you use a low-end shared hosting service. “[C]hoos[e] a reputable and trusted web-hosting service provider… who understands the risks of cross-contamination, segregates the website accounts and configures the security permissions of each account present in their WordPress-optimised environment,” noted Sen.

Are you in need of a secure WordPress environment? Turning to an experienced WordPress hosting provider allows you to leverage the niche expertise that comes from focusing on IT infrastructure. At Total Server Solutions, our data center is PCI-DSS compliant and SSAE-16 audited. See our commitment to the security gold standard.

With growth of malware and ransomware, security is a top priority.

It is easy to develop blind spots in our thinking, particularly toward things that we see often, as if they become invisible to us after so much repetition. For instance, we may read so much about cyberattacks and how important security is that it may make it more difficult to logically consider the topic and strategize protection. After all, just about every type of system you can imagine has been hacked, from smart city technology and alarm systems to mobile bank apps, plane systems, and cars.

The seeming overabundance of attention on cyberattacks is actually a window into the reality that the threat landscape is increasingly complex and must be confronted to avoid huge losses. Spurred by various forces, companies know that cybersecurity deserves consideration – but they do not always move forward systematically. This article looks at drivers of cybersecurity as a top priority, evidence of failure to implement full security best practices, and steps you can take to fortify your posture.

3 forces driving the increasing importance of cybersecurity

According to a 2017 Fortinet poll of IT executives, three key reasons that cybersecurity is becoming a bigger priority in business boardrooms are:

Cloud migration proliferating – It is no secret that cloud is being utilized more broadly within business. With workloads being switched over to cloud, nearly three-quarters of IT security executives said that they think cloud security is becoming a greater concern. Just over three-quarters (77%) said that their boards were recognizing cloud security and a budget to ensure it as top points of focus. The actual implementation of cloud security solutions was not quite as high, though, with only half of those polled (50%) saying that they would adopt cloud security solutions in the upcoming 12 months.

Regulatory scrutiny growing – Greater prioritization of IT security is also fueled by additional regulations, cited by one-third of those polled (34%). Of particular interest is the General Data Protection Regulation (GDPR), which could bring fines, additional costs, and credibility concerns (since violations are posted publicly).

Cyberattacks and data breaches rising – The vast majority (85%) said that their organization had suffered a data breach. The most common form of attack was malware and ransomware, listed by nearly half of decision-makers surveyed (47%). There was progress in the right direction in making security a bigger focus following WannaCry and other prominent worldwide attacks. The scope and makeup of today’s attacks are making it a concern of boards rather than just IT leadership.

Concern with security does not always result in action

Another indicator of how critical security is to business, one that agrees with the Fortinet survey above, comes from the UK’s Department for Culture, Media and Sport. When this agency polled more than 1500 UK-based businesses in 2017, nearly three-quarters (74%) said that digital security was a top priority for senior management, while two-thirds (67%) said that they had purchased cybersecurity systems or services in the previous year. Investment in cybersecurity was stronger with larger organizations: the survey found that 91% of those from large enterprises had spent on information security, while the number was 87% for midsize firms. The safeguarding of customer data was the #1 reason for cybersecurity investment, cited by 51% of those surveyed. Problematically, only one in three respondents said that their business had a formal cybersecurity policy in force (or had cybersecurity guidelines listed within audit documentation or a business continuity plan). The number was even lower for the implementation of cybersecurity incident management plans (i.e., the actions to take if you were to learn you were being attacked): just 11 percent of UK organizations polled had one enacted.

Perhaps the key point to take away from that survey is that businesses are generally prioritizing security – investing in security technologies, for instance – but do not comprehensively follow cybersecurity best practices. As George Ralph noted in Private Equity Wire, “It seems like the fear of attack has induced spend, but hasn’t extended to policies and procedures that could reduce the threat of attack, or ensure attacks were dealt with more effectively.”

Taking action for better cybersecurity

Here are 7 action steps you can take to improve your cybersecurity, from the International Council of E-Commerce Consultants (EC-Council), PricewaterhouseCoopers, and Deloitte:

#1 – Take a proactive approach to cybersecurity.

It is critical to develop some knowledge about common threats and understand essential ways that you can identify threats, noted Deloitte.

#2 – Go beyond risk avoidance to building resiliency.

PwC found that organizations that were creating a climate of risk resilience were seeing better long-term financial gains than those that were simply responding to problems as they arose. The PwC researchers gave the example of Japan following the tsunami in 2011, when businesses that had risk management programs with business continuity plans were able to get back up and running much more quickly than those that did not.

#3 – Test for the weakest link.

Seeing how well you handle mock situations can inform a much stronger approach, so use stress tests. These tests should incorporate all your interdependencies, so that you know what might go wrong with other systems on which your own systems rely.

#4 – Strengthen your defenses.

Develop a complete strategy for patching, secure software development, and a secure physical environment, said Deloitte.

#5 – Give special attention to threats that could alter or eliminate data.

While confidentiality now stands as the most critical objective of cybersecurity within the business world, integrity will take its place in the near future, per Dan Geer (cited by PwC), who specializes in risk management and IT security. A heightened focus on maintaining integrity will facilitate recovery from an attack. Blockchain is one technology that will assist organizations with integrity.

#6 – Maintain oversight and make updates.

Typically organizations detect vulnerabilities, create patches, and keep threats from becoming broader problems. At the same time, many businesses do not make sure that their disaster recovery plan is relevant to their circumstances or that their staff remains informed on key security concerns, per the EC-Council.

While it is critical to monitor your system and react to what you see, monitoring is not enough on its own. It is important, said the council, to change the way that you approach cybersecurity given the continuing growth and development of threats. The council suggests including these three strategies:

  • Establish an inventory that routinely scans your assets and rapidly locates vulnerabilities.
  • Fix vulnerabilities systematically through a mitigation process.
  • Organize and consolidate your threat intelligence in a central location.

#7 – Be aware of ransomware.

According to Panda Security, we were already clocking 230,000 new malware samples per day in 2015. Specifically, ransomware is on the rise. This type of attack occurred 36% more frequently in 2017 and is projected to become increasingly prevalent.

As the EC-Council puts it, what is now occurring in cybercrime is mass blackmail. Ransomware is a threat to the confidentiality of private information. Malicious parties access your personally identifiable information (PII), encrypt it, and also transfer out a copy of all the data from company devices – for leverage in blackmail efforts. The thieves then demand payment, which is sometimes collected in installments.

Your secure ecommerce platform

Do you need full-featured ecommerce software run on secure infrastructure? At Total Server Solutions, your data is hosted within our PCI-DSS and SSAE-16 compliant datacenter. See our comprehensive ecommerce solutions.

cloud infrastructure - deciding what to put in the public and private components

Posted by & filed under List Posts.

Public, private, and hybrid are the three primary forms of cloud in use by organizations. As its name suggests, hybrid is a blend of the private and public models. A company with a hybrid cloud is able to choose the public or private setting for each given scenario. Michael Moore notes that companies will typically use private cloud when they need the strongest security and public cloud for any systems that they want to be as mobile and scalable as possible. 

Hybrid cloud: it’s about choice

Anyone who is paying much attention to business IT knows that adoption of cloud is widespread. The extent to which cloud has become standard is mind-boggling, with infrastructure that incorporates numerous public and private clouds implemented in almost 95% of organizations in 31 nations, per IDC. This multicloud scenario is complicated, with Kentik reporting that more than a third of firms say cloud is the technology responsible for the greatest network complexity.

Given this challenge, organizations are increasingly turning to the hybrid cloud model to better manage the complexity. A hybrid cloud makes it possible for organizations to improve the agility of their systems, quickly develop and release apps, and run workloads in the settings that are best for specific situations.

Often organizations will choose to run some of their less sensitive systems externally while keeping their more critical data within their own data center, noted Nick Ismail, concurring with Moore. Using a hybrid cloud also allows an organization, based on analysis of cost and capacity, to shift workloads between public and private systems.

Deciding what to store in your private cloud

It is a matter of trust, really, that organizations want to handle certain data in their own private clouds. Oliver Rist and Juan Martinez noted that choosing to run systems yourself or to use the systems of an external provider is similar, in a way, to deciding whether you want your cash to be in your pocket or held by another person.

Rist and Martinez said that this idea of money being held by you or someone else is overly simplistic, though, since decisions to move data outside an organization often have to do with the resources available to the organization. To extend the analogy, if you have a sack of money, you might not have a secure location to store it. A credible person you know might work at Fort Knox and be able to store the cash there for you while allowing you access to it as needed. Going back to the issue of trust, it would certainly make sense to store the money in Fort Knox if you trust your friend who works there.

Most small and midsize businesses lack capital to be able to create a high-grade security system for themselves in-house, so public cloud is attractive even for more sensitive data. After all, public cloud has much better security than many people think, as discussed below. 

Deciding on your public cloud partner

Using an infrastructure-as-a-service (IaaS) company (i.e., a public cloud server provider) gives you access to their physical hardware, storage devices, and switches for the management of your data. The beauty of this setup is that you are not in charge of figuring out how and where to move your workloads if a server goes down.

Clouds that are set up in-house also do not give you the same in-the-moment flexibility as a public cloud. For instance, when you think that you will get a spike in hits to your site during a certain period (think the holidays), you can launch a public cloud machine just for that period of time, then shift off it once traffic is back at a normal level.

If you do use public cloud, you only need to fund the resources you use. If you use your own data center instead, it is necessary to buy additional servers so that your capacity meets demand during that short period. When the rush is over, suddenly you are grossly underutilizing your hardware.

Finding a public cloud provider is not as simple as looking at a list of technical parameters and determining the host that best meets them. Keep in mind that you should be on the same page as your provider, advised Rist and Martinez, who added that “[y]ou’ll truly be partnering with your vendor to ensure the performance and security of your business data.” 

Considering the security of public cloud

Hybrid cloud is essentially about dividing your workloads into public and private sides, and, as indicated above, security is often the primary consideration for these decisions. The basic notion is that your data center is secure, so the important data should go there; only unimportant systems should go to cloud. While that may seem reasonable, it really is not, as suggested by the Fort Knox analogy above and by various cloud thought-leaders.

Public cloud is a setting in which many infrastructure and data security experts are on staff, which leads to better all-around protection than is typically available through an on-premise datacenter. David Linthicum noted that IT professionals tend to think they are more adept at security than outsiders would be. However, he stressed that “public cloud is more secure than the typical data center.”

Linthicum argued that public cloud vendors have stronger security tools installed and pay more attention to vulnerabilities within their ecosystems than is true of most organizations. Consider that public cloud providers are exciting entities for hackers to attack since the data they hold and process is so extensive. The solutions that are deployed system-wide by IaaS vendors are typically cutting-edge, featuring artificial intelligence and pattern matching capabilities.

It only makes sense that cybercriminals would opt for simpler projects than cloud providers, which is why they instead go after on-premise data centers. That is backed up by an October 2016 analysis at the Infosec Institute, which found that most successful attacks on enterprises that have been covered in the news have been of in-house rather than cloud systems.

Quentin Hardy, deputy technology editor for the New York Times, agreed with that assessment, noting that the majority of headline-grabbing cyberattacks were not of public cloud but of traditional server setups. To go back to Fort Knox again, Hardy also compared data to money in these considerations, saying that a bank vault (an external location in which money from numerous people is held) is a better place to store money than within your dresser – because the former, said Hardy, has “got more protection from bad guys.”

Setting up the entire hybrid cloud with a hosting service

Given the protections that are standardly built into public cloud, many businesses decide to go “all-in” with public and skip private cloud entirely. That is true of many SMBs and startups, but it is also true of some major enterprises. The most prominent example is probably General Electric, which announced in 2014 that it was eliminating 90 percent of its internal data centers, moving the systems they supported to public cloud.

However, there is another option that gets the data out of your own data centers without having to place complete confidence in the public setting: third-party-hosted hybrid cloud. That scenario charges the web host with creating an architecture that couples their current public cloud with a private cloud (one for your exclusive use) on your behalf.

Your hybrid cloud partner

Whether it makes more sense to your organization to look to an outside environment for an entire hybrid deployment or just its public portion, it is critical to work with a company that you can trust. At Total Server Solutions, our infrastructure meets American Institute of Certified Public Accountants (AICPA) standards, and our cloud hosting boasts the highest levels of performance in the industry. See how we make our cloud so fast.

The ecommerce process -- reducing your shopping cart abandonment with a few simple strategies

Posted by & filed under List Posts.

Shopping cart abandonment is one of the biggest ongoing concerns of ecommerce companies. After all, you don’t want to expend energy and resources to attract visitors to your site only to lose them halfway through the buying process. Unfortunately for owners and managers of online stores, there is actually a higher likelihood that someone will abandon a cart than that they will go through with the purchase. An analysis that averaged statistics from 40 studies found that the average shopping cart abandonment rate is 69.89%.

A report from Business Insider mentions some bad news and good news related to this challenge, noting that it is extremely costly but also represents an opportunity to improve revenue. The analysis specifically looked at retailers, estimating that 63% of the $4 trillion they lose annually to abandonment could potentially be recovered. Plus, cart abandonment usually does not mean the loss of the sale or customer; in fact, three-quarters of those who leave behind their carts report that they are planning to either come back and make the purchase online or visit the same retailer’s local store. That is the good news. The bad news is that shopping cart abandonment is on the rise, in part because of the increase in mcommerce (shopping via mobile device). This report suggests that it may be worse than the above rate, with Barilliance calculating a 74% average abandonment rate in 2013.

What can you do about this issue? Here are a few strategies by ecommerce and conversion thought-leaders:

1.) Improve trust.

With an incredible 31.8 million consumers suffering from credit card fraud in 2014, it is no wonder that people are skeptical about giving their sensitive financial data to websites.

Trust logos are one common feature that is used to increase confidence in the buying process, noted SEMrush. Perhaps these seals are most important in terms of meeting expectations; one analysis found that 3 in 5 shoppers (61%) left a site because they did not see any trust seals.

These logos are typically tied into security products, so you will be getting actual technological improvements along with the ability to show off the seal. To show your customers that their data is safe, get a valid secure sockets layer (SSL) certificate and show its security logo, potentially along with other trust symbols (PayPal Verified, MasterCard SecureCode, TRUSTe, etc.), on your site.

2.) Install exit-intent popups.

Popups are a major cause of annoyance online, so many companies are hesitant to use them. However, exit-intent popups can give a major boost to your conversion, per OptinMonster. This type of popup, which can be implemented on checkout pages or anywhere else on your site, is driven by an algorithm that attempts to detect when a person is about to leave the site. The popup is geared toward keeping them on the site by introducing further information or giving them a special offer.

OptinMonster provides the example of a “Don’t Go” popup that offers 10% off with the coupon code DONTGO and has boxes for the user to enter their name and email for later order completion.

3.) Simplify checkout.

You are likelier to have someone abandon their cart if they experience any confusion along the way. Be careful about checkouts that involve numerous pages and forms, instead favoring express checkout.

Three elements suggested by Small Business Bonfire to make checkout easier for shoppers are the option to keep the address the same for billing and shipping, the use of auto-fill forms, and the implementation of single-click checkout.

4.) Make the cart visible throughout.

According to data from KISSmetrics, nearly a quarter of people (24%) said that they would prefer to save their cart for possible later purchase. Since so many customers are interested in completing a purchase at some point, it helps to keep the cart highly visible so they remember it, said OptinMonster. For instance, you could implement a cart icon in the corner of the page that automatically expands when you hover over it.

5.) Expand ways the customer can pay.

Having more payment options can complicate management and accounting, but it is important to make checkout as user-friendly as possible with multiple payment options, noted Small Business Bonfire. For instance, it can be a good idea to take both credit cards and PayPal.

6.) Incorporate cart abandonment emails.

When someone is abandoning their cart right at the end, that may seem frustrating – but, as SEMrush points out, it is actually positive because you have probably already collected their email address. A notification should be sent out immediately that they left items in their shopping cart, via autoresponder. You actually want that notification to be a series, with a couple more messages sent during the ensuing 24 hours.

7.) Implement guest checkout.

You do not want to drive shoppers away by making it necessary for them to have an account before they can buy. When they have to register prior to purchase, it complicates the process, and some people will leave, noted OptinMonster.

Think about it this way: by requiring an account, you are essentially demanding that the user enter their basic account information, confirm their email address, and then come back to the shopping cart to finalize the purchase. For people in a hurry, these extra steps can feel too inconvenient.

By allowing guest checkout, you get around the need for account registration. It is a better idea to try to turn guest purchasers into accountholders after the fact than it is to eliminate guest checkout entirely.

Strong ecommerce platforms make it simple to enable guest checkout. Users then have the option to create an account once the purchase has been completed.

8.) Don’t forget the human touch.

Autoresponders may make sense for some situations, but you will have greater success if you personally reach out to people right after the cart was abandoned to see if you can be of any assistance, explained SEMrush. The reason they left may be as simple as a payment or coupon code error. If you are able to help the person find the answer they need – to again make checkout simple for them – they may return and complete the transaction.

9.) Make all charges transparent.

People do not want to see the price rise substantially during the checkout process. Adding fees during checkout can prompt someone to leave their cart, noted Small Business Bonfire. Stating the full amount of the product as quickly as possible, with shipping and any other fees included, will let the shopper know exactly how much they will be charged.

10.) Include social proof.

Another thing that is impactful when a person is trying to decide whether to place an order is to show them that they are unlikely to experience buyer’s remorse. By presenting ways that your products have helped other people, social proof allows online shoppers to feel less worried that they will regret the purchase.

Here are a few methods, suggested by SEMrush, for adding social proof to an ecommerce site:

  • Put testimonials on landing pages and top reviews on product pages.
  • Send post-purchase messages to customers asking them to leave you a review.
  • Incorporate software such as Notify to let shoppers know about others who are buying from you.

11.) Improve your speed.

One other key reason that people will leave a site is because your site is moving too slowly. While there are many tactics you can take with your site to make it faster, one of the key ones is to ensure your infrastructure is built for speed. At Total Server Solutions, we know what it takes to keep high-volume, high-quality shopping cart sites running strong. See our high-performance ecommerce hosting solutions.

HIPAA risk analysis - steps to achieve - doctor on laptop

Posted by & filed under List Posts.

As you consider your risk analysis and efforts to keep it HIPAA-compliant, it is helpful to understand that the notion of risk is inherently context-based. Whenever you think about risk, initial questions to ask yourself are:

  • What asset am I attempting to protect?
  • What are potential threats?
  • What must be defended?
  • How substantial is the risk?

To look at the notion of context and how important it is to risk, Sarah Morris of KirkpatrickPrice suggested the analogy of a tire that has significant wear-and-tear. When you think of it in terms of driving, its condition is awful, and it represents great risk. If you took the tire off your car and instead used it as a tire swing, you would remove the friction of the roads and no longer have the risk. With that in mind, Morris recommends not jumping to conclusions when it comes to determining your amount of risk – since you need to completely understand the context. Once you have completed the analysis, you will be able to gauge your risk using that specific information.

Moving forward with your risk analysis

To understand your context so that you have a sense of your risk, you must conduct a risk analysis. The steps for performing a HIPAA-compliant risk analysis are as follows: 

Step 1.) Know key terms.

Major terms that are important to understanding HIPAA law are:

  • covered entity – Under HIPAA, a covered entity is a healthcare provider, plan, or data clearinghouse.
  • business associate – When covered entities use third parties to handle their protected health information (PHI), that organization is called a business associate.
  • business associate agreement – This term refers to a contract signed between a covered entity and any third party handling its PHI, stipulating responsibilities related to its protection.
  • electronic protected health information (ePHI) – When medical information is digitized into electronic health records (EHR), the data contained within IT environments is called ePHI (although PHI can be used as a catchall).
  • protected health information (PHI) – Typically shortened to its acronym, this term refers to sensitive personally identifiable health data that is safeguarded by HIPAA law.
  • Security Rule – A key stipulation of HIPAA’s Title II, the Administrative Simplification Provisions, this rule provides guidelines for the protection of electronic health records.

Step 2.) Know basic requirements of HIPAA law.

Within the Security Rule is the Security Management Process standard, which states that HIPAA compliance requires procedures and policies that avoid, identify, limit, and remediate any security issues that violate healthcare law.

The part of HIPAA that discusses the need for risk analysis is 45 C.F.R. § 164.308(a)(1)(ii)(A). To summarize that section:

In order for any organization to achieve HIPAA compliance, it is necessary to extensively review any possible risks to the ePHI that might expose it, corrupt it, or make it unavailable.

A description of strong risk analysis questions is contained in NIST Special Publication (SP) 800-66. Here are the questions (which are not mandatory or all-inclusive but suggest possible directions that may apply to your situation):

  • Do you know where the electronic protected health information is within your system (accounting for all data you generate, store, send, or receive)?
  • How is your ePHI handled externally, as when service providers produce, store, send, or receive healthcare data?
  • What poses a risk to the ePHI within your data environment, including all environmental, natural, and human threats?

While a risk analysis has direct benefits in terms of understanding your risk, you will experience indirect benefits as well in guiding you toward better compliance with other standards of the law. For instance, while the Security Rule has certain guidelines for deployment that are labeled as “required,” others are labeled “addressable.” The HHS clarified that it is not your choice whether to comply with addressable items. Instead, the entity should evaluate each addressable item in terms of how appropriate and reasonable it is, given the context.

Step 3.) Assess the scope of your analysis.

Examine all of the equipment and digital environments within your organization that generate, send, store, or receive ePHI with respect to the physical, administrative, and technical safeguards described within the law. Servers and computers are a clear place to start, but think broadly as you consider your technology, as noted by the American Medical Association (AMA). For instance, photocopiers will typically have hard drives within them that store images of everything that you scan. All mobile technology that handles ePHI should be included within your scope as well. Also at this point, create an asset list and write down a diagram or outline of the ePHI workflow.

Step 4.) Determine possible weaknesses and threats. 

When you look at the ways in which you might be vulnerable, you can benefit from the work you did in determining your scope so that you know the locations to look for weaknesses and threats. It is important to ask the same questions about your environment repeatedly so that you are considering all the potential problems that may arise in various segments of your system that handle sensitive health data. 

What you want to achieve at this point is a full picture of everything that might put your firm at risk. It is also when you can create an inventory of all the security methods that are currently implemented. Typically you will need to talk within your organization – with the office manager, for instance – as well as having discussions with knowledgeable outside parties related to the ePHI threat landscape and standard protections. 

Step 5.) Evaluate your risk. 

As stated above, risk is all about context. The nature of the systems you are protecting will lead to a reasonable understanding of how likely data breaches are to occur – and how devastating the outcomes would be.

An example negative situation that is a common HIPAA violation is the loss of an unencrypted laptop. Risk related to laptop loss is different for different organizations, though. For instance, a practice that visits patients in their homes could consider laptop loss a high risk, since it is quite likely to occur and the laptops might contain ePHI related to patient visits. By implementing laptop encryption, the risk is mitigated.

Also rank your risks during this process. You can determine your overall level of risk at this point as well.

Step 6.) Finalize your documentation.

Create a document that outlines the findings of your risk analysis (some of which is already composed). Make sure that this writeup includes the list of all your assets, weaknesses, threats, likelihood of occurrence, impact, controls that are now implemented, ranking of your controls, any residual risk you might have, and any advice that you have in terms of new controls to deploy.

Step 7.) Review and update your risk analysis process moving forward.

Risk analysis should be an ongoing project, of course. It should occur once a year, according to the AMA. Deciding how often to perform these assessments is context-based as well, though. As noted in Healthcare Informatics, “Some covered entities may perform these processes annually or as needed (e.g., bi-annual or every three years) depending on circumstances of their environment.”
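To make Steps 3 through 6 concrete, here is an added worked example (not from the post, the AMA, or KirkpatrickPrice) of a small risk register in Python. It scores each asset/threat pair by likelihood and impact, applies the controls already in place, ranks the residual risks, and emits the fields the Step 6 write-up calls for. The 1-5 scales, the score bands, the control reductions and the sample assets are all constructed assumptions; the Security Rule requires the analysis but prescribes no scoring method. The laptop scenario from Step 5 is scored twice to show the context point: the same asset and threat get different likelihoods for a home-visit practice and an office-bound one, and encryption lowers the impact for either.

```python
"""Risk register for the HIPAA risk analysis steps above.

Added example, not from the post, the AMA or KirkpatrickPrice. The 1-5
likelihood and impact scales, the score bands and the sample assets are all
constructed; the Security Rule requires the analysis but does not prescribe a
scoring method, so treat these numbers as a template to adapt.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    """A safeguard already in place. The reductions are assumptions for the example."""
    name: str
    reduces_likelihood: int = 0
    reduces_impact: int = 0


@dataclass
class Risk:
    asset: str           # from the Step 3 asset list
    threat: str          # Step 4
    vulnerability: str   # Step 4
    likelihood: int      # 1 (rare) .. 5 (near certain) for THIS organization's context
    impact: int          # 1 (negligible) .. 5 (severe) on ePHI confidentiality, integrity, availability
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be on the 1-5 scale")

    def inherent(self):
        return self.likelihood * self.impact

    def residual(self):
        """Score after current controls; never below 1 on either axis."""
        lik = self.likelihood - sum(c.reduces_likelihood for c in self.controls)
        imp = self.impact - sum(c.reduces_impact for c in self.controls)
        return max(1, lik) * max(1, imp)


def level(score):
    """Constructed bands on the 1-25 product scale."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"


def build_register():
    """Constructed sample. The laptop-loss scenario appears twice: a home-visit
    practice rates its likelihood far higher than an office-bound one, and
    full-disk encryption lowers the impact of either."""
    encryption = Control("full-disk encryption on laptops", reduces_impact=4)
    return [
        Risk("home-visit clinician laptop", "theft or loss off-site",
             "ePHI cached on local disk", likelihood=4, impact=5, controls=[encryption]),
        Risk("office clinician laptop", "theft or loss",
             "ePHI cached on local disk", likelihood=2, impact=5, controls=[encryption]),
        Risk("multifunction copier", "device returned to lessor",
             "scanned images retained on internal hard drive, no wipe step",
             likelihood=3, impact=4),
    ]


def documentation(risks):
    """Step 6 write-up: one row per risk, ranked by residual score, carrying the
    fields listed above (asset, threat, likelihood, impact, current controls,
    residual risk, advice on further controls)."""
    ranked = sorted(risks, key=lambda r: (-r.residual(), -r.inherent(), r.asset))
    return [{
        "asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
        "likelihood": r.likelihood, "impact": r.impact,
        "controls": [c.name for c in r.controls],
        "inherent": r.inherent(), "residual": r.residual(), "level": level(r.residual()),
        "advice": ("accept and re-review at next analysis" if level(r.residual()) == "low"
                   else "add controls and re-score"),
    } for r in ranked]


def overall_level(risks):
    """Overall risk for the organization: the band of the worst residual score."""
    return level(max(r.residual() for r in risks))


if __name__ == "__main__":
    register = build_register()
    for row in documentation(register):
        print(f"{row['level']:6} residual={row['residual']:2} inherent={row['inherent']:2} "
              f"{row['asset']}: {row['advice']}")
    print("overall:", overall_level(register))
```

The copier ends up at the top of the register even though the laptop scenario looks scarier on paper, because the laptops already have a control applied and the copier has none; that is the kind of outcome Step 7's periodic re-review is meant to catch as controls and context change.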

HIPAA-compliant hosting for your patient data

HIPAA is flexible and allows you to assess your security stance based on the context. To better understand your context, you perform a risk analysis. The above steps will help you in conducting your risk analysis. Probably you will find ways in which your systems could be improved, as with expertly engineered HIPAA-compliant hosting. At Total Server Solutions, our service is what sets us apart, and it’s our people that make our service great. See our approach.

data eminating outward from the individual, the key concern of the General Data Protection Regulation from the European Union

Posted by & filed under List Posts.

Bolstered consumer consent. The “right to be forgotten.” 72-hour breach reporting. Hefty fine schedules. These aspects of the General Data Protection Regulation from the European Union are now in effect, as of May 25, 2018. As the most significant change to data security law in Europe in two decades, this new set of rules is getting a huge amount of attention in security and compliance circles.

Companies that are based in the EU must abide by the law, as must multinational firms that do business in EU nations. US-based businesses that do not have any operations in the EU may think that they are not impacted by the GDPR, but that is actually not the case – as is true for any companies from other non-EU countries. No matter where you are on the planet, you have to be concerned with the issue of GDPR compliance if you have a website and collect user information, since you could at times be handling the data of EU citizens.

Do you really have to follow this EU law?

Some businesses may think that a regulation written across the ocean is insufficient reason for them to change the way they do business, instead taking their chances that they will not get a fine. However, companies that take this approach should be aware of the size of fines for noncompliance. While fines are in two tiers, both tiers involve substantial penalties: the most severe ones are at the higher amount of 20 million Euros (approximately 23.60 million US dollars) or 4% of yearly worldwide revenue, and the lower ones are at half of that, the higher amount of 10 million Euros (11.80 million USD) or 2% of annual global revenue. Breaches due to violations that the EU lawmakers determined were the most critical ones related to personal data security can get the maximum, higher-tier fine. The important provisions on data security as it relates to these two tiers of fines are in Articles 5 and 32, as discussed in greater detail by international business law firm Pinsent Masons.

Beyond the fines, there are also numerous other costs associated with being fined – such as the impact of bad publicity and lawsuits. For businesses to be prudent and to ensure their ongoing stability, GDPR compliance is essential.

Organizations that are not within the European Union can look to the GDPR itself to verify their need for compliance. Within the regulation’s Article 3, it states that you have to meet the GDPR when your organization gathers behavioral or personal data from a citizen of a European Union nation. Article 3 stipulates that data subjects (protected individuals) must be in the EU when that data is gathered. Also, to be clear, no financial transaction needs to take place in order for protections to apply. Collection of personally identifiable information (PII), which the GDPR calls personal data, necessitates protecting it per the regulation’s guidelines.

While it is clear that non-EU companies must follow the GDPR, the core point that currently remains unanswered is whether a similar data protection law might be passed in the United States. Despite the costs and frustrations that arise from a new form of compliance, some business leaders see the law as a sign of progress. FollowAnalytics CEO Samir Addamine called passage of the GDPR the “rare time that the EU is… in advance of the rest of the world.”

Basics of the GDPR

It is now necessary for organizations to get consent from EU citizens in order to gather their data. When getting the consent of these users, it is necessary for the contract to be straightforward and easy to access; also, the reason the data processing is taking place should be given within the consent terms. The way that the terms are written should be highly readable, and anyone who signs an agreement should be able to cancel it just as simply as they initiate it. It is also necessary to notify your EU users in a maximum of 72 hours if a data breach occurs that may have impacted their records.

Additionally, the GDPR gives every citizen of the EU the right to be forgotten – the right to ask that their information be cleared out of a business’s systems if the purpose for which it was gathered is no longer relevant or if the individual wants to take back their consent.

The broad applications of the GDPR are evident through a simple example from Jeremy Goldman of creative consultancy the Firebrand Group: if you closed a social media account, the company would have to remove all your data. There are exceptions to this rule: it is not your right to have the data removed if its preservation is for the public good, as when the nature of the data is somehow newsworthy. Another restriction to this aspect of the regulation is that you cannot get records removed when their removal threatens freedom of expression (the broader category that includes freedom of speech).

Where should I focus first?

When it comes to taking on new standards and implementing the parameters of new forms of compliance, it helps to have an initial point of focus. Otherwise the complexity of legislation can feel overwhelming and deter forward motion toward GDPR compliance by international companies (and again, that means companies in any country whose websites might collect the personal data of EU citizens).

Perhaps the best place to start is with the need (mentioned above) to get a clear, simply stated, and straightforward agreement from users in order to collect their information. Companies may wonder specifically what it means for consent to be clear or easily readable, since it is difficult to get completely away from legal terminology and concepts. Consent must “involve a conscious and informed act by the individual,” noted Compliancejunction. It is no longer acceptable in these situations to have a prechecked checkbox, for instance. The terms must name the data controller (the organization that will be responsible for the records) as well as any outside firms that will be handling the information. While consent has not required as much intentional transparency in the past, as of May 25, consent has to be obtained through an unambiguous action that is distinct from signing the general user agreement.

Within the General Data Protection Regulation, citizens of the European Union nations are also granted the right to get a writeup covering all the data the firm has collected from them for free. They can also get, at no cost, the locations in which the data is being stored or processed, along with the reason that it is being handled.

GDPR compliance for your business

If you fell behind on GDPR compliance, you are not alone: analysts suggest many firms are in that position. A Gartner study forecast that more than half of companies regulated by the GDPR will not have reached complete compliance even by the end of 2018. Since the notion of territorial scope (i.e., impact beyond the confines of the EU) is so critical to the GDPR and the way it updates European data law, businesses in nations outside the European Union should “not be surprised to find that they are a particular target of data regulators,” noted the Workplace Privacy, Data Management & Security Report.

Are you concerned about the impact of the General Data Protection Regulation on your business? At Total Server Solutions, through our singular mission of providing you with the finest hosted services and the most robust infrastructure available anywhere, we can help you build a system that meets your needs while also achieving and maintaining compliance with the GDPR. See our customer testimonials.

Juggling security to protect sensitive customer data - GDPR compliance steps - General Data Protection Regulation


While there are borders between nations, the world is integrally connected. That is perhaps nowhere more evident than in the marketplace of the Internet. The interconnection that the Web allows also means that security is a huge priority, since no one wants anyone who is unauthorized accessing their confidential data. Sometimes legislation will be passed that impacts the way sensitive information is treated. If the body making these decisions is large enough, the simple passing of a new set of rules can have a seismic influence on global business and the ways that information systems are defended.

A good example of this kind of law passed in the United States is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. While HIPAA compliance is technically limited to protecting the health records of US citizens, it has a broader effect because companies headquartered elsewhere must have their systems adequately secured to meet the needs of any US patient data. Similarly, GDPR compliance is necessary for all global companies related to the data of European customers.

If the General Data Protection Regulation sounds new, it was actually passed on April 27, 2016 – so organizations were given 25 months to prepare for the May 25, 2018 effective date. It is understandable that many companies have not realized that they could have to meet the requirements of a law passed by a foreign entity.

What is the GDPR?

The General Data Protection Regulation is a wide-ranging new law that mandates reasonable protection of data of citizens within European Union countries that is handled by any business, no matter where (i.e., Europe or otherwise) the information is gathered, processed, or stored. Both organizations that have business established in European Union member states and digital entities (apps and websites) that interact with the sensitive information of European citizens must be GDPR-compliant, as indicated by Leslie K. Lambert.

If you want a little bedtime reading, the GDPR can be read in all its glory in the Official Journal of the European Union – see Regulation (EU) 2016/679 of the European Parliament and of the Council.

7 steps to GDPR compliance

If you have not had a chance to evaluate your systems and update them to reflect the new needs of the GDPR, here are simple steps you can take to achieve compliance:

#1.) Establish a GDPR team and data protection officer.

GDPR compliance should be an organization-wide concern. Assemble a group of people from various departments and roles (including IT, risk, finance, and marketing) who will each serve different functions in the adoption of these new parameters. The GDPR mandates the assignment of a data protection officer at firms or agencies that perform high-volume handling of confidential personal details or criminal backgrounds, or that conduct high-volume routine and frequent tracking of the people to whom the data applies – called data subjects.

Assuming you do not meet those stipulations and are not required to have a DPO, you may still want to assign a DPO or GDPR compliance officer so that your efforts are more straightforward, as indicated by UK attorney Rachael King.

#2.) Consider your accountability.

You will be reviewing the way that you treat data, both through your own means and through others acting on your behalf. You can better understand the GDPR, suggested Luke Irwin of IT Governance, by looking through the lens of accountability. Ask yourself the following questions related to all data you store:

  • Why is the data being stored?
  • Where did you get the data?
  • Why did you initially collect the records?
  • What is the timeframe for retention of the records?
  • Is the information well-protected, through both encryption and access restrictions?
  • What are the circumstances through which sharing with other entities occurs?

#3.) Prioritize your customers’ privacy rights.

Once you’ve taken a hard look at the way that your organization is storing and retaining information, turn and look directly at the rights of individuals, as newly mandated by the GDPR. In other words, become familiar with the privacy concerns that are the driving force behind this key law. Institutions that gather and retain data of (EU-residing) individuals have to respect certain privacy rights, which include:

  • Right to deletion (ability to remove records)
  • Right to access (ability to view records)
  • Right to portability (ability to transfer records)
  • Right to notification (ability to know key information about records)
  • Right to correction (ability to change inaccurate information)
  • Right to restriction (ability to limit the ways personal data is handled)
  • Right to object (ability to stop certain processing based on personal concerns).

#4.) Check your current documents and mind the gap.

Many organizations move first to looking at their agreements with outside entities (both service providers and clients) to gear themselves toward compliance. The first step, though, should be to look at what you currently have in place in-house, as advised by Mark Ross in Compliance Week.

Your policies, procedures, and other elements of your compliance stance should all be reviewed, with any aspects that do not meet the GDPR noted. Having looked inward, you must then look outward and verify that all of your vendors are GDPR-compliant as well. As you look at all your various systems and relationships, you are conducting a gap analysis. This analysis must check that there are data retention stipulations noting the maximum time for which data can be stored. You should also ensure that you know where and in what manner all data storage occurs, as organized within data maps.
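To make the accountability questions from step 2 and the gap analysis from step 4 concrete, here is an added example (not code from the original post or from Total Server Solutions) of a small data-map check written in Python. It models each data set you hold with the fields the questions ask about (purpose, source, retention period, encryption, access restriction, sharing, storage location) and reports every entry that fails one of them. The record fields, the constructed sample inventory, the reference date, and the 3-year maximum retention policy are all assumptions made for illustration, not values from the regulation or the post.

```python
"""Data-map gap check for a GDPR accountability review (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class DataSet:
    """One entry in the data map. Field names are hypothetical, chosen to mirror
    the step-2 accountability questions."""
    name: str
    purpose: str                     # why is the data being stored?
    source: str                      # where did you get the data?
    collected_on: date               # when was it initially collected?
    retention_days: Optional[int]    # retention stipulation; None = none documented
    encrypted_at_rest: bool          # protected by encryption?
    access_restricted: bool          # protected by access restrictions?
    location: Optional[str] = None   # where is it stored (data map)?
    shared_with: List[str] = field(default_factory=list)
    sharing_basis: Optional[str] = None   # documented circumstances for sharing


def find_gaps(inventory: List[DataSet], today: date,
              max_retention_days: int) -> Dict[str, List[str]]:
    """Return {data set name: [gap descriptions]} for every entry that fails a
    check. Entries with no gaps are omitted, so an empty dict means 'no gaps'."""
    gaps: Dict[str, List[str]] = {}
    for ds in inventory:
        issues: List[str] = []
        if not ds.purpose.strip():
            issues.append("no documented purpose for storing the data")
        if not ds.source.strip():
            issues.append("origin of the data is not documented")
        if ds.retention_days is None:
            issues.append("no retention stipulation documented")
        elif ds.retention_days > max_retention_days:
            issues.append("retention period exceeds the maximum retention policy")
        elif today - ds.collected_on > timedelta(days=ds.retention_days):
            issues.append("retention period exceeded; review for deletion")
        if not ds.encrypted_at_rest:
            issues.append("not encrypted at rest")
        if not ds.access_restricted:
            issues.append("no access restrictions in place")
        if ds.shared_with and not ds.sharing_basis:
            issues.append("shared with " + ", ".join(ds.shared_with)
                          + " without a documented basis")
        if not ds.location:
            issues.append("storage location unknown (data map incomplete)")
        if issues:
            gaps[ds.name] = issues
    return gaps


# Constructed sample inventory, for illustration only.
SAMPLE_INVENTORY = [
    DataSet("customer_accounts", "order fulfilment", "web signup form",
            date(2017, 1, 10), 730, True, True, "eu-west-db",
            ["payment processor"], "processor agreement"),
    DataSet("marketing_leads", "", "purchased list",
            date(2015, 3, 1), None, False, True, None, ["ad network"], None),
    DataSet("support_tickets", "customer support", "helpdesk",
            date(2015, 5, 1), 365, True, False, "us-east-db"),
]

# Assumed policy: nothing is kept longer than three years without review.
MAX_RETENTION_DAYS = 1095


def gap_report(today: date = date(2018, 6, 1)) -> Dict[str, List[str]]:
    """Run the check over the sample inventory as of a fixed reference date."""
    return find_gaps(SAMPLE_INVENTORY, today, MAX_RETENTION_DAYS)


if __name__ == "__main__":
    for name, issues in gap_report().items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Each reported line maps back to one of the accountability questions, so the output doubles as the list of items to fix (or to take to vendors in step 5). Extending the check to vendor-held data is a matter of adding entries whose location is the vendor's system.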

#5.) Create a gameplan and determine applicable contracts.

Once your gap analysis is complete, you can start to look carefully at all your agreements. You should have a gameplan that organizes the way your contracts are drafted and amended over time. Write your GDPR amendment, bearing in mind that your firm may fit the definition of a controller and processor under the law. Be prepared for other companies not always to accept this additional language readily. You will lower your risk by preparing this clause and using it to negotiate.

Now look at your current agreements to identify the ones that fit the scope. You can use a machine learning tool that assesses contracts in order to find the provisions that should be targeted. To complete this process:

  • Set aside any contracts that are inactive.
  • Focus your attention first on agreements that represent the greatest risk.
  • Review the contract to see if it is GDPR-compliant or not. If data is being sent outside the EU, the way in which that data is transferred will have to meet GDPR specifications.

#6.) Send amendments and store final agreements.

For any contracts that are not GDPR-compliant as-is, you need to get those agreements amended. The amendment process may take some initiative on your part since some organizations will not be as concerned with the GDPR, or otherwise not as quick to act, as others. Once you have determined what needs to be updated, send out amendments and get these new contracts signed. Once you have the agreements finalized, you can store them in a structured data format according to their key terms, within a contract lifecycle management system (to simplify organization and referencing).

#7.) Look at your data breach notification procedures.

Notification of data breaches is a core component of regulations that protect personal data, as previously seen within HIPAA and other regulations. Any time that information you are holding or processing becomes compromised, the entity that becomes aware of the breach must send information related to the incident “without undue delay” and in a maximum of 72 hours to the Information Commissioner’s Office (ICO). Verify that your environment will automatically notify you if a breach ever takes place. Also be certain that all your personnel know how to respond to a security event should one occur.

GDPR-compliant hosting

Are you concerned about the new parameters of the General Data Protection Regulation and how it specifically impacts your organization? We are happy to discuss how the needs of the GDPR can be integrated into your data documentation, systems, and partnerships. At Total Server Solutions, we provide everything you need for a GDPR-compliant system, with a 24/7 staff of engineers and full training for all our personnel. See how we’re different.