Running Head: SECURITY ISSUES OF SMALL E-COMMERCE WEBSITES
E-commerce Website Security Issues
March 26, 2008
The research topic I have chosen for this CIS666 final paper is the recognition and evaluation of e-commerce website security issues for a small company that lacks the technical and human resources to fully cover all aspects of running a website. How can a small company protect its e-commerce website against all the security threats endangering the company's assets and operations? Based on the list of security issues I cover in this paper, my recommendation is that a small company with limited resources should outsource the running of its e-commerce website to a credible web-hosting company with enough IT resources to better deal with common security issues.
Any company trying to enter any business should conduct extensive research into its ability to succeed in an increasingly challenging environment, thoroughly evaluating its situation, business opportunities, challenges and risks, and carefully weighing all of its options before deciding how to implement its business plan. The same applies to a company that wants to successfully launch an e-commerce website. Detailed research and solid planning will significantly affect the outcome. While there are many challenges in building an e-commerce website, I would like to focus on only one, but major, aspect of running an e-commerce website, and that is security. Security is one of the most important issues that must be resolved to ensure the success of e-commerce. With so many well-publicized security failures that often embarrass even sizable companies, small businesses must seriously question whether they will ever be able to completely defend their websites, when even some big companies occasionally fail to defend themselves against all the security threats waiting on the Internet to be exploited by hackers and scammers, possibly risking their entire business future. Of course, to reach global markets and more customers, even a small company will have to implement an e-commerce website, but the question each small company should be asking is: should the website be developed and run in-house, or should it be outsourced? One of the most important decision-making arguments should be the level of security needed. Will a small company be able to defend its e-commerce website, its hardware, software, and data, and protect its customers against system failures, hackers, fraud and data theft?
To answer these questions, I would like to cover in this paper several major e-commerce security issues that have to be considered, before making a final decision about an in-house development and in-house implementation of the website, or outsourcing either the development or running of the website, or some combination of the two options.
I would like to start with some statistics provided by the U.S. Department of Labor: Forty percent of businesses never reopen after catastrophic data loss. Fifty percent of all businesses will fail within three years if they cannot recover lost data within 24 hours. Ninety-three percent of businesses fail if data is lost for ten days or more. Over forty percent of small businesses experience challenges when it comes to data backup. (U. S. Department of Labor – Information Security, 2008). Protecting business data is crucial, and the recent statistics support the sense of urgency. Every company should have a disaster recovery plan that covers not only natural disasters like earthquakes, flooding, hurricanes, tornadoes, and other weather-related disasters, but also man-made disasters like fire, loss of power, hardware failure and loss of data, including a cyber-attack, and even a terrorist attack. Every potential risk should be addressed and evaluated for the magnitude of the harm, and a proper response should be developed. While the company's data might be its most valuable asset, a proper response also needs to be developed for any major systems and their software, hardware, and networking components, including backup personnel sufficiently capable of operating these systems. That might require additional staffing, extra training and also opening access to the systems to more people, and that creates additional security issues. Critical hardware must be duplicated, periodically tested and updated to ensure continuous operations. The best practice is to have at least two geographical locations to prevent a disruption of operations due to a local disaster. The same applies to data. There must be a sufficient data backup that is occasionally tested for consistency, and there should be several geographical locations for backup data storage, with easy and fast access in case of emergency. And that in turn