Secure Your Customer Data: Here’s How
A computer programmer visited Guess.com last year to look for jeans. Before entering his order, he keyed a string of characters into the site’s address bar, and up popped about 200,000 of Guess.com’s customer names and credit card numbers.
His selection of characters wasn’t random. Rather, the code he keyed in is well known among programmers, and plugging it in is called an SQL (Structured Query Language) injection attack.
To determine if your site is vulnerable to an SQL injection attack, Stephen Cobb, senior vice president for research and education at ePrivacy Group, a privacy technology and consulting firm, suggests the following steps:
1. Get your Web systems checked by a security expert familiar with SQL and other common online vulnerabilities. “Talk with the people who set up your e-commerce site and determine if they’re aware of this and similar vulnerabilities. Have they checked for them specifically?” Cobb asks.
Based on their responses, you may feel secure about your site, or you may decide to hire an outside expert to do a security audit of your site. “This may be especially important if you’ve had, say, a neighbor who took a few Web courses design your site,” says Cobb.
The cost for such audits varies depending on the size of your e-commerce operation. Generally you can expect to pay $1,000 to $2,500 per day, says Cobb. An audit may take one to 10 days. But that still may be cheaper than getting hit with a fine from the FTC. When selecting an auditor, look for a CISSP, which stands for Certified Information Systems Security Professional.