Securing SMB Online Transactions

Published: 22/11/2024   Category: security




Giving consumers the assurances they need to know they're securely sending their private information to your business



As more consumers and businesses grow savvy about the safety of the private information asked for by the companies they do business with, these customers are pushing their SMB vendors to improve the way they collect and store sensitive details during online transactions. Most fundamental in their demand for protection strategies is the assurance that when they're entering information into their browsers, the information is encrypted during transmission, so that no snooping parties can capture those details as they make their way over an Internet connection to the vendor's Web servers.
"I always say put yourself in your customers' shoes as they come to your site. What are you asking them to do? Are you asking them to buy something? Are you asking them to disclose any personal information?" says Jeff Huckaby, CEO of rackAID, an IT management firm. "At the very minimum today, their expectation is that these are secure transactions."
[Is your small business being asked by customers to provide enterprise-class security? See "Stepping Up SMB Security."]
The process of encrypting to create a so-called secured session depends on one very important item that many SMBs overlook or skimp on, to their detriment: a digital certificate. They're often referred to as SSL certificates--named for the technical protocol that governs how information is hidden from anybody but the consumer and the party they're transmitting information to.
Without getting too mired in the under-the-hood details, the long and short of these certificates is that they're used to prove to the user that the server they're connected to through their browser really belongs to your business. Since some third party has to referee the process of proving that identity, a whole business model has cropped up in which vendors called certificate authorities (CAs), or issuers, have stepped in to act as that arbiter of trust.
These CAs offer a ton of different certificates at wildly different prices, so it can be pretty confusing for uninitiated SMBs to sift through the options. While the underlying technology is just about the same for all of these certificates, Huckaby says, the CA vendors who offer them are not all created equal and the different types of certificates available make it necessary for all businesses to shop around carefully for the right fit for their business needs.
"The hardcore security guys may have qualms with me saying this, but the security you're getting is more or less the same at every CA brand in terms of the technical encryption of data going between your web visitor and you," he says. "The difference is in how they verify who you are."
For example, some brands may issue $10 certificates that only require an email to confirm the holder's identity, while others charge more than ten times as much for what are called extended validation (EV) certificates, which require lots of documentation, like copies of business licenses or articles of incorporation, before they hand over a certificate to be installed on the business site. One of the biggest benefits of such an expensive and extensive process is that it gives users added assurance that you really are who you claim to be, through the visual cue of a green bar in the browser that's shown when the browser is on a site secured using an EV certificate.
Consumers have been trained at this point to not only look for visual cues like the green bar, but also for special badges on sites marketing their use of certificates from well known CA brands. According to Huckaby, sometimes the decision of which brand to go with may come down to marketing rather than technology.
"Especially when you're in a small business, if customers don't know who you are, the person visiting the site could have some questions about whether you're a legitimate company or not, and by showing a seal for a well-known company like Symantec or VeriSign, you can help assuage that fear," he says. "There's marketing evidence that shows when you put these badges next to checkout carts or order forms, you see increases in the numbers of clients you get to spend money."
How To Choose Your CA
But cost or marketing appeal shouldn't be the only deciding factor in what kind of certificate to buy or who to buy it from. Technical support and customer service should also be top of mind, CA experts warn. Support can play a huge part in the resiliency of your online business when things go wrong, because when certificates don't work, the site can't take orders. And when the site can't take orders, cash flow is cut off.
"Many times we will see independent reviews [of other CAs] from customers where they chose to go the route of the lowest cost provider and then when crunch time came, they were left hanging," says Flavio Martins, vice president of support and validation for DigiCert, a CA that specializes in servicing SMBs. "Websites were down in the middle of the night, they try to contact their SSL provider and come to find out they don't offer 24-hour support. So the business is dead in the water until someone is able to get a hold of someone during business hours."
Martins says that when SMBs choose a certificate issuer, they should test that issuer at odd hours to make sure customer service would be available to them if a problem occurred outside of normal business hours.
Having looked into all the factors that go into encrypting a site and buying a certificate to support it, some SMB leaders may wonder whether they can simply outsource the whole process and be done with it.
The answer is yes, but Huckaby warns SMBs to be careful not to make assumptions about what kind of security an IT service provider will or will not install on a site. For example, don't just assume that your hosting provider is going to automatically take care of securing sessions and installing certificates on your behalf, he says. If you're not sure whether your existing site already uses secured sessions, check for the most basic tell-tale sign in the address bar.
"If you already have a site and you're not sure, go to any place where you ask for information on your site and simply see if it says https [instead of just http] in the address," he says.
Other visual cues, of course, include that green bar for EV certificates. If an outsourced provider has secured your sessions but used cheaper certificates or unrecognizable brands, it may be worth the investment to ask them to buy more expensive ones on your behalf or take care of it yourself, Huckaby says.
It may also be smart to think twice about outsourcing certificate buying, Martins says. One of the problems with kicking the duty to a solution provider is that as an SMB changes IT vendors or as employees at these vendors shift, they may not maintain the kind of institutional memory necessary to do a good job managing these long-term products.
"SSL is a market where you're dealing with certificates that are valid for multiple years," Martins says. "So frequently, we run into situations where an organization has changed a solution provider and they need to renew certificates and they can't contact previous providers to get a hold of all that information, and that can become a headache and a waste of time."
Should you choose to outsource, he suggests at very least ensuring that someone internal to the business is registered with the certificate issuer.
"Even if you're working with an integrator that normally handles your IT, make sure that your contact details as a business person are included in all of your orders so you always stay up to date and be notified of anything that's happening [from the issuer]," he says.
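The two practical checks the article describes, whether the pages that ask customers for information are served over https and who issued the certificate behind them and when it expires, can be automated. The following Python script is an added example written for this page; it is not code from the article, from rackAID or from DigiCert. It uses only the standard library. The SAMPLE_CERT dictionary is a constructed stand-in in the shape that getpeercert() returns, the hostnames are hypothetical, and fetch_cert() is the only function that touches the network.

```python
"""Verify that a form or checkout URL uses HTTPS and inspect the certificate
behind it: issuer, covered hostnames and days left before renewal is due.
Added example for this page, not code from the article or any vendor in it."""
import socket
import ssl
import sys
import time
from urllib.parse import urlsplit

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Not a real certificate; it exists so the checks below can run offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example-smb.test"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA Inc"),),
        (("commonName", "Example CA Domain Validation"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (
        ("DNS", "shop.example-smb.test"),
        ("DNS", "*.example-smb.test"),
    ),
}
# A fixed "now" (30 days before SAMPLE_CERT expires) so results are reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Dec  1 23:59:59 2025 GMT")


def is_https(url):
    """True only if the URL scheme is https (the address-bar tell-tale sign)."""
    return urlsplit(url).scheme.lower() == "https"


def issuer_org(cert):
    """Organization name of the CA that issued the certificate, if present."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def days_until_expiry(cert, now=None):
    """Whole days from `now` (epoch seconds, default current time) to notAfter."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now) // 86400)


def covers_hostname(cert, hostname):
    """Does a DNS subjectAltName entry cover this host? Wildcards match one label."""
    hostname = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == hostname:
            return True
        if name.startswith("*.") and "." in hostname:
            if hostname.split(".", 1)[1] == name[2:]:
                return True
    return False


def fetch_cert(hostname, port=443, timeout=5.0):
    """Fetch the server certificate, validating the chain against system roots."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def assess(url, cert, now=None, warn_days=30):
    """Return a list of findings for one URL that collects customer data."""
    findings = []
    host = urlsplit(url).hostname or ""
    if not is_https(url):
        findings.append("form is served over plain http; customer data is not encrypted in transit")
        return findings
    if not covers_hostname(cert, host):
        findings.append(f"certificate does not cover {host}; browsers will warn visitors")
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append("certificate has expired")
    elif days < warn_days:
        findings.append(f"certificate expires in {days} days; renew now")
    findings.append(f"issued by: {issuer_org(cert) or 'unknown'}")
    return findings


if __name__ == "__main__":
    # Usage: python check_site.py https://shop.example-smb.test/checkout
    target = sys.argv[1] if len(sys.argv) > 1 else "https://shop.example-smb.test/checkout"
    live = fetch_cert(urlsplit(target).hostname) if is_https(target) else {}
    for line in assess(target, live):
        print(line)
```

Running this for every page that has a form gives an inventory an SMB can keep in-house, regardless of which hosting provider or integrator installed the certificate; the expiry warning is the piece that goes missing when the provider who bought the certificate is no longer around at renewal time.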
