Are your company websites and applications data secure?

With so many high profile public internet hacks making the headlines almost weekly, you may be thinking that hackers are just targeting large enterprise companies. You may be thinking your company is too small in the eyes of a hacker. Infact, smaller companies could be easier targets as they are normally easier to penetrate, especially thier websites. Small companies are having data stolen every day, quite often without them knowing.

I can't see them targeting me...

We already know nation states have been capturing insecure internet traffic for decades. There is a lot of information to be stored, viewed and ultimately sold. Hackers know the black market pays well for private company data. A lot of the data is stolen when the website is sending or receiving the data (in transit), without a secure connection to your website it is trivial to steal (intercept) this data. Even when the data is stored on the server it can be stolen if it is not secured correctly.

Securing your communications (data in transit)

In 2015 your website, email, and even your phone should be used securely. A secure communication can be handled using 'SSL' (Secure Socket Layer). You will know if your company has one on their website because the web address will starthttps://. The 's' being the important part.

What the 'SSL' does is allow all communications made between your computer (or phone) to a website, secure. This security is offered in the form of encryption (confidentiality) and assurance that the data being transferred has not been altered (integrity). 

SSL v.s. TLS?

You will have probably heard the term, "Our site uses SSL", in reality what they probably mean is TLS. TLS (Transport Layer Security) is the follow on from SSL version 3.0. Think of it as the next generation of SSL. TLS 1.2 is the current version. 

Securing the stored data (data at rest)

Even when the data has been received by your website, it needs to be stored in a database securely. A https connection secures the data in transit, but when it arrives at the server it needs to be protected when it is stored (at rest). One way to achieve this is through encryption. There should be no reason to store un-encrypted (cleartext) private data in databases. You might even be breaking some laws.