4. Security – Site Owner
What is information security?
Ensuring your website is available 24 hours a day for your customers
Ensuring only the correct people can administer the website’s content
Preventing unauthorised alteration or destruction of your data
Avoiding your website being used to distribute other people’s software
Ensuring that your employees cannot accidentally delete valuable information
Stopping your website being used to damage users’ computers
Protecting your reputation
Source: Watson Hall Security, Smart Insights (2012)
5. Types of Security Risks
Denial of Service Attack
Hacking
Destruction of Data - viruses
Malware
Phishing
Secure Payments/Website Encryption
Source: Watson Hall Security (2013); Symantec Internet Security Threat Report (2012)
6. Denial of Service Attack
Hackers overload the website with traffic
Website can't handle the volume and shuts down
Major disruption to service
8. Destruction of Data – Viruses
Computer viruses can shut down company websites
I Love You Virus
Attachment sent via email
Overwrites photo/video files
Shut down websites including Ford and Chrysler due to employees opening infected email attachments
9. Malicious Software on Websites
“When it comes to computer viruses, you’re now more likely to catch one visiting a church website than surfing for porn” – Symantec (2012)
Malware – viruses, worms, Trojans, bots
Infects the website and users’ computers
Downloadable files on websites are a hotbed for viruses
External content on websites such as videos and photos is virus-prone
Source: Symantec Internet Security Threat Report (2012)
10. Secure Payments/Website Encryption
Secure payments
Use a well-known payment system such as WorldPay or PayPal, which uses encryption
Use Transport Layer Security (TLS) and Secure Sockets Layer (SSL) certificates to reassure customers:
Padlock
HTTPS
Green address bar
Legally incorporated name
Source: Global Sign (2013)
11. Phishing
Masquerades as an official website communication
Requests users' login information
Uses the information to fraudulently obtain funds from their account
Who is responsible for the customer’s loss?
13. Managerial Preventative Measures
Secure website design from the beginning – difficult/expensive to add later
Antivirus software is always up to date
Firewalls
Phishing notifications via email
Employee email filtering
Securesign SSL/TLS certificates
Split login screens
14. Privacy
Data Protection Act 1998
How data is collected and used
Privacy and Electronic Communications Regulations
Cookies
Email Marketing and SPAM
15. Consumer Concerns
Data leakage – how secure is my data and what happens if it is lost/leaked?
Data use without consent
Annoyance/waste of time
Not having opt-in/opt-out notices
Source: Smart Insights (2012)
16. Data Protection Act 1998
Eight Principles:
1. Fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept longer than necessary
6. Processed in accordance with the individual’s rights
7. Secure
8. Not transferred to a country outside the EEC unless it has adequate protection
Most breached principle in 2012
17. Data Protection Act 1998
Applies to customers as well as employees
Personal data
Name, address, NI number
Sensitive data
Political views, religion, ethnicity
Data subject access requests
Enforced by the Information Commissioner’s Office
19. Privacy and Electronic Communications Regulations
Electronic marketing activities
Email marketing and SPAM
Cookies
Enforced by the Information Commissioner’s Office
20. Cookies
What is a Cookie?
A small text file that stores user information on their computer
What is it used for?
Shopping cart
Personalisation
Cookie Ingredients
Domain
Name
Value
Expiry
Path
Secure
HttpOnly
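The cookie ingredients listed above map directly onto the attributes of an HTTP Set-Cookie header. The following added example (not part of the original slides) parses a header into those ingredients, checks whether a shopping-cart or login cookie carries the two protective flags, Secure and HttpOnly, and builds a header that always includes them. The header strings and the domain `shop.example` are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    """The 'ingredients' from the slide: domain, name, value, expiry, path, Secure, HttpOnly."""
    name: str
    value: str
    domain: Optional[str] = None
    path: Optional[str] = None
    expires: Optional[str] = None
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into its name=value pair and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie.domain = val.lstrip(".")  # a leading dot is ignored by browsers
        elif key == "path":
            cookie.path = val
        elif key == "expires":
            cookie.expires = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def audit_session_cookie(cookie: Cookie) -> List[str]:
    """Report the flags a cart/login cookie is missing; an empty list means it is fine."""
    problems = []
    if not cookie.secure:
        problems.append("missing Secure: the browser will also send it over plain HTTP")
    if not cookie.http_only:
        problems.append("missing HttpOnly: any script running on the page can read it")
    return problems


def build_session_cookie(name: str, value: str, domain: str, path: str = "/") -> str:
    """Emit a Set-Cookie value for a site that always sets both protective flags."""
    return f"{name}={value}; Domain={domain}; Path={path}; Secure; HttpOnly"


# Constructed sample headers: one as a site might ship it, one hardened with the builder.
WEAK_HEADER = "session=abc123; Domain=shop.example; Path=/; Expires=Wed, 09 Jun 2021 10:18:14 GMT"
GOOD_HEADER = build_session_cookie("session", "abc123", "shop.example")
```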
21. Privacy Directive 26 May 2012
Website notification that cookies are in use
Gives the option/instructions on how to disable them and where to find further information
22. Email Marketing and SPAM
What is SPAM?
Emails sent without consent
Sent in bulk and impersonal
Email Marketing Regulations
Consent must be given to receive marketing communications – except where there is a defined relationship
Must contain an unsubscribe link in the email
ICO can investigate complaints relating to SPAM sent from the UK
23. Email Marketing and SPAM
Consent
User must “opt in” rather than “opt out” – i.e. the check box should be unticked by default
Must be made clear that they are consenting to receive communications
What is a defined relationship/soft opt-in?
Customer details were obtained during the course of a previous sale transaction
Marketing is of similar products
Option to opt out is given in every future message
26. Managerial/Consumer Preventative Measures
Appoint a Data Controller for your organisation who will be responsible for DPA and PECR obligations – a legal obligation under the DPA
Ensure full compliance with all legislation and regulations
Security and privacy notices on the website in plain English to reassure customers
Be careful who your email address is given to
Don’t click on spam or attachments
Unsubscribe/opt out
27. Conclusion
Security
Priority
Reassurance for customers
Privacy
Comply with laws and regulations to avoid punishment
Reassurance for customers
For more information:
Symantec Internet Security Threat Report 2011 (published April 2012)
ICO website
28. References
Chaffey, D., 2013. Website Security Requirements. [online]. Available at: http://www.smartinsights.com/ecommerce/payment-security/website-security-requirements/ [accessed 28 February 2013]
Chaffey, D., 2012. Research on consumer attitudes to online privacy. [online]. Available at: http://www.smartinsights.com/marketplace-analysis/customer-analysis/research-on-consumer-attitudes-to-online-privacy/ [accessed 28 February 2013]
Chaffey, D., Mayer, R., Johnston, K. and Ellis-Chadwick, F., 2000. Internet Marketing. Essex: Pearson.
Financial Ombudsman Service, 2013. Disputed technical transaction. [online]. Available at: http://www.financial-ombudsman.org.uk/publications/technical_notes/disputed-transactions.htm [accessed 10 March 2013]
Global Sign, 2013. Security Certificates. [online]. Available at: https://www.globalsign.co.uk/ssl/domain-ssl/ [accessed 18 March 2013]
Halliday, J., 2012. The Guardian reaches nearly 9 million readers across print and online. [online]. Available at: http://www.guardian.co.uk/media/2012/sep/12/guardian-9-million-readers-nrs [accessed 10 March 2013]
Information Commissioner’s Office, 2013. Data Protection Act Claiming Compensation. [online]. Available at: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/claiming_compensation.pdf [accessed 12 March 2013]
Information Commissioner’s Office, 2013. Electronic Mail (Regulations 22 and 23). [online]. Available at: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/electronic_mail.aspx [accessed 10 March 2013]
Information Commissioner’s Office, 2013. Privacy and Electronic Communications Regulations. [online]. Available at: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications.aspx [accessed 3 March 2013]
Information Commissioner’s Office, 2013. Sensitive details of NHS staff published by Trust in Devon. [online]. Available at: http://www.ico.gov.uk/news/latest_news/2012/sensitive-details-of-nhs-staff-published-by-devon-trust-06082012.aspx
Information Commissioner’s Office, 2013. Viral Marketing. [online]. Available at: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/viral_marketing.aspx [accessed 3 March 2013]
Oremus, W., 2013. Unprotected Sects. [online]. Available at: http://www.slate.com/articles/technology/technology/2012/05/malware_and_computer_viruses_they_ve_left_porn_sites_for_religious_sites_.html [accessed 12 March 2013]
Norton, 2013. Phishing. [online]. Available at: http://uk.norton.com/security_response/phishing.jsp [accessed 10 March 2013]
Paypal, 2013. Security. [online]. Available at: https://www.paypal.com/uk/webapps/mpp/paypal-safety-and-security [accessed 10 March 2013]
Perlroth, N., 2012. Six big banks targeted in online attacks. [online]. Available at: http://www.bostonglobe.com/business/2012/09/30/banks-hits-wave-computer-attacks-group-claiming-middle-east-ties/gsE6W3V57nBAYrko1ag8rN/story.html [accessed 10 March 2013]
Seltzer, L., 2010. ‘I Love You’ virus turns ten: what have we learned? [online]. Available at: http://www.pcmag.com/article2/0,2817,2363172,00.asp [accessed 28 February 2013]
Symantec, 2012. Internet Security Threat Report 2011. [online]. Available at: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf [accessed 12 March 2013]
Teixera, R., 2007. Top five small business internet security threats. [online]. Available at: http://smallbiztrends.com/2007/06/top-five-small-business-internet-security-threats.html [accessed 3 March 2013]
Watson Hall, 2013. Top 10 Website Security Issues. [online]. Available at: https://www.watsonhall.com/resources/downloads/top10-website-security-issues.pdf [accessed 28 February 2013]
Editor’s Notes
Lianne
Lianne – introduction – what we will cover during the presentation
Lianne – these are the top four concerns for security that consumers have according to a Smart Insights survey in 2012 and these concerns will be covered in this presentation
Lianne – Leading internet security firm Watson Hall describes information security as the following: [reads from list].
Lex – types of security risk which are contained within the previous definition
Lex – describe what a denial of service attack is, use examples of the American banks. Implication: reputation-trust
Lex – describe what hacking is, talk about the Sun. Implication: Reputation
Lex – describe what viruses can do to website, talk about I LOVE YOU. Implication: Reputation / costs
Lex – describe what malware is and how it can be contained within website. Implication: Reputation / costs
Lex – importance of using secure payment system with encryption, using TLS and SSL certificate to reassure customers. Explain the above image.
Lex – Explain phishing – QUESTION TIME: Ask class who they think the responsibility for this kind of fraud lies with. Explain it.
Lianne – as above
Lianne – as above
Lianne – introduction to privacy section
Lianne – according to a Smart Insights survey the following are consumers’ biggest concerns regarding privacy and communications
Lex – discuss each principle
Lex – as above
Lex – types of penalty with examples
Lianne – The PECR covers electronic marketing activities such as email marketing, SPAM and cookies. As with the Data Protection Act, it is enforced by the ICO
Lianne – can you add some info here? I don’t know much about this. Thanks!
Lianne – as above and further info you think of
Lianne – as above plus whatever else you think necessary – the defined relationship is discussed in the next slide so maybe say “...except where there is a defined relationship....which will be discussed in the next slide....must contain unsubscribe..”??
Lianne – As above plus whatever further information you think is necessary
Lianne/Lex (I don’t mind doing it if you prefer but up to you). As with the DPA, the ICO can impose the same types of penalties – after a written notice for compliance has been issued. The ICO has written to companies who were deemed non-compliant with the cookie regulations, including the above companies. No penalties as yet and the ICO is working with them to achieve compliance.