Digital marketing presentation - security risks for websites

1. Security & Privacy Issues for
the Consumer & Site Owner
By: Alexandra MacLeod and Liane Van Diepen
10039412/12063364
20 March 2013

2. Introduction
 Security
 Types of Risks
 Privacy
 Data Protection Act 1998
 Privacy and Electronic Communications Regulations
 Cookies
 Email Marketing and SPAM
 Managerial Implications & Preventative Measures

3. Security - Consumer Concerns
 Stolen credit card details
 Phishing
 Downloading viruses
 Website has security
certificates
Source: Smart Insights (2012)

4. Security – Site Owner
 What is information security?
 Ensuring your website is available 24 hours a day for your
customers
 Ensuring only the correct people can administer the website’s
content
 Preventing unauthorised alteration or destruction of your data
 Avoiding your website being used to distribute other peoples’
software
 Ensuring that your employees cannot accidentally delete
valuable information
 Stopping your website being used to damage users’ computers
 Protecting your reputation
Source: Watson Hall Security, Smart Insights (2012)

5. Types of Security Risks
 Denial of Service Attack
 Hacking
 Destruction of Data - viruses
 Malware
 Phishing
 Secure Payments/Website Encryption
Source: Watson Hall Security (2013);
Symantec Internet Security Threat
Report (2012);

6. Denial of Service Attack
 Hackers overload website
with traffic
 Website can't handle
volume and shuts down
 Major disruption to service

7. Hacking
 Unauthorised website
access/publication
 Malicious intent /
monetary gain
 The Sun newspaper
hacked by infamous
LulzSec hacking group
 1 million online users
 Data Protection
obligations

8. Destruction of Data - Viruses
 Computer viruses can shut
down company websites
 I Love You Virus
 Attachment sent via email
 Overwrites photo/video
files
 Shutdown websites
including Ford and Chrysler
due to employees opening
infected email attachments

9. Malicious Software on Websites
 “When it comes to computer
viruses, you’re now more
likely to catch one visiting a
church website than surfing for
porn” – Symantec (2012)
 Malware – viruses, worms,
Trojans, bots
 Infects website the user’s
computers
 Downloadable files on websites
are a hotbed for viruses
 External content on websites
such as videos and photos are
virus-prone
Source : Symantec Internet Security
Threat Report (2012)

10. Secure Payments/Website
Encryption
 Secure payments
 Well known payment system such as
WorldPal or PayPal which uses encryption
 Use Transport Layer Security (TLS) and
Secure Socket Layers (SSL) certificates to
reassure customers:
 Padlock
 HTTPS
 Green Address Bar
 Legally incorporated name
Source: Global Sign, (2013)

11. Phishing
 Masquerades as an official
website communication
 Requests users' login
information
 Uses information to
fraudulently obtain funds
from their account
 Who is responsible for the
customer’s loss?

12. Managerial Implications
 Reputational damage
 Trust
 Disruption
 Inconvenience
 Loss of traffic
 Costs

13. Managerial Preventative Measures
 Secure website design from
the beginning –
difficult/expensive to add
later
 Antivirus software is always
up to date
 Firewalls
 Phishing notifications via
email
 Employee email filtering
 Securesign SSL/TLS
Certificates
 Split login screens

14. Privacy
 Data Protection Act 1998
 How data is collected and used
 Privacy and Electronic Communications Regulations
 Cookies
 Email Marketing and SPAM

15. Consumer Concerns
 Data leakage – how secure
is my data and what
happens if it is lost/leaked?
 Data use without consent
 Annoyance/Waste of time
 Not having opt in/opt out
notices
Source: Smart Insights (2012)

16. Data Protection Act 1998
 Eight Principles:
 1. Fairly and lawfully processed
 2. Processed for limited purposes
 3. Adequate, relevant and not excessive
 4. Accurate and up to date
 5. Not kept longer than necessary
 6. Processed in accordance with the individuals rights
 7. Secure
 8. Not transferred to a country outside the EEC unless it
has adequate protection
Most breached principle in
2012

17. Data Protection Act 1998
 Applies to customers as well
as employees
 Personal data
 Name, address, NI Number
 Sensitive data
 Political views, religion,
ethnicity
 Data subject access requests
 Enforced by the Information
Commissioner’s Office

18. Data Protection Non-compliance
 Monetary – up to £500,000
 Undertaking
 Prosecution

19. Privacy and Electronic
Communications Regulations
 Electronic Marketing
Activities
 Email marketing and
SPAM
 Cookies
 Enforced by the Information
Commissioners Office

20. Cookies
 What is a Cookie?
 A small text file that stores user
information on their computer
 What is it used for?
 Shopping cart
 Personalisation
 Cookie Ingredients
 Domain
 Name
 Value
 Expiry
 Path
 Secure
 HTTP only

21. Privacy Directive 26 May 2012
 Website notification that cookies are in use
 Gives option/instructions how to disable and find further
information

22. Email Marketing and SPAM
 What is SPAM?
 Emails sent without consent
 Sent in bulk and impersonalised
 Email Marketing Regulations
 Consent must be given to receive marketing communications - except where there is a
defined relationship
 Must contain an unsubscribe link in the email
 ICO can investigate complaints relating to SPAM sent from the UK

23. Email Marketing and SPAM
 Consent
 User must “opt in” rather than
“opt out” – i.e. the check box
should be unticked
 Must be made clear that they are
consenting to receive
communications
 What is a defined
relationship/soft opt-in?
 Obtained customer details during
course of previous sale
transaction
 Marketing is of similar products
 Option to opt-out is given in
every future message

24. PECR Non-compliance
 Written request for
compliance
 Monetary – up to £500,000
 Undertaking
 Prosecution

25. Managerial Implications
 Large fines
 Reputational damage
 Trust
 Angry customers

26. Managerial/Consumer
Preventative Measures
 Appoint a Data Controller for your
organisation who will be
responsible for DPA and PECR
obligations – legal obligation under
DPA
 Ensure fully compliant with all
legislation and regulations
 Security and privacy notices on
the website in plain English to
reassure customers
 Be careful who your email address
is given to
 Don’t click on spam and
attachments
 Unsubscribe/ Opt out

27. Conclusion
 Security
 Priority
 Reassurance for customers
 Privacy
 Comply with laws and regulations
to avoid punishment
 Reassurance for customers
 For more information:
 Symantec Internet Security
Threat Report 2011 (published
April 2012)
 ICO website

28. References
 Chaffey, D., 2013. Website Security Requirements. [online]. Available at:
http://www.smartinsights.com/ecommerce/payment-security/website-security-
requirements/ [accessed 28 February 2013]
 Chaffey, D., 2012. Research on consumer attitudes to online privacy. [online]. Available
at: http://www.smartinsights.com/marketplace-analysis/customer-analysis/research-on-
consumer-attitudes-to-online-privacy/ [accessed 28 February 2013]
 Chaffey, D., Mayer, R., Johnston, K. and Ellis-Chadwick, F., 2000. Internet Marketing.
Essex: Pearson.
 Financial Ombudsman Service, 2013. Disputed technical transaction. [online]. Available at:
http://www.financial-ombudsman.org.uk/publications/technical_notes/disputed-
transactions.htm [accessed 10 March 2013]
 Global Sign, 2013. Security Certificates. [Online]. Available at:
https://www.globalsign.co.uk/ssl/domain-ssl/ [accessed 18 March 2013]
 Halliday, J., 2012. The Guardian reaches nearly 9 million readers across print and online.
[online]. Available at: http://www.guardian.co.uk/media/2012/sep/12/guardian-9-
million-readers-nrs [accessed 10 March 2013]
 Information Commissioner’s Office, 2013. Data Protection Act Claiming Compensation.
[online] available at:
http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/c
laiming_compensation.pdf [accessed 12 March 2013]
 Information Commissioner’s Office, 2013. Electronic Mail (Regulations 22 and 23). [online]
available at:
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_gui
de/electronic_mail.aspx [accessed 10 March 2013]
 Information Commissioner’s Office, 2013. Privacy and Electronic Communications
Regulations. [online] available
at:http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications.aspx
[accessed 3 March 2013]
 Information Commissioner’s Office, 2013. Sensitive details of NHS staff
published by Trust in Devon. [online] available at:
http://www.ico.gov.uk/news/latest_news/2012/sensitive-details-of-nhs-staff-
published-by-devon-trust-06082012.aspx
 Information Commissioner’s Office, 2013. Viral Marketing. [online] available at:
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_gui
de/viral_marketing.aspx [accessed 3 March 2013]
 Oremus, W., 2013. Unprotected Sects. [online] Available at:
http://www.slate.com/articles/technology/technology/2012/05/malware_and_computer_vi
ruses_they_ve_left_porn_sites_for_religious_sites_.html [accessed 12 March 2013]
 Norton, 2013. Phishing [online]. Available at:
http://uk.norton.com/security_response/phishing.jsp [accessed 10 March 2013]
 Paypal, 2013. Security. [online]. Available at:
https://www.paypal.com/uk/webapps/mpp/paypal-safety-and-security [accessed 10 March
2013]
 Perlroth, N, 2012. Six big banks targeted in online attacks. [online. Available at:
http://www.bostonglobe.com/business/2012/09/30/banks-hits-wave-computer-attacks-
group-claiming-middle-east-ties/gsE6W3V57nBAYrko1ag8rN/story.html [accessed 10 March
2013]
 Seltzer, L, 2010. ‘I Love You’ virus turns ten: what have we learned? [online]. Available
at: http://www.pcmag.com/article2/0,2817,2363172,00.asp [accessed 28 February 2013]
 Symantec, (2012). Internet Security Threat Report 2011{online]. Available at:
http://www.symantec.com/content/en/us/enterprise/other_resources/b-
istr_main_report_2011_21239364.en-us.pdf [ accessed 12 March 2013]
 Teixera, R, 2007. Top five small business internet security threats. [online]. Available at:
http://smallbiztrends.com/2007/06/top-five-small-business-internet-security-threats.html
[accessed 3 March 2013].
 Watson Hall, 2013. Top 10 Website Security Issues. [online]. Available at:
https://www.watsonhall.com/resources/downloads/top10-website-security-issues.pdf
[accessed 28 February 2013]