Security & Privacy Issues for the Consumer & Site Owner
By: Alexandra MacLeod and Liane Van Diepen
10039412/12063364
20 March 2013
Introduction
Security
Types of Risks
Privacy
Data Protection Act 1998
Privacy and Electronic Communications Regulations
Cookies
Email Marketing and SPAM
Managerial Implications & Preventative Measures
Security - Consumer Concerns
Stolen credit card details
Phishing
Downloading viruses
Website has security certificates
Source: Smart Insights (2012)
Security – Site Owner
What is information security?
Ensuring your website is available 24 hours a day for your customers
Ensuring only the correct people can administer the website’s content
Preventing unauthorised alteration or destruction of your data
Avoiding your website being used to distribute other people’s software
Ensuring that your employees cannot accidentally delete valuable information
Stopping your website being used to damage users’ computers
Protecting your reputation
Source: Watson Hall Security, Smart Insights (2012)
Types of Security Risks
Denial of Service Attack
Hacking
Destruction of Data - viruses
Malware
Phishing
Secure Payments/Website Encryption
Source: Watson Hall Security (2013); Symantec Internet Security Threat Report (2012)
Denial of Service Attack
Attackers overload the website with traffic or requests
The server can’t handle the volume and stops responding
Major disruption to service
Hacking
Unauthorised website access/publication
Malicious intent / monetary gain
The Sun newspaper hacked by the LulzSec hacking group (2011)
1 million online users
Data Protection obligations
Destruction of Data - Viruses
Computer viruses can shut down company systems and websites
ILOVEYOU virus (2000)
Spread as an attachment sent via email
Overwrote image, script and other files on the infected machine
Companies including Ford and Chrysler shut down their email systems after employees opened the infected attachment
Malicious Software on Websites
“When it comes to computer viruses, you’re now more likely to catch one visiting a church website than surfing for porn” – Symantec (2012)
Malware – viruses, worms, Trojans, bots
Infects websites and, through them, the computers of the users who visit them
Downloadable files on websites are a hotbed for viruses
External content on websites such as videos and photos are virus-prone
Source: Symantec Internet Security Threat Report (2012)
Secure Payments/Website Encryption
Secure payments
Well-known payment system such as WorldPay or PayPal, which uses encryption
Use Transport Layer Security (TLS) / Secure Sockets Layer (SSL) certificates to reassure customers (SSL is the older protocol, now deprecated; TLS replaced it):
Padlock
HTTPS
Green Address Bar (Extended Validation certificate)
Legally incorporated name
Source: Global Sign (2013)
Phishing
Masquerades as an official website communication
Requests users’ login information
Uses information to fraudulently obtain funds from their account
Who is responsible for the customer’s loss?
Managerial Implications
Reputational damage
Trust
Disruption
Inconvenience
Loss of traffic
Costs
Managerial Preventative Measures
Secure website design from the beginning: difficult/expensive to add later
Keep antivirus software up to date
Firewalls
Phishing notifications via email
Employee email filtering
Securesign SSL/TLS certificates
Split login screens (credentials entered over more than one page)
Privacy
Data Protection Act 1998
How data is collected and used
Privacy and Electronic Communications Regulations
Cookies
Email Marketing and SPAM
Consumer Concerns
Data leakage: how secure is my data and what happens if it is lost/leaked?
Data use without consent
Annoyance/Waste of time
Not having opt-in/opt-out notices
Source: Smart Insights (2012)
Data Protection Act 1998
Eight Principles:
1. Fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Not kept longer than necessary
6. Processed in accordance with the individual’s rights
7. Secure
8. Not transferred to a country outside the EEA unless it has adequate protection
Most breached principle in 2012
Data Protection Act 1998
Applies to customers as well as employees
Personal data: name, address, NI number
Sensitive data: political views, religion, ethnicity
Data subject access requests
Enforced by the Information Commissioner’s Office
Data Protection Non-compliance
Monetary – up to £500,000
Undertaking
Prosecution
Privacy and Electronic Communications Regulations
Electronic Marketing Activities
Email marketing and SPAM
Cookies
Enforced by the Information Commissioner’s Office
Cookies
What is a Cookie?
A small piece of text that a website sets and the browser stores on the user’s computer, sending it back with later requests to that site
What is it used for?
Shopping cart
Personalisation
Cookie Ingredients
Domain: which hosts the browser sends the cookie to
Name
Value
Expiry: when the browser discards it (no expiry means a session cookie, kept until the browser closes)
Path: which URL paths on the host receive it
Secure: only sent over HTTPS
HTTP only: not readable by page scripts (JavaScript), so a cross-site scripting flaw cannot steal it
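The ingredients listed above are exactly what a browser reads from a Set-Cookie header. The Python below is an added example, not part of the original slides: it parses a header into those ingredients, flags the ones a site owner should not leave out (Secure, HttpOnly, an expiry, a Path, and a Domain no wider than the host that set it), and builds a hardened header. The host name shop.example.com and the sample headers are constructed for illustration.

```python
"""Set-Cookie attribute audit for the cookie ingredients on the slide:
Domain, Name, Value, Expiry, Path, Secure, HttpOnly.

Added example, not from the original deck.  The sample headers and the
host name shop.example.com are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value; flag attributes such as
    # Secure and HttpOnly carry no value and are stored as None
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header value into the cookie pair and its attributes.

    Attribute names are case-insensitive (RFC 6265); the cookie name and
    value are returned as the server wrote them."""
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        raise ValueError("Set-Cookie must start with name=value")
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def audit_cookie(header: str, site_host: str) -> List[str]:
    """Return findings for a Set-Cookie header as seen by a browser visiting
    site_host.  An empty list means every protective attribute is present."""
    c = parse_set_cookie(header)
    findings: List[str] = []
    if "secure" not in c.attrs:
        findings.append("missing Secure: sent over plain HTTP, so it can be sniffed")
    if "httponly" not in c.attrs:
        findings.append("missing HttpOnly: readable by page scripts, so XSS can steal it")
    if "expires" not in c.attrs and "max-age" not in c.attrs:
        findings.append("no Expires/Max-Age: session cookie kept until the browser closes")
    if "path" not in c.attrs:
        findings.append("no Path: browser scopes it to the directory of the setting URL")
    domain = c.attrs.get("domain")
    if domain:
        d = domain.lstrip(".").lower()
        host = site_host.lower()
        if not (host == d or host.endswith("." + d)):
            findings.append(f"Domain={domain} does not cover {site_host}: browser rejects the cookie")
        elif d != host:
            # Wider than the setting host: every subdomain (and anyone who
            # controls one) receives it.  Public-suffix rules are not checked here.
            findings.append(f"Domain={domain} is wider than {site_host}: shared with all subdomains")
    return findings


def build_set_cookie(name: str, value: str, *, max_age: Optional[int] = None,
                     path: str = "/", domain: Optional[str] = None,
                     secure: bool = True, http_only: bool = True) -> str:
    """Compose a Set-Cookie header with hardened defaults.

    Rejects characters that would let a value terminate the header early
    (';' starts a new attribute, CR/LF starts a new header line)."""
    for text in (name, value):
        if not text or any(ch in text for ch in ";\r\n\"\\, "):
            raise ValueError(f"unsafe cookie token: {text!r}")
    parts = [f"{name}={value}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    parts.append(f"Path={path}")
    if domain:
        parts.append(f"Domain={domain}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


if __name__ == "__main__":
    HOST = "shop.example.com"          # constructed host name
    WEAK = "session=abc123; Path=/"    # constructed: a typical unhardened cookie
    for finding in audit_cookie(WEAK, HOST):
        print("weak    :", finding)
    hardened = build_set_cookie("session", "abc123", max_age=1800, domain=HOST)
    print("hardened:", hardened)
    print("findings:", audit_cookie(hardened, HOST))
```

Running the file prints three findings for the weak header (no Secure, no HttpOnly, no expiry) and an empty list for the hardened one. The Domain check is deliberately strict: a cookie scoped to a parent domain is delivered to every subdomain, which matters as soon as one of them is hosted by a third party.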
Privacy Directive 26 May 2012
Website notification that cookies are in use
Gives option/instructions on how to disable them and find further information
Email Marketing and SPAM
What is SPAM?
Emails sent without consent
Sent in bulk and impersonal
Email Marketing Regulations
Consent must be given to receive marketing communications - except where there is a defined relationship
Must contain an unsubscribe link in the email
ICO can investigate complaints relating to SPAM sent from the UK
Email Marketing and SPAM
Consent
User must “opt in” rather than “opt out” – i.e. the check box should be unticked
Must be made clear that they are consenting to receive communications
What is a defined relationship/soft opt-in?
Obtained customer details during course of previous sale transaction
Marketing is of similar products
Option to opt-out is given in every future message
PECR Non-compliance
Written request for compliance
Monetary – up to £500,000
Undertaking
Prosecution
Managerial Implications
Large fines
Reputational damage
Trust
Angry customers
Managerial/Consumer
Preventative Measures
Register (notify) with the ICO as a data controller, which is a legal obligation under the DPA, and give a named person in your organisation responsibility for DPA and PECR obligations
Ensure fully compliant with all legislation and regulations
Security and privacy notices on the website in plain English to reassure customers
Be careful who your email address is given to
Don’t click on spam and attachments
Unsubscribe/ Opt out
Conclusion
Security
Priority
Reassurance for customers
Privacy
Comply with laws and regulations to avoid punishment
Reassurance for customers
For more information:
Symantec Internet Security Threat Report 2011 (published April 2012)
ICO website
References
Chaffey, D., 2013. Website Security Requirements. [online]. Available at: http://www.smartinsights.com/ecommerce/payment-security/website-security-requirements/ [accessed 28 February 2013]
Chaffey, D., 2012. Research on consumer attitudes to online privacy. [online]. Available at: http://www.smartinsights.com/marketplace-analysis/customer-analysis/research-on-consumer-attitudes-to-online-privacy/ [accessed 28 February 2013]
Chaffey, D., Mayer, R., Johnston, K. and Ellis-Chadwick, F., 2000. Internet Marketing. Essex: Pearson.
Financial Ombudsman Service, 2013. Disputed technical transaction. [online]. Available at: http://www.financial-ombudsman.org.uk/publications/technical_notes/disputed-transactions.htm [accessed 10 March 2013]
Global Sign, 2013. Security Certificates. [online]. Available at: https://www.globalsign.co.uk/ssl/domain-ssl/ [accessed 18 March 2013]
Halliday, J., 2012. The Guardian reaches nearly 9 million readers across print and online. [online]. Available at: http://www.guardian.co.uk/media/2012/sep/12/guardian-9-million-readers-nrs [accessed 10 March 2013]
Information Commissioner’s Office, 2013. Data Protection Act Claiming Compensation. [online]. Available at: http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/claiming_compensation.pdf [accessed 12 March 2013]
Information Commissioner’s Office, 2013. Electronic Mail (Regulations 22 and 23). [online]. Available at: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/electronic_mail.aspx [accessed 10 March 2013]
Information Commissioner’s Office, 2013. Privacy and Electronic Communications Regulations. [online]. Available at: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications.aspx [accessed 3 March 2013]
Information Commissioner’s Office, 2013. Sensitive details of NHS staff published by Trust in Devon. [online]. Available at: http://www.ico.gov.uk/news/latest_news/2012/sensitive-details-of-nhs-staff-published-by-devon-trust-06082012.aspx
Information Commissioner’s Office, 2013. Viral Marketing. [online]. Available at: http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/viral_marketing.aspx [accessed 3 March 2013]
Oremus, W., 2012. Unprotected Sects. [online]. Available at: http://www.slate.com/articles/technology/technology/2012/05/malware_and_computer_viruses_they_ve_left_porn_sites_for_religious_sites_.html [accessed 12 March 2013]
Norton, 2013. Phishing. [online]. Available at: http://uk.norton.com/security_response/phishing.jsp [accessed 10 March 2013]
PayPal, 2013. Security. [online]. Available at: https://www.paypal.com/uk/webapps/mpp/paypal-safety-and-security [accessed 10 March 2013]
Perlroth, N., 2012. Six big banks targeted in online attacks. [online]. Available at: http://www.bostonglobe.com/business/2012/09/30/banks-hits-wave-computer-attacks-group-claiming-middle-east-ties/gsE6W3V57nBAYrko1ag8rN/story.html [accessed 10 March 2013]
Seltzer, L., 2010. ‘I Love You’ virus turns ten: what have we learned? [online]. Available at: http://www.pcmag.com/article2/0,2817,2363172,00.asp [accessed 28 February 2013]
Symantec, 2012. Internet Security Threat Report 2011. [online]. Available at: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf [accessed 12 March 2013]
Teixera, R., 2007. Top five small business internet security threats. [online]. Available at: http://smallbiztrends.com/2007/06/top-five-small-business-internet-security-threats.html [accessed 3 March 2013]
Watson Hall, 2013. Top 10 Website Security Issues. [online]. Available at: https://www.watsonhall.com/resources/downloads/top10-website-security-issues.pdf [accessed 28 February 2013]