It’s no surprise security is the dominant topic in technology when the average cost of a compromised record is $195. Common questions are:
- How is information being protected?
- What safety measures are in place to stop attacks or notify someone if one occurs?
Even the most sophisticated systems are susceptible, which is why it’s critical to follow safety measures both in the development of a database and in its long-term management. Spindustry has spent almost two decades monitoring industry security standards and developing our own security measures, and will now share the five key tactics for building and managing secure databases.
1. Identify industry regulations that affect data.
If the data must meet PII, PHI, HIPAA or PCI compliance standards, then the structure of the website and database has to be set up differently than for a typical website. Different levels of security within each of those standards may require a different approach to development. Some data may need to be secured in transmission (HTTPS), while stored in the database (encrypted at “rest”) or even in memory. The data may need intrusion protection systems, intrusion detection systems, multiple firewalls, multiple encryption philosophies, application servers, monthly security scans or yearly third-party certifications.
2. Establish internal requirements.
After satisfying any industry compliance standards, what requirements does the company have for the website and database? While having all of the data secure is good, the additional costs and time may not be necessary. For example, does the ‘News’ section of the website need the same level of security as the order form? For most businesses, the answer is no; however, there are organizations where news articles may be proprietary.
3. Configure a secure server environment.
The typical server configuration at Spindustry consists of a web server and a separate database server. While many other development shops host the web and database servers on the same machine, Spindustry separates them so that the database server is shielded from the web server. The database is therefore never directly “accessible” from the public Internet, which makes the data more secure.
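The separation above only holds if the database listens on a private interface and accepts connections solely from the web tier. The following added example (not Spindustry's code) audits that for a PostgreSQL server by reading a postgresql.conf and a pg_hba.conf; the file contents are constructed samples and the web-tier subnet is an assumed value.

```python
"""Check that a PostgreSQL server is reachable only from the web tier (added example)."""
import ipaddress
import re

# Constructed sample: listens on every interface and admits the whole Internet.
SAMPLE_POSTGRESQL_CONF = """
listen_addresses = '*'
port = 5432
"""

SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  peer
host    all       all   127.0.0.1/32   scram-sha-256
host    orders    web   10.0.1.5/32    scram-sha-256
host    all       all   0.0.0.0/0      md5
"""

def listen_addresses(conf: str) -> list[str]:
    """Return the listen_addresses entries, or ['localhost'] (PostgreSQL's default)."""
    m = re.search(r"^\s*listen_addresses\s*=\s*'([^']*)'", conf, re.MULTILINE)
    return [a.strip() for a in m.group(1).split(",")] if m else ["localhost"]

def audit(conf: str, hba: str, web_tier: str) -> list[str]:
    """Return findings; an empty list means only the web tier can reach the database."""
    findings = []
    if any(a in ("*", "0.0.0.0", "::") for a in listen_addresses(conf)):
        findings.append("listen_addresses binds every interface; bind the private NIC only")
    allowed = ipaddress.ip_network(web_tier)          # assumed web-tier subnet
    for raw in hba.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if not fields or fields[0] == "local" or len(fields) < 5:
            continue                                  # unix-socket rules are not network-reachable
        addr, method = fields[3], fields[4]
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:                            # 'all', 'samenet', hostnames, etc.
            findings.append(f"rule '{line}' uses non-CIDR address '{addr}'; review manually")
            continue
        if net.is_loopback:
            continue
        if method == "trust":
            findings.append(f"rule '{line}' requires no authentication")
        if net.version != allowed.version or not net.subnet_of(allowed):
            findings.append(f"rule '{line}' admits hosts outside the web tier {web_tier}")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_POSTGRESQL_CONF, SAMPLE_PG_HBA, "10.0.1.0/24"):
        print("FINDING:", f)
```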
4. Determine if the site should run under SSL.
Many professionals are already aware that Google is working to make the Internet more secure. It has indicated that sites served securely (over HTTPS) are more credible, and that this credibility will eventually influence search engine rankings. Because running SSL gives visitors a better level of security than a non-SSL site, Google presumes that a company running its site securely understands the importance of security and will rank the website higher in search results.
5. Evaluate the information you’re capturing.
The Internet has facilitated both the faster transfer of information and the increased risk of possible data breaches. But it can’t eliminate all face-to-face communication. Which pieces of information are truly essential to capture online compared to what can be discussed in person? Does every form really need a user SSN?
So why aren’t all servers set up at the highest level of security?
There are many instances where the highest level of security isn’t needed. The added costs – hard costs, resource time and increased hosting fees – don’t outweigh the benefits. Also, there are instances where the highest level of security measures would interfere with functions a company needs for non-secure data.
What’s the risk of a data breach?
As referenced above, the average cost per compromised record is $195. This includes notifications, yearly checks of those affected, breach investigations and more. This does not account for the loss of trust from customers, yearly audits for maintaining security, or fines.