Data privacy and protection have quickly become one of the fastest-growing practice areas in the world. Although the field has always drawn serious investment from organizations, end users are now more educated than ever on the subject. Data privacy has become evergreen content on your newsfeed of choice. You’ve seen the documentaries on Netflix and read the debriefs from the lawsuits brought against big businesses out in Silicon Valley for violating data protection policies. But how does this affect you and your organization? Are you safe on your $20 WordPress theme? The quick answer is that you probably are, but there are three concepts you can keep in the back of your mind when testing your site that will help you stay ahead of the curve.
Protecting the Perimeter
When having these conversations with development teams, the emphasis is too often on protecting your web property from the inside out, leveraging your CMS’s core components/modules to lock down the data and all sensitive areas within it. Although you can’t put your hands on your website physically, it’s important to remember that the site does maintain a physical presence somewhere in the world. That location can change by the minute – heck, the physical location of the site could have changed while you were reading this article. To protect yourself from the outside in, make sure you pick a hosting/infrastructure partner you can trust. In extreme circumstances, consider partnering with a dedicated cybersecurity firm to monitor your web presence for threats and plug the holes proactively.
For example, a common server hiccup could cause a server error message to appear when a user navigates to your site’s domain, and that message might say something that looks harmless to you, like “[alphanumerical numbers/words/etc.] Apache 2.2.12212”. Although this may seem like nothing more than a reason to send a frustrated email to your infrastructure team, a seasoned professional who has this information can look up the published vulnerabilities for that exact version of Apache and use them to attack your system at the server level, leaving your digital property exposed.
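The version-banner problem above is easy to check for as part of routine QA. The following is an added example, not code from the original post: it scans an HTTP response’s `Server` and `X-Powered-By` headers, plus the body of any error page, for product/version tokens such as `Apache/2.2.12212`, and reports what the server is disclosing. The two sample responses are constructed for the example (the version numbers are not real releases), one showing a chatty server and one showing the same server after hardening. The remediation string quotes the real Apache httpd directives `ServerTokens Prod` and `ServerSignature Off`, which suppress the version in the header and in the default error-page footer respectively.

```python
import re

# Constructed sample responses (not captured from any real server).
# The first leaks full component versions in both the header and the error page;
# the second is what the same server returns with the banner hardened.
SAMPLE_RESPONSES = [
    {
        "status": 500,
        "headers": {"Server": "Apache/2.2.12212 (Unix) OpenSSL/1.0.1e PHP/5.3.3"},
        "body": "<h1>Internal Server Error</h1>"
                "<address>Apache/2.2.12212 (Unix) Server at example.invalid Port 80</address>",
    },
    {
        "status": 500,
        "headers": {"Server": "Apache"},
        "body": "<h1>Internal Server Error</h1>",
    },
]

# Headers that commonly carry "Product/Version" strings.
BANNER_HEADERS = ("Server", "X-Powered-By")

# Matches tokens like "Apache/2.4.1", "PHP/5.3.3", "OpenSSL/1.0.1e":
# a product name, a slash, then a dotted version with an optional suffix.
VERSION_TOKEN = re.compile(r"\b([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+[\w-]*)")

# Apache httpd directives that stop the version from being advertised.
APACHE_HARDENING = "ServerTokens Prod\nServerSignature Off"


def find_version_disclosures(response):
    """Return sorted (product, version) pairs a response exposes.

    Headers are always inspected; the body is only inspected for error
    responses, because that is where default server error pages print
    their signature footer.
    """
    found = set()
    for name in BANNER_HEADERS:
        value = response["headers"].get(name)
        if value:
            found.update(VERSION_TOKEN.findall(value))
    if response["status"] >= 400:
        found.update(VERSION_TOKEN.findall(response["body"]))
    return sorted(found)


def audit(response):
    """Summarize a response: what leaked, and what to change if anything did."""
    leaks = find_version_disclosures(response)
    return {
        "leaks": leaks,
        "hardened": not leaks,
        "recommendation": None if not leaks else APACHE_HARDENING,
    }


if __name__ == "__main__":
    for i, resp in enumerate(SAMPLE_RESPONSES):
        report = audit(resp)
        print(f"response {i}: hardened={report['hardened']} leaks={report['leaks']}")
        if report["recommendation"]:
            print("  apply:\n   ", report["recommendation"].replace("\n", "\n    "))
```

In practice you would feed `audit` the headers and body from a real request against your own site (for example with `urllib.request`, including a deliberately broken URL to trigger an error page), and treat any non-empty `leaks` list as a ticket for the infrastructure team. Hiding the banner is not a substitute for patching, but it removes the free lookup the paragraph above describes.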
Privacy Policy, Terms of Use, and the Implementation to Back it Up
Transparency is an essential component in the core pillars of security, and frankly, the name of the game when it comes to establishing trust with your userbase out of the gate. All organizations, big and small, are held to the same national and international (if applicable) standards and codes of conduct as every other web property. These rules should be clearly communicated in the policy statements on your site and vetted by legal counsel to ensure you’re not missing any critical pieces of the puzzle.
Your first step in QA testing your compliance should take you directly to your site’s Terms of Use and/or Privacy Policy. Run your tests against the policies outlined there to keep your organization honest about what you promise in those statements. I’m a big fan of fire drills – simulate a real-life scenario that might happen and have your teams respond accordingly. Cover everything from simple GDPR data requests, to site outages caused by security measures shutting the site down, to a successful phishing attack, and even more malicious events like DoS/DDoS, malware, etc. Once complete, have a debrief. Although specialization is important, it’s just as important to have group awareness of every step each team member must take during these scenarios to resolve the problem, so that you can workshop more efficient ways to handle things in the future.
Internal Compliance Policies & Officers
Last but certainly not least, once in compliance does not mean forever in compliance. To ensure security in the long term, establish an internal accountability team or dedicated compliance officer(s) responsible for your organization’s software/app/web security competency. Set regular benchmarks to report on biweekly or quarterly (frequency depending on the depth of sensitive data and integrations in your app/site), and establish standard operating procedures for all future development, data intake, and other typical user interactions, so that you are proactive about your security, not just reactive should an issue arise.