As a webshop owner, it's important to recognise that the buck stops with you. If your site is hacked and your customers' data is stolen, your customers won't be complaining to your hosting service provider or your software supplier. They'll be complaining to you. And possibly seeking compensation from you. You are also likely to find yourself in trouble with the authorities.
In practice, of course, many aspects of security (such as physical access to the data centre where your server is installed) are not under your direct control. You have to leave such things to service providers, such as your hosting firm. Each of those service providers has a responsibility for data security. However, in the eyes of the law, you are the 'data controller': the one with overall responsibility for the security chain.
Like any chain, the security chain is as strong as its weakest link. So making sure that your chain is strong means thinking about each individual link – software supplier, payment provider, hoster, etc. Your responsibilities aren't limited to what happens within your own organisation. You have a duty to select service providers who together form a strong chain.
You also have a responsibility to put a data processing agreement in place with every supplier that processes personal data about your customers on your behalf (the 'data processor'), such as your hoster, payment provider or e-mail marketing service. The agreement spells out which of you is responsible for doing what to protect your customers' privacy. For more information, see the articles on laws and regulations and the new EU privacy rules.
Different providers offer different service packages. Some operate on a turnkey basis, while others offer bare-bones server capacity hire and leave the configuration and maintenance to you. It's therefore vital that you understand exactly what a prospective service provider is offering, and what is left to you. Give the sales team a call and ask specifically about TLS certificates for the site, malware scanning, and who patches the server software and the webshop software, and how quickly after a fix is released. Read the contract carefully and make sure you have the expertise in house to handle anything that's not included. See the article on security standards for more info about what needs to be covered.
Regardless of what you agree with your service provider, some things will always be up to you. For example:
- Data encryption: sensitive data that is potentially accessible via the web, such as addresses, phone numbers and account details, should always be stored encrypted. Then, if the site does get hacked and the database is copied, the stolen records remain unreadable. This only holds if the encryption key is kept somewhere the attacker does not also reach: a key stored in the same database, or in a configuration file on the same web server, is stolen along with the data. Your webshop software may include encryption functionality, or your website builder may provide it as an add-on; ask where the key lives.
- Local physical security: if you have site admin log-in details or backup files stored on a desktop or laptop PC, you need to minimise the risk of loss or theft. Who has access to the room? Can the machine be taken away, left in an insecure place or connected to an insecure network? Can important files be copied to or from removable media, e.g. a USB stick? If so, you may have to prevent or restrict the use of such media. It's also important to make sure that loss or theft of a laptop doesn't spell disaster. Password-protect all user accounts, turn on full-disk encryption and encrypt sensitive files and backups, and make sure you know what data is recorded and processed on which machines.
- Local system security: who can access critical applications and systems within your organisation, such as your content management system, your database software and your file transfer (FTP or SFTP) software? Make sure access rights are limited to the people who need them, use a separate account per person so that access can be revoked when someone leaves, and prefer SFTP over plain FTP, which sends passwords and files across the network unencrypted.
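To make the encryption point concrete: the following is an added example, written for this article rather than taken from any webshop product, of how a webshop's own code can encrypt a single sensitive field before it is written to the database. It uses AES-256-GCM from Go's standard library. The key is generated in memory here purely for the demonstration; in a real deployment it would come from a secrets store or an environment variable set outside the web root, never from the database or the site's config file. The customer record, the column name `customer:1042:phone` used as context, and the function names are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// newKey returns a fresh 32-byte AES-256 key. Demonstration only: a real
// shop loads the key from a secrets store, not from the database or the
// same config file an attacker who owns the web server can read.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// encryptField seals one sensitive value with AES-256-GCM and returns
// base64(nonce || ciphertext || tag), which fits in an ordinary text column.
// context (e.g. "customer:<id>:<column>") is bound in as additional data, so a
// ciphertext copied into another customer's row is rejected on decryption.
func encryptField(key []byte, context, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(context))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptField reverses encryptField. It fails if the key is wrong, the
// context does not match, or a single byte of the stored value was altered.
func decryptField(key []byte, context, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored value too short to be a ciphertext")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(context))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong context or tampered data")
	}
	return string(pt), nil
}

func main() {
	key, _ := newKey()
	// Constructed sample: one customer's phone number, as it would be stored.
	stored, _ := encryptField(key, "customer:1042:phone", "+31 6 12345678")
	fmt.Println("stored in database:", stored)

	pt, _ := decryptField(key, "customer:1042:phone", stored)
	fmt.Println("read back by the shop:", pt)

	// An attacker with only a database dump has the ciphertext but not the key.
	otherKey, _ := newKey()
	if _, err := decryptField(otherKey, "customer:1042:phone", stored); err != nil {
		fmt.Println("dump without key:", err)
	}
	// Moving the ciphertext to another customer's row is detected too.
	if _, err := decryptField(key, "customer:2000:phone", stored); err != nil {
		fmt.Println("ciphertext moved to another row:", err)
	}
}
```

The point to check with whichever software or add-on you use is the same as in this example: a copy of the database alone must not be enough to read the data, which means the key has to live somewhere the web server's own files do not.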