Is My Website and Customer Data Secure?

Is My Website and Customer Data Secure?

Everyone is hopefully reviewing their data security and privacy in line with GDPR requirements. But have you ever stopped and thought about what you are really doing to secure a customer's privacy? Have you considered who has access to the customer data in your website or other systems? 

Have You Just Given Lip Service to Protecting a Customer's Data?

Who has access to your customers data? First of all, your staff probably all have access to all your customer data via your cloud based CRM. This includes past staff, if you have not revoked their access. 

Group email systems often have long histories of data, with files attached too. Do you delete emails after 1 year, 2 years or 10 years?  

Hopefully all your staff are bound by NDA's (non-disclosure agreements) that persist after their employment termination. This will ensure they do not share any information about your customers or your business' data in the future.

All staff who have access to your cloud accounting systems, including Xero, also have access to the customer data, and any other financial history they are entitled to look at. Your bookkeeper, and accountant (and all their staff), also have access to your Xero account. You may find that possibly even your previous accountant, previous bookkeeper, ex-employees, and even your personal ex-partner who used to do your accounts for you has access.  

What About Access to Your Website?

Did you consider that any staff member whom you have given access to manage your website at some point, probably still has access, even if they no longer work for you?

Have you reviewed all the administrator logins for your website? You might find there are 3 staff members, 1 web designer, another web designer, that SEO expert from 3 years ago, and that other SEO expert from last year... If you don't revoke their access, that access remains. 

Typically with websites, you need really good support. This means that your hosting provider, and all their support staff, typically have administrative privileges to your website files, databases, website builder services, WordPress or other CMS. This typically means they also have access to your customer files. This sort of access is necessary to provide great support. What would you do if you rung for support, and the support person was unable to help, because they had no access to this back-end data?

Websites, CRMs and Accounting Systems etc, are all hosted on the cloud. This means that all those virtual servers and databases are potentially viewable by other system administrators you have not even considered. Businesses use a range of techniques to secure data such as encryption, but typically system logs remain unencrypted during their short lifespan and pose additional privacy risks. 

Your IT support company probably has access to your computers, so they can also login to anything you have kept sessions open on. 

And it gets worse. The staff of all the businesses listed, probably have some level of access to the private customer data. Have you considered that their spouses might also gain some level of access, such as when they borrow their partners smartphone or laptop to watch a Netflix episode?

There are many things that all these businesses can do to mitigate their risks, but typically the weakest link in the chain, is the business owner.

You should

  • Have clear policies in place for dealing with exiting employees, contractors and suppliers. 
  • Have NDA's in place for both employees, contractors and any other supplier too. 
  • Do a regular review of all your data systems, to check all the permissible logins, and also to consider if you have old data that is no longer relevant. 
  • Implement fine grained control over which users can do what in each system (permission control)

Most importantly, do not defer security of your passwords and customer data to third parties. The buck stops with you. It's your business and you are responsible for the team who you give permission to act for you. 

Tags: gdpr  data security  

Posted: Thursday 24 May 2018