Alessandro Isolani plays with fire every day. His San Francisco-based ebates.com Inc., the shopping community he co-founded in 1999, now has 2.5 million members purchasing products from more than 500 e-merchants referred through its site. Protecting the security of those customers is one of Isolani's most important jobs. "If you blow it on security," the 33-year-old explains, "your company is dead."
Indeed, security issues dog all e-businesses. Merchants need to protect shoppers' user information. Companies must also make sure people shopping with them aren't ripping them off. Entrepreneurs must not only protect proprietary information, but also keep out hackers and minimize denial-of-service attacks, which seek to shut sites down so legitimate customers can't use them.
Isolani, a former county prosecutor specializing in computer crime, addresses security in four main ways. Take his advice:
1. Require any merchant seeking referrals to use the Secure Sockets Layer (SSL) protocol to safely transmit confidential data, such as credit card numbers. SSL uses public-key cryptography to negotiate a session key, and that session key encrypts the data while it is in transit.
2. Don't store any credit card data on your site.
3. Require members to pick unique user names and passwords.
4. Finally, keep all user transaction records offline, completely isolated from the Internet.
Isolani feels secure enough to promise to reimburse shoppers for any loss if their credit card information is swiped as a result of an ebates.com referral. But, despite efforts by e-biz start-ups like Isolani's, there is a lot more trouble to come from poor e-commerce security, according to Elad Yoran, executive vice president and co-founder of RIPTech Inc., an e-commerce security firm in Alexandria, Virginia.
Not all online businesses have the same exposure, of course. But there are good, general-purpose solutions. If you are transmitting credit card data, for instance, SSL is a reliable and popular technology.
For most sites, authenticating users through usernames and passwords is an adequate fraud-prevention tool. Names and passwords should be encrypted in transit (over SSL, for instance) so that they can't be intercepted when sent. If a site is unusually sensitive, the business can assign randomly generated passwords to users rather than letting them pick their own, which are often easily guessed. Even better security can be provided by authenticating users with the help of smart cards, tamper-resistant devices programmed to hold the user's credentials and encryption keys.
E-businesses must also protect data such as passwords and usernames from being stolen off their servers. Server security is related to the number of features your site has and to whether you share your server with other e-businesses, says Ed Jenny, an IBM executive in Atlanta with the company's small-business e-commerce division.
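The two pieces of advice above, issuing random passwords instead of easily guessed ones and keeping stored credentials from being useful to whoever steals them off the server, as an added Python example. This is not code from the article, ebates.com or IBM; it assumes PBKDF2-HMAC-SHA256 with a per-user random salt as the storage scheme, and the list of common passwords is a constructed sample for illustration.

```python
import hashlib
import hmac
import os
import secrets
import string

# Assumptions, not from the article: PBKDF2-HMAC-SHA256, 100,000 iterations,
# a 16-byte random salt per user, and a plain dict as the stored record.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed sample of commonly guessed passwords (illustration only).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG (the 'assign randomly generated
    passwords' option); guarantees a lowercase, an uppercase and a digit."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def is_easily_guessed(password: str, username: str) -> bool:
    """Reject short, common, or username-derived passwords when users pick their own."""
    lowered = password.lower()
    return (len(password) < 8
            or lowered in COMMON_PASSWORDS
            or username.lower() in lowered)


def make_record(username: str, password: str) -> dict:
    """Store only a random salt and the PBKDF2 hash; the password itself is never
    written, so a copy of the user table does not yield working credentials."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return {
        "username": username,
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    issued = generate_password()
    rec = make_record("shopper42", issued)
    print("issued password:", issued)
    print("stored record:", rec)          # contains salt and hash, no password
    print("login with issued password:", verify(rec, issued))
    print("login with wrong password:", verify(rec, issued.lower()))
    print("'password' easily guessed:", is_easily_guessed("password", "shopper42"))
```

Two records for the same password will have different hashes because each gets its own salt, so an attacker who copies the table cannot recognise shared passwords or use one precomputed table against every user.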
Generally, the more features a site offers, the harder it is to secure. Putting a database online, providing telnet services and even allowing your developer to upload pages without authenticating can all ease hackers' work. Shared servers, adds Jenny, are less secure than dedicated ones.
You can spend a chunk of change on security. Firewalls (devices that block hackers) can cost $100,000 or more. RIPTech's security detection and analysis service starts at $2,000 a month. However, some hosting services include reasonable levels of security with budget-hosting packages that cost less than $50 a month.
Many have intriguing extras. IBM usually includes scanning by "ethical hackers," security experts who test sites by probing with simulated attacks. But security is never perfect. In the first place, security experts say most breaches are still nontechnical, involving physical break-ins or corrupt employees. And if you seek perfect technical security, requiring users to remember randomly generated passwords and stripping a site of all features that compromise security, you may bore people or turn them off. Finally, at present, there is no good technical solution to denial-of-service attacks.
The good news is, start-ups, by definition, are better at dealing with these issues. "A start-up is in the unique position of starting from scratch," says Isolani. "And it really makes it easier if you have this stuff in mind when you're designing your site."
To learn the latest on e-business security issues, check out the Web site for the Computer Security Institute, the world's leading organization for computer and network security professionals.
Mark Henricks, author of Business Plans Made Easy (Entrepreneur Media Inc., $19.95, www.entrepreneur.com) and Mastering Home Networking (Sybex Inc., $29.99, www.sybex.com), writes on business and technology issues.
IBM, (888) IBM-5800, www.ibm.com/smallbusiness
RIPTech, (703) 916-8886, www.riptech.com