02 July 2010

Insurance

Posts relating to the category tag "insurance" are listed below.

02 July 2010

Web Site Security Basics for SMEs

Sometimes when I'm out socially and people ask what I do, the conversation progresses to concerns about their own web site. They may have a hobby site, run a micro-business or be a manager or director of a small and medium-sized enterprise (SME)—there's all sorts of great entrepreneurial activity going on.

It is very common for SMEs not to have much time or budget for information security, and the available information can be poor or inappropriate (ISSA-UK, under the guidance of their Director of Research David Lacey, is trying to improve this). But what can SMEs do about their web presence? It is very unusual not to have a web site, whatever the size of business.

Photograph of a waste skip at the side of St John Street in Clerkenwell, London, UK, with the company's website address written boldly across it

Last week I was asked "Is using <company> okay for taking online payments?" and then "what else should I be doing?". Remember we are discussing protection of the SME's own web site, not protecting its employees from using other sites. If I had no information about the business or any existing web security issues, this is what I recommend checking and doing before anything else:

  • Obtain regular backup copies of all data that changes (e.g. databases, logs, uploaded files) and store these securely somewhere other than the host servers. This may typically be daily, but the frequency should be selected based on how often data changes and how much data the SME might be prepared to lose in the event of total server failure.
    • check periodically that backup data can be read and restored
    • don't forget to securely delete data from old backups when they are no longer required
  • Use a network firewall in front of the web site to limit public (unauthenticated user) access to those ports necessary to access the web site. If other services are required remotely, use the firewall to limit from where (e.g. IP addresses) these can be used.
    • keep a record of the firewall configuration up-to-date
    • limit who can make changes to the firewall
  • Ensure the host servers are fully patched (e.g. operating system, services, applications and supporting code), check all providers for software updates regularly and allow time for installing these.
    • remove or disable all unnecessary services and other software
    • delete old, unused and backup files from the host servers
  • Identify all accounts (log in credentials) that provide server access (not just normal web page access), such as used for transferring files, accessing administrative interfaces (e.g. CMS admin, database and server management/configuration control panels) and using remote desktop. Change the passwords. Keep a record of who has access and remove accounts that are no longer required and enable logging for all access using these accounts.
    • restrict what each account can do as much as possible
    • add restrictions to the use of these accounts (e.g. limit access by IP address, require written approval for use, keep account disabled by default)
  • Check that every agreement with third parties that is required to operate the web site is in the organisation's own name. These may include the registration of domain names, SSL certificates, hosting contracts, monitoring services, data feeds, affiliate marketing agreements and service providers such as for address look-up, credit checks and making online payments.
    • ensure the third parties have the organisation's official contact details, and not those of an employee or of the site's developers
    • make note of any renewal dates
  • Obtain a copy of everything required for the web site including scripts, static files, configuration settings, source code, account details and encryption keys. Keep this updated with changes as they are made.
    • verify who legally owns the source code, designs, database, photographs, etc.
    • check what other licences affect the web site (e.g. use of open source and proprietary software libraries, database use limitations).
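The first item above (backups that are actually readable and restorable) is the one most often done badly: a copy is taken but nobody tests it. The following script is an added example, not code from the original post. It archives a directory into a gzipped tar, records a SHA-256 manifest beside it, and then proves the backup by restoring it into a scratch directory and comparing every file's hash. The site directory, file names and contents are constructed for the demonstration.

```python
"""Back up a directory into a tar.gz with a SHA-256 manifest, then prove the
backup is usable by restoring it into a scratch directory and comparing every
file's hash. Added example, not from the original post; the site contents
and paths are constructed."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every regular file below root."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_path_for(archive: Path) -> Path:
    return Path(str(archive) + ".sha256.json")


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write source as a gzipped tar plus a manifest file beside the archive.
    Copy both off the host afterwards; the manifest is what lets you detect a
    silently corrupted or incomplete copy later."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest_path_for(archive).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify_backup(archive: Path) -> List[str]:
    """Restore into a temporary directory and compare against the manifest.
    Returns a list of problems; an empty list means the restore test passed."""
    expected = json.loads(manifest_path_for(archive).read_text())
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as tmp:
        restore_root = Path(tmp)
        with tarfile.open(archive, "r:gz") as tar:
            # Refuse entries that would write outside the restore directory.
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    return [f"unsafe path in archive: {member.name}"]
            tar.extractall(restore_root)
        actual = build_manifest(restore_root)
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"content mismatch after restore: {rel}")
    problems.extend(f"file not in manifest: {rel}" for rel in actual if rel not in expected)
    return problems


def run_demo(corrupt: bool = False) -> List[str]:
    """Build a small constructed site, back it up and run the restore test.
    With corrupt=True the manifest is edited afterwards to simulate a backup
    whose restored content no longer matches what was recorded."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "uploads").mkdir(parents=True)
        (site / "config.php").write_text("<?php $db_name = 'shop'; ?>\n")  # constructed content
        (site / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed bytes")
        archive = Path(tmp) / "site-backup.tar.gz"
        create_backup(site, archive)
        if corrupt:
            manifest = json.loads(manifest_path_for(archive).read_text())
            manifest["config.php"] = "0" * 64
            manifest_path_for(archive).write_text(json.dumps(manifest))
        return verify_backup(archive)


if __name__ == "__main__":
    print("clean backup problems:", run_demo() or "none")
    print("tampered manifest problems:", run_demo(corrupt=True))
```

Run `verify_backup` on a schedule against the copy stored off the host, not against the archive still sitting on the web server; a backup that has never been restored is only a hope.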

Do what you can, when you can. Once those are done, then:

  • Verify that the web site and all its components (e.g. web widgets and other third party code/content) do not include common web application vulnerabilities that can be exploited by attackers (e.g. SQL injection, cross-site scripting).
  • Check what obligations the organisation is under to protect business and other people's data such as the Data Protection Act, guidance from regulators, trade organisation rules, agreements with customers and other contracts (e.g. PCI DSS via the acquiring bank).
    • impose security standards and obligations on suppliers and partner organisations
    • keep an eye open for changes to business processes that affect data
  • Document (even just some short notes) the steps to rebuild the web site somewhere else, and to transfer all the data and business processes to the new site.
    • include configuration details and information about third-party services required
    • think about what else will need to be done if the web site is unavailable (does it matter, if so what exactly is important?)
  • Provide information to the web site's users on how to help protect themselves and their data.
    • point them to relevant help such as from GetSafeOnline, CardWatch and Think U Know
    • provide easy methods for them to contact the organisation if they think there is a security or privacy problem
  • Monitor web site usage behaviour (e.g. click-through rate, session duration, shopping cart abandonment rate, conversion rate), performance (e.g. uptime, response times) and reputation (e.g. malware, phishing, suspicious applications, malicious links) to gather trend data and identify unusual activity.
    • web server logs are a start, but customised logging is better
    • use reputable online tools (some of which are free) to help.
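The last item says web server logs are a start. As an added example (not code from the original post), the script below reads access log lines in the common "combined" format used by Apache and nginx and flags the kind of unusual activity the post has in mind: a client whose requests are mostly errors, a client touching several administrative or sensitive paths, bursts of requests within one minute, and paths producing server errors. The log lines, IP addresses, path list and thresholds are all constructed; tune the thresholds to the trend data from your own site.

```python
"""Scan web server access logs ('combined' format) for unusual activity.
Added example, not from the original post; the sample log, the list of
sensitive path prefixes and the thresholds are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample: two ordinary visitors and one client probing for admin pages.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jul/2010:10:00:01 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jul/2010:10:00:03 +0100] "GET /products HTTP/1.1" 200 8801 "http://www.example.org/" "Mozilla/5.0"
203.0.113.5 - - [01/Jul/2010:10:00:09 +0100] "POST /basket HTTP/1.1" 302 0 "http://www.example.org/products" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2010:10:00:10 +0100] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jul/2010:10:01:00 +0100] "GET /admin HTTP/1.1" 404 210 "-" "-"
192.0.2.44 - - [01/Jul/2010:10:01:00 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "-"
192.0.2.44 - - [01/Jul/2010:10:01:01 +0100] "GET /wp-login.php HTTP/1.1" 404 210 "-" "-"
192.0.2.44 - - [01/Jul/2010:10:01:01 +0100] "GET /cgi-bin/ HTTP/1.1" 403 190 "-" "-"
192.0.2.44 - - [01/Jul/2010:10:01:02 +0100] "GET /backup.zip HTTP/1.1" 404 210 "-" "-"
192.0.2.44 - - [01/Jul/2010:10:01:02 +0100] "GET /.git/config HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [01/Jul/2010:10:02:30 +0100] "GET /checkout HTTP/1.1" 500 512 "http://www.example.org/basket" "Mozilla/5.0"
"""

# Paths that ordinary visitors never request on this (constructed) site.
SENSITIVE_PREFIXES = ("/admin", "/phpmyadmin", "/wp-login", "/cgi-bin", "/.git", "/backup")


def parse_log(text: str) -> List[dict]:
    """Parse combined-format lines; malformed lines are skipped, never trusted."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(rec)
    return entries


def summarise_clients(entries: List[dict]) -> Dict[str, dict]:
    """Per-client totals: requests, 4xx/5xx responses, sensitive paths, requests per minute."""
    per_ip: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "errors": 0, "sensitive": set(), "per_minute": Counter()}
    )
    for e in entries:
        s = per_ip[e["ip"]]
        s["requests"] += 1
        if e["status"] >= 400:
            s["errors"] += 1
        if e["path"].startswith(SENSITIVE_PREFIXES):
            s["sensitive"].add(e["path"])
        s["per_minute"][e["time"].replace(second=0)] += 1
    return per_ip


def flag_unusual(entries: List[dict], error_ratio: float = 0.5, min_requests: int = 5,
                 sensitive_paths: int = 3, burst_per_minute: int = 5) -> Dict[str, List[str]]:
    """Return {client ip: [reasons]} for clients whose behaviour crosses a threshold.
    The thresholds are constructed defaults; derive real ones from your own baseline."""
    findings: Dict[str, List[str]] = {}
    for ip, s in summarise_clients(entries).items():
        reasons = []
        if s["requests"] >= min_requests and s["errors"] / s["requests"] >= error_ratio:
            reasons.append(f"{s['errors']} of {s['requests']} requests returned 4xx/5xx")
        if len(s["sensitive"]) >= sensitive_paths:
            reasons.append(f"requested {len(s['sensitive'])} distinct sensitive paths")
        peak = max(s["per_minute"].values())
        if peak > burst_per_minute:
            reasons.append(f"burst of {peak} requests within one minute")
        if reasons:
            findings[ip] = reasons
    return findings


def server_errors(entries: List[dict]) -> Dict[str, int]:
    """Paths that produced 5xx responses: a performance signal, not just a security one."""
    return dict(Counter(e["path"] for e in entries if 500 <= e["status"] < 600))


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for ip, reasons in flag_unusual(parsed).items():
        print(ip, "->", "; ".join(reasons))
    print("server errors by path:", server_errors(parsed))
```

Running this daily over the previous day's log and keeping the per-client and per-path counts gives the trend data the post asks for; a client that appears in `flag_unusual` on a quiet day, or a path that starts producing 5xx responses, is worth a look even if nothing is obviously broken.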

That's just the basics. So, what would be next for an SME? If the web site is a significant sales/engagement channel, the organisation has multiple web sites, is in a more regulated sector or one that is targeted particularly by criminals (e.g. gaming, betting and financial), takes payments or does other electronic commerce, allows users to add their own content or processes data for someone else, the above is just the start. Those SMEs probably need to be more proactive.

This helps to protect the SME's business information, but also helps to protect the web site users and their information. After all, the users are existing and potential customers, clients and citizens.

Oh, the best response I had to someone when I was explaining my work: "You're an anti-hacker then?". Well, I suppose so, but it's not quite how I'd describe it.

Any comments or suggestions?

Posted on: 02 July 2010 at 08:18 hrs


05 June 2009

E-Commerce and Insurance - The Definitive Guide

On Tuesday I attended an e-commerce insurance book launch by the Insurance Institute of London in the Old Library at Lloyd's of London.

Partial image of the cover from 'Insurance Aspects of E-Commerce' by the Research Study Group 256 of the Insurance Institute of London showing part of the cover photo - a single key labelled 'help' above the keyboard hanging on its spring

Insurance Aspects of E-Commerce was drafted by members of the Insurance Institute of London (IIL) Research Study Group 256. It's worth pointing out that "e-commerce" here refers to doing business electronically, rather than the narrower concept of online payments i.e. payment by debit and credit cards. The publication has chapters about:

  • the effect of IT on the London insurance markets
  • brokers' views on e-risks and e-trading initiatives
  • security of e-commerce
  • experience in underwriting e-risk insurance
  • online third party risks
  • first party risks
  • regulation of online insurance
  • the effects of the Electronic Commerce (EC Directive) Regulations 2002
  • review of the current London (i.e. UK) market.

So it not only explores the issues and challenges to underwriters of e-commerce insurance (sometimes also referred to as cyber liability, internet liability insurance, online insurance or e-trading insurance), but also the effect of IT on insurance (e.g. streamlining, standardisation and e-trading), the regulatory background, issues of e-trading for insurers and a thorough, yet jargon-free, explanation of the information security issues. The latter correctly highlights that e-commerce security is not just related to technology—it's a combination of technology, people and culture.

The e-risk factors for businesses seeking e-commerce insurance are described and include the organisation's activities, locations, turnover, number of staff and the scale of its online activities such as direct revenue and traffic (e.g. web site visitors numbers). Increasingly the organisation's risk management framework and disaster recovery plans are a consideration in whether insurance can be obtained and what the premium is.

The publication is worth reading by anyone responsible for a transactional web site—regardless if they are seeking any form of cyber insurance—they have ownership, marketing, compliance, governance or information system responsibilities. Perhaps only the 25 pages of Chapter 7 concerning regulation of online insurance would not be of interest to non-insurance readers.

The 170-page A5 book is available from the IIL for £59+postage, with a discount for IIL and Chartered Insurance Institute (CII) members. ISBN 978-0-900493-88-1.

Posted on: 05 June 2009 at 08:45 hrs


02 June 2009

Are We Approaching the Age of Software Liability?

The European Commission has been discussing whether software developers, and companies providing digital services, should be liable if things go wrong for consumers.

The articles Is Software Liability Part of the [Security] Solution? and EC Wants Software Makers Held Liable for Code discuss the concept of extending the current physical product liability laws to software and digital services. There is certainly a strong consumer protection ethos in the EU which doesn't necessarily exist in other parts of the world. Will we be seeing software product recalls and consumer software litigation sometime soon?

Photograph of a UK shop window with two food product recall notices and an incorrect labelling notice posted

Will this affect online web applications aimed at the consumer market? If this idea becomes reality, then it would probably apply to all types of software regardless of whether it's only accessed on a desktop or over the internet. So web sites would be affected.

Of course, liability for software already exists. Many contracts place requirements on software and software service providers, but this is mainly within the commercial sector. The issue of low-cost, or free, software and services, or software that has been developed as a community project would have to be considered in any legislation. I'm sure we've all heard about cake stalls being banned due to lack of insurance. Let's hope reasonableness prevails and we don't kill off our creative industries.

Have you discussed this with your MEP? Have your say in the European elections on Thursday!

Posted on: 02 June 2009 at 07:48 hrs


30 January 2009

Cyber Liability Insurance

Nowadays many organisations' main assets are their information and networks rather than physical things like office buildings. Also, the protection of the privacy of employees, customers and the public is a growing issue.

At a talk organised by the Insurance Institute of London, Emily Freeman of insurance brokers Lockton explained why conventional insurance policies such as general commercial liability, professional indemnity, errors and omissions (E&O) liability, criminal damage, privacy and property protection are very unlikely to cover the effects of information damage or loss. If you want insurance to offer worldwide protection against damage and consequential losses, possibly with the involvement of insiders, you need an explicit policy—typically called cyber liability insurance.

Not all cyber liability insurance products are the same and the package should be discussed with your existing broker or one that specialises in cyber insurance. The aspects to consider are:

  • data network availability and damage
  • loss or damage to sensitive data
  • internet defamation, copyright and trademark infringement
  • data breach notification and crisis management
  • regulatory investigations, fines and penalties.

Apparently there is now a trend in litigation moving on from omissions and correctness, to "is it doing it securely?".

Chart containing a pyramid with 'Did we receive it?' at the base, 'Does it work?' above and 'Is it safe?' at the top, and an upward pointing arrow with the label 'We are heading this way'

Something, then, to be considered more in web application specifications and acceptance testing.

Web site operators (especially those that collect personally identifiable information, rely on the web site for critical business processes, operate in a more highly regulated environment, or who allow users to contribute content) should investigate the risks and possible benefits of cyber liability insurance. No web-enabled system can be completely secure, but you'll need to demonstrate that you are applying and monitoring security best practices—otherwise you might not be able to transfer any risk at all to an insurer.

The recent data breach at Heartland Payment Systems in the United States reminds us that compliance is not security. It seems the data was copied using a technique requiring a high level of system access. Take care!

Posted on: 30 January 2009 at 08:34 hrs


Insurance : Web Security, Usability and Design
http://www.clerkendweller.com/insurance


Please read our terms of use and obtain professional advice before undertaking any actions based on the opinions, suggestions and generic guidance presented here. Your organisation's situation will be unique and all practices and controls need to be assessed with consideration of your own business context.

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2010 clerkendweller.com