Small and medium enterprises are owner-managed organizations that operate in a small and limited market segment. One such small business is a web-based music store that sells music and CDs/DVDs online. This online music seller needs security arrangements that meet certain criteria for the business to sustain itself and to protect the organization's prospects; the client side also needs security. The different aspects that are kept in mind when implementing information security are as follows:
- Integrity: the information shared from the customer's side is not altered, and the customer does not receive any different information.
- Non-repudiation: it ensures that an order was made by a real customer, so that the customer cannot deny the order later.
- Authenticity of the customer and of the organization is confirmed by information security.
- Confidentiality of information is maintained so that no unauthorized party can obtain it.
- Privacy of the personal data and organizational information transmitted is preserved.
- Availability of the online site is mandatory for good operational performance.
There are three levels of risk to consider in maintaining the online music-selling business.
The first level of threats arises on the client side, where the client might suffer from phishing, spoofing, and sniffing. But the major threat to a client is credit card fraud, which occurs occasionally in any online transaction. The client may also download bad applets, i.e. malicious Java code, and Trojan horses, worms or viruses may attack the client.
The second level of risk is the communication channel, through which information is transmitted from the client to the organization. The information that might be tampered with in the communication channel includes credit card details, personal information, and the information sent by the organization. Hacking and cyber vandalism are two major threats here. Tapping, sniffing, alteration of information, information theft and card fraud are the most likely threats in the communication channel.
The third level of risk is on the server side, where an intruder might tamper with the database using malicious code, and an online denial-of-service attack might prevent the organization from performing web-based business. Here the ISP server, the bank server or the merchant's server may be under threat.
From the merchant's side, cyber vandalism might destroy the website.
To protect all three levels of risk, the merchant has to adopt security practices that make the business fully secure, though the merchant has to keep in mind the financial constraints of the organization's capacity.
To protect the communication line and ensure secure transfer of information, public key encryption increases the integrity level of the information. Double encryption using a digital signature increases the assurance of authenticity and non-repudiation. Information in transit may be placed in a digital envelope to protect it from tapping. A digital certificate may be used to establish the authenticity of the information sold on the webpage.
A secure communication channel using SSL or HTTPS may be adopted by the merchant to protect against intrusion into the communication channel.
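The digital envelope with a digital signature described above, as an added example that is not part of the original text: the customer signs the order with their private key (authenticity and non-repudiation), the order and signature are encrypted under a one-time AES-256-GCM session key (confidentiality and integrity against tapping or alteration), and that key is wrapped with the merchant's RSA public key so only the merchant can open the envelope. The Envelope type, the function names and the order format are assumptions for this example.

```go
package main
import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Envelope is what crosses the channel: RSA-OAEP-wrapped AES key, GCM nonce, ciphertext of order||signature.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }
// Seal signs the order with the customer's private key (non-repudiation), then encrypts order||signature
// under a fresh AES-256-GCM session key that only the merchant's private key can unwrap.
func Seal(order []byte, customer *rsa.PrivateKey, merchant *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(order)
	sig, err := rsa.SignPSS(rand.Reader, customer, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	buf := make([]byte, 32+12) // 256-bit AES key followed by a 96-bit GCM nonce
	rand.Read(buf)             // crypto/rand never returns an error in Go 1.24+ (it aborts instead)
	key, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(key) // a 32-byte key is always accepted
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, merchant, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, append(append([]byte{}, order...), sig...), nil)}, nil
}
// Open unwraps the session key, decrypts (GCM rejects any alteration) and verifies the customer's signature.
func Open(env *Envelope, merchant *rsa.PrivateKey, customer *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, merchant, env.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("session key cannot be unwrapped with this merchant key")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	n := len(plain) - customer.Size() // a PSS signature is exactly modulus-sized
	if err != nil || n < 0 {
		return nil, errors.New("envelope was tampered with in transit")
	}
	digest := sha256.Sum256(plain[:n])
	if rsa.VerifyPSS(customer, crypto.SHA256, digest[:], plain[n:], nil) != nil {
		return nil, errors.New("order signature does not verify with the customer's key")
	}
	return plain[:n], nil
}
```

An altered ciphertext, an envelope addressed to another merchant key, or a signature that does not match the claimed customer's key are all refused by Open, which is what gives the merchant integrity, confidentiality and non-repudiation for each order.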
Another level of security should be applied on the server and database side. A strong firewall arrangement has to be implemented to block unauthorized access to the database. The database and the server can be attacked by denial of service by some hacker. This denial of service can be stopped by using SSL or a VPN, which create a secure channel of communication that cannot be tampered with. A time-out period for logon cookies should be maintained so that no other logon authentication can take place. If access to the server and database is open to everybody, then a hacker may change the content of the database with some malicious Java programming. When any user of the site downloads that content, the infected program enters the client's system and damages it. The server side may be secured by using a firewall, packet filtering, application gateways, and a proxy server. Authentication and access control mechanisms such as payment gateways make transactions more secure, and anti-virus software protects the operating system.
The third level of security concentrates on making the webpage secure, keeping in mind that accessibility of the webpage must remain consistent. Phishing and unavailability of the webpage are the most common problems that affect any web page. Implementation of a payment gateway should be done properly so that every transaction made on the web is secure and no fraud can cause loss to the customer. Sharing of bank information, customer details and credit card information should be protected, and the protection of information sharing on the web can be achieved by introducing encryption technology. When the user downloads any song or music, i.e. any executable file, a digital certificate should be attached to make the object authenticated and secured. The digital certificate confirms the safety and security of the downloaded object. For transmission of information, public key and private key cryptography shall be adopted by the organization.
Evaluation of risk and protection:
Among all the risks and threats that may occur in the e-business of the music store, if we prioritise the threats starting from the greatest, the first things to keep in mind when implementing security are:
- Care has to be taken that availability of the web page remains consistent, so that users can access the webpage whenever they want and the 'no availability' problem does not arise.
- Denial-of-service attacks have to be mitigated so that no user faces fraudulent action when making a business transaction with the organization.
- Online money transfer should be made secure with a payment gateway technique so that credit card information and bank details are not available to any third person who may cause damage to the customer. Confidentiality and integrity of information should be looked after.
Though many things are required to make the entire e-business safe and secure, it may not be possible for a small organization to introduce all the necessary protection tools, as this may require high investment, and a small organization will not be able to bear that cost of doing business. So what can the organization do? First, the organization may outsource the hosting of the webpage to an outside organization whose core competency is web hosting. The merchant benefits on cost, as he need not concentrate on the various aspects of securing webpage hosting, and this can be done at lower cost by outsourcing hosting and maintenance. The organization can also contact different ISPs to obtain a secured communication channel. This also helps him get the best service without much investment. After outsourcing these two areas, the small organization may concentrate on managing and maintaining the database, which will be the warehouse of the business. He can concentrate on managing the best firewall technique and look at different digital certificates for the items that are going to be sold online. The small organization can also concentrate on giving more stock choice to its customers and on how to increase its business by giving a better customer-satisfying process.