Security for Small Business – Secure Architecture

Tracking is a violation of a secure architecture

As part of an ongoing series, we’re taking a look at security for small business, the tools that are available, and the best practices that keep your business ahead of the curve.

In small business, the focus is often on driving sales and supporting marketing growth. Security concerns, unless critical to the business’ sales proposition, fall by the wayside. However, it is possible to build a successful small business with an emphasis on a secure architecture.

Secure Architecture

Different applications are built differently, but most feature some kind of a modular architecture. Rather than building the entirety of a tool in-house, complex applications and websites build upon the foundations established by other tools, libraries, and extensions. This speeds time to market for user-facing features, but introduces minor compromises made for the sake of expediency.

Ensuring that a modular architecture is also a secure architecture requires a development team to be principled and intentional throughout the engineering process. It is possible to leverage modular technologies and utilize tools like analytics engines and advertising without compromising user privacy. It’s a matter of balancing business requirements with the amount of exposure that makes sense in an environment.

Third-party Features

Often, the easiest way to include new features on a website is to copy a pre-built element from a third party. This usually includes some HTML code from the provider and a script that runs on your own site to fetch additional content or otherwise manipulate the HTML you pasted in.

A good example is how posts from Twitter are embedded on a website.

The bulk of the tweet’s content is contained within static HTML provided by Twitter. The magic of the embedded content is in a script that converts the simple HTML into a properly-styled element within the page. Unfortunately, it also invites Twitter into the context of your website. Everything you can see about your customers, Twitter can see about your customers: URLs visited, exit points, device capabilities, etc. Twitter will likewise be able to track your customers across their visits to any other site that loads a Twitter embed.

Building a site with a secure architecture means building a product that protects your customers’ data from parties who would otherwise harvest and use it without their consent.
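A first step is knowing which outside hosts your pages already load. The following is an added example, not part of the original article: it lists the off-site hosts referenced in a page's static HTML and what kind of access each one gets. The `shop.example` site, the sample markup and the `audit` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# What a third party gains from each kind of tag (not exhaustive: CSS, fonts
# and resources injected later by scripts are out of scope here).
ACCESS = {"script": "page-context", "iframe": "framed", "img": "request-only"}

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url = page_url
        self.own = {urlparse(page_url).hostname, *first_party}
        self.findings = []  # (host, tag, access) in document order

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag in ACCESS else None
        if not src:
            return
        # Resolve relative and protocol-relative (//host/...) URLs first.
        host = urlparse(urljoin(self.page_url, src)).hostname
        if host and host not in self.own:
            self.findings.append((host, tag, ACCESS[tag]))

def audit(html, page_url, first_party=()):
    """Return the off-site hosts referenced by the page's static markup."""
    parser = ThirdPartyAudit(page_url, first_party)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: a first-party script, a tweet embed, an analytics
# script, a "like" button iframe and a constructed ad-network pixel.
PAGE_URL = "https://www.shop.example/products/widget"
SAMPLE_HTML = """
<script src="/js/site.js"></script>
<blockquote class="twitter-tweet"><p>Constructed tweet text</p>
  <a href="https://twitter.com/example/status/1">Jan 1</a></blockquote>
<script async src="https://platform.twitter.com/widgets.js"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
<iframe src="https://www.facebook.com/plugins/like.php?href=x"></iframe>
<img src="https://static.shop.example/logo.png">
<img src="https://pixel.adnetwork.example/p.gif" width="1" height="1">
"""

if __name__ == "__main__":
    for host, tag, access in audit(SAMPLE_HTML, PAGE_URL, {"static.shop.example"}):
        print(f"{access:13} <{tag}> {host}")
```

Entries marked `page-context` are scripts that run inside your page with the same view of the visitor as your own code; `framed` and `request-only` entries still receive a request from each visitor's browser. The plain link to twitter.com inside the tweet's HTML is not reported, because a hyperlink loads nothing until it is clicked.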

Tracking Tools

You have a high level of access to information about users viewing your website or web application. Any third-party scripts (analytics or tracking tools, comment forms, etc.) installed on your site will have the same level of access to your users as you do. This includes tools like Google Analytics, CrazyEgg, and Woopra. These tools are useful, but they violate the idea of maintaining a secure architecture.

Every advertisement present on your site also violates the principle of a secure architecture. Often, developers will reach for advertising as a quick way to monetize a component of the business that doesn’t bring in other money on its own. Unless your site is directly selling a product, it’s costing money rather than directly producing anything.

Unfortunately, all of these trackers and advertisements can collude to violate your customers’ privacy. Many ad networks leverage technology called “ad retargeting” that uses cookies embedded in a user’s browser to follow them from one site to another. If they only partially filled out a sign-up form on one site, an advertisement on a separate, entirely unrelated site can display a “Did you forget to finish?” advertisement.

For ad sellers, it’s a huge win to track users from site to site. This helps build a personal profile for the otherwise anonymous user and helps to target later ads for relevancy. Unfortunately, it’s a huge loss for consumers attempting to navigate the web in privacy. It’s also a huge loss to your business in terms of security -- these same organizations profiling users as they traverse the web are profiling your customers and using information on your site to do it!

If you absolutely need tracking and analytics about your users, use freely-available tools like Piwik that can be hosted privately on your own infrastructure. You can still track all of the dimensions you need to inform your business decisions and monitor your sales pipeline without leaking critical information to outside organizations.

The easiest way to avoid leaking information about customers via ad networks is to simply not sell ads on your website. Ultimately, even if your website doesn’t directly produce revenue, it’s still responsible for a portion of your sales pipeline. Decreasing your site’s online footprint by removing ads makes it run faster and act as less of an impediment to new sales leads. If you still need ads, consider running your own ad server.

One Thing Right Now …

Chances are good that, somewhere on your website, there’s a Facebook comments feed or “like” button. These are great ways to help push your visitors to share content with their own social network. However, they’re also the way Facebook is leveraging your site to profile users and customize content on their own network.

Keeping your data secure starts with keeping your customers’ information secure. Remove or disable any Facebook integrations on your site and you’ll immediately stop exposing your customers’ data to Facebook’s servers. If these tools remain, even passively, Facebook can track your users from one site to the next using a cookie in the browser, and automatically associate their browsing data with their Facebook profile. Even if your user never logs in on your site, Facebook knows who they are and what they’re viewing.

The best step forward towards secure architecture is removing trackers and remote integrations from your online properties. The one thing you can do right now to get started is to at least remove Facebook.

Top image credit: EFF designer Hugh D’Andrade