03 / February 2016, Matt
Security is more than just a buzzword. When you run an online business, you have to be able to protect information: your own, and that of your customers. This particularly raises concerns when you provide e-commerce options on your site. Customers who purchase from you need to know that no one can hack in and steal their personal or financial information.
Part of this means setting up basic site construction to protect data. An https designation to authenticate your site is a good start, and using data encryption and other techniques can provide some assurances to your customers. Still, large-scale data breaches in recent years have struck Anthem, the United States Office of Personnel Management, Ashley Madison, and Target; these tactics are useful, but not enough.
While hackers might never be fully stopped, a two-step verification process for your customers can provide an important safeguard to help ensure the people logging in on your site actually are who they say they are. When you set up this log-in system, you can accomplish two important pieces of your security puzzle: you help make your customers’ data more secure, and you do so in a visible enough way to create confidence in what you are doing to protect them.
Unfortunately, these steps are not enough. Hackers include some of the brightest minds in the world, and they have chosen to focus their skills in destructive directions. To combat this, you need to avoid relying on a stationary target. However cleverly concocted that target may be, information that sits in a database without changing will always be susceptible to those who would seek to obtain it.
Two-step verification as companies use it today introduces an additional roadblock to protect this information. It does so by using the username and password only as the first piece of information someone needs to log in. You should still require a strong password here, but once the user enters that information, your site requires additional information: a fluid password that the user receives on his or her smartphone or tablet. The password, often a six-digit number, works only once; each log-in requires a new, randomly-generated number to access the site.
This process creates four layers of security to ensure the right person accesses the site. The username should be something the user chooses, so you can avoid patterns that someone can identify and use to get in. The second, of course, is the password, which again should require some combination of upper-case, lower-case, numbers, and symbols to prevent easy guesswork.
This, by itself, has represented the industry standard security layer for a long time. An additional layer many sites provide now is a set of “security questions,” which require users to establish and answer one or more questions to prove their identities even after the password is set up. These have the advantage and disadvantage of being personal to the person who sets them up; if identity theft comes from someone knowing the person whose identity is stolen, it may not be difficult to guess the correct answers to the questions.
A strong two-step verification process adds two more layers instead. The first is the randomly-generated passcode, which eliminates the opportunity to guess at answers to common questions. No one can know ahead of time what number will be generated, making for a much more secure input. Further, this diminishes greatly the potential for human error thwarting your security efforts; because the number changes every time, there is no danger of someone writing it down, carrying the number with him or her, and unwittingly revealing it later.
Finally, the fourth layer of security this process creates comes through the device itself. Two-step authentication requires customers to keep a device present, usually a smartphone, to access their accounts. The customer sets the device to which information will be sent, and your site sends codes to that device to help prevent fraud or theft. Smartphones have become prevalent enough in both number and use that this goes a long way toward ensuring the device customers need will always be on their person.
The dilemma we face in many areas of life is how to balance convenience and protection. In the world of online transactions, customers’ expectations often tilt toward the former much more than the latter. They expect fast load times and fast access, and tend not to think too much about the security of what they enter. Instead, they focus their attention and sometimes their ire on issues like prompt delivery or the convenience of the online interface.
This represents enough of a problem for your customers. When you allow their behavior to lead to a foreseeable risk of compromising their data, though, you also face the potential for losing their business, as well as losing goodwill and reputation for your own business. Setting up a single layer of security leaves much of the work of protecting customer information with the customers themselves—a group that will often prove unwilling or unable to take up that task.
With this in mind, establishing a two-step verification procedure can go a long way toward overcoming the unsafe behavior of those you cannot control. No process is foolproof, but this can allow you to give some assurances to your customers that you are working to keep their data and their money safe. It delivers the message for you in a very visible way, providing the feel of security along with the fact of it. This dual effect is critical. Any security lapse can do damage to your company, and any accurate assurance you can provide your customers will help strengthen your relationships with them and their willingness to continue to do business with you.
The task of creating secure protocols can get in the way of your customer satisfaction, particularly when you first implement it. Customers tend to dislike change, and when that change effectively slows down what they want to do, you can encounter confusion and annoyance. And at first, many will struggle with the technology involved, no matter how clearly you explain it. Someone who has to pull out a phone every time he or she logs in will sometimes get frustrated, and will likely tell you all about it.
In addition, part of the frustration your customers may express is a belief that all of these efforts will not fully prevent the most sophisticated of attacks. The smartest hackers can circumvent a two-step verification process. It takes more time and effort, and generally only involves the biggest, most lucrative targets, but there is no perfect security process. In fact, many of the large-scale database infiltrations that have occurred in recent years involve sites that have some kind of two-step verification in place. Some people understandably get annoyed when they are asked to take extra steps when they don’t perceive a benefit resulting from those steps.
To overcome these kinds of objections, begin with open communication. If you start your website out with a two-step process, that should head off some of the aggravation people might feel when you switch from a simpler system to a more complex one. But if you are making a change, you should take the time to call attention to what you are doing, and why. Any time you appear to be shrinking from a change, people interpret your reticence as an attempt to hide something. You want to get in front of what you are doing and give a direct message before your customers can infer something else.
When you deliver the message, be as direct as possible. Tell your customers on your website, and in your physical store if you have one, that you are moving to a two-step verification process to protect their privacy and their money. Explain how it works, and assure your customers that it is a proactive move to enhance their security, rather than a reaction to something that went wrong.
By getting in front of the change, you can shape and frame your discussion with your customers. You never want to be in a position to play defense when your customers’ opinions about you are involved. You make this kind of move to protect them, and when you wait for them to reach their own conclusions about your motivation for change, few will reach the conclusion you wish.
Finally, don’t hide from the potentially negative aspects of the change. You don’t want to pretend there will be no inconvenience or let your customers believe you have not thought about the concerns they may have. Acknowledge that the process can be slightly more cumbersome than the password-only approach, and come out and tell them you cannot guarantee nothing will ever go wrong. Encourage them to treat their log-in data carefully and work to protect their own information. But let them know this creates a step that can help prevent many kinds of identity theft, and makes it much harder for anyone to get into your system.
Additionally, you cannot ignore older kinds of threats just because you have a new security process. Let your customers know what address you will use for any emails that originate from your company. Every day, phishing scams launch hundreds of thousands of emails that use accounts designed to mimic company names. They ask email recipients to click on a link that downloads malicious software, or send personal information they can use to access accounts. Two-step verification can prevent some of this, but the potential for problems never fully goes away.
When you design a website, you need to do so with the full customer experience in mind. A site with an https: designation, fast load times, rich content, and easy navigation will help you get far, but if you cannot protect your customers’ data from hackers, the rest does not matter. The security measures you take should be visible enough for your customers to appreciate them, but effective enough to back up what you show them.
Like your Internet marketing campaign, your website security is an ongoing enterprise. When you operate a business, you need someone you can rely on to help keep your site safe. 1st in SEO starts by providing you a well-designed, secure website. We can set you up with a two-step verification as part of any e-commerce you run through your site, enhancing your security and giving your customers visibility into the ways you are protecting them.
Moreover, we understand that security only begins at web design. We monitor your site performance and unusual activity on your site, helping you stay on top of potential issues before they get bigger. We understand both the proactive and reactive measures you need to take to protect yourself and your customers, and we help you do so for as long as you work with us.
When you choose an SEO marketing company, you should make sure you are working with someone who understands thoroughly how to get your site ranking highly, but also how to protect you from damage to your reputation with your customers. Contact us today, and we will make sure your website looks good and operates securely.