Security Guards

The latest developments in e-business security

By Mark Henricks

Opinions expressed by Entrepreneur contributors are their own.

Alessandro Isolani plays with fire every day. His San Francisco-based ebates.com Inc., the shopping community he co-founded in 1999, now has 2.5 million members purchasing products from more than 500 e-merchants referred through its site. Protecting the security of those customers is one of Isolani's most important jobs. "If you blow it on security," the 33-year-old explains, "your company is dead."

Indeed, security issues dog all e-businesses. Merchants need to protect shoppers' user information. Companies must also make sure people shopping with them aren't ripping them off. Entrepreneurs must not only protect proprietary information, but also keep out hackers and minimize denial-of-service attacks, which seek to shut sites down so legitimate customers can't use them.

Isolani, a former county prosecutor specializing in computer crime, addresses security in four main ways. Take his advice:

1. Require any merchant seeking referrals to use the Secure Sockets Layer (SSL) protocol to safely transmit confidential data, such as credit card numbers, using a private key to encrypt data.

2. Don't store any credit card data on your site.

3. Require members to pick unique user names and passwords.

4. Finally, keep all user transaction records offline, completely isolated from the Internet.

Isolani feels secure enough to promise to reimburse shoppers for any loss if their credit card information is swiped as a result of an ebates.com referral. But, despite efforts by e-biz start-ups like Isolani's, there is a lot more trouble to come from poor e-commerce security, according to Elad Yoran, executive vice president and co-founder of RIPTech Inc., an e-commerce security firm in Alexandria, Virginia.

Not all online businesses have the same exposure, of course. But there are good, general-purpose solutions. If you are transmitting credit card data, for instance, SSL is a reliable and popular technology.

For most sites, authenticating users through usernames and passwords is an adequate fraud-prevention tool. Names and passwords should be encrypted so that they can't be intercepted when sent. If a site is unusually sensitive, the business can assign randomly generated passwords to users rather than letting them pick their own, which are often easily guessed. Even better security can be provided by authenticating users with the help of smart cards, which are devices programmed to contain passwords, usernames and encryption keys.

E-businesses must also protect data such as passwords and usernames from being stolen off their servers. Server security is related to the number of features your site has and to whether you share your server with other e-businesses, says Ed Jenny, an IBM executive in Atlanta with the company's small-business e-commerce division.

Generally, the more features a site offers, the harder it is to secure. Putting a database online, providing telnet services and even allowing your developer to upload pages without authenticating can all ease hackers' work. Shared servers, adds Jenny, are less secure than dedicated ones.

You can spend a chunk of change on security. Firewalls (devices that block hackers) can cost $100,000 or more. RIPTech's security detection and analysis service starts at $2,000 a month. However, some hosting services include reasonable levels of security with budget-hosting packages that cost less than $50 a month.

Many have intriguing extras. IBM usually includes scanning by "ethical hackers" (security experts who test sites by probing with simulated attacks). But security is never perfect. In the first place, security experts say most breaches are still nontechnical, involving physical break-ins or corrupt employees. And if you seek perfect technical security, requiring users to remember randomly generated passwords and stripping a site of all features that compromise security, you may bore people or turn them off. Finally, at present, there is no good technical solution to denial-of-service attacks.

The good news is, start-ups, by definition, are better at dealing with these issues. "A start-up is in the unique position of starting from scratch," says Isolani. "And it really makes it easier if you have this stuff in mind when you're designing your site."

Brain Food

To learn the latest on e-business security issues, check out the Web site for the Computer Security Institute, the world's leading organization for computer and network security professionals.


Mark Henricks, author of Business Plans Made Easy (Entrepreneur Media Inc., $19.95, ugrpg.com) and Mastering Home Networking (Sybex Inc., $29.99, www.sybex.com), writes on business and technology issues.

Contact Sources

IBM, (888) IBM-5800, www.ibm.com/smallbusiness

RIPTech, (703) 916-8886, www.riptech.com
