Sitecore Security: 4 Ways to Keep Customer Information Safe
Sitecore is all about improving the customer experience. And nothing kills the customer experience or destroys customer trust quite like being hacked.
Just last week, the news broke that the Equifax data breach was also being investigated by UK officials. It seems that in addition to the 143 million Americans who had their personal information compromised, another 700,000 residents of the United Kingdom were affected as well. This is just another example of a high-profile company having to deal with the repercussions of a massive data breach.
If your organization is utilizing Sitecore for web content management and automated marketing, here are a few steps you can take to ensure the utmost safety for sensitive customer data.
1. Start with proper configuration.
Before you install and configure Sitecore, you need to start with the proper foundation for the solution to run on. Sitecore operates on several different versions of Microsoft Windows. It is imperative that you’re utilizing the most recent release, because each new update contains added security features. It’s also important to stay vigilant about updates. Make it a point to download and install each new update as soon as it becomes available.
Another important aspect of configuration is creating a strong password protocol. Sitecore comes with an out of the box admin password. You’ll want to change this password immediately. User passwords should be changed on a regular basis - annually at the least. Challenge all users to come up with bullet-proof, complicated passwords containing a mixture of numbers, symbols, and both capitalized and uncapitalized letters.
If you add any type of customization to your Sitecore installation, you’ll need to make sure that every aspect has built-in security. This goes for any future customizations or third-party software integrations as well.
2. Be meticulous in setting user permissions and roles.
Before you give anyone in your organization a login, you need to create a visible flowchart of the people who will be using Sitecore and exactly what each person’s role will be. Focus on the specific role rather than just doling out passwords to a group of employees. Limit the number of administrators to the absolute minimum.
Once you’ve decided on role hierarchy, it is a good idea to host training sessions based on particular roles. You wouldn’t want to have one big training session where you tell everyone in the room how to act as an administrator. Remember that employees can get disgruntled and spiteful in some cases. This is why you want to limit extensive knowledge to certain levels. By training administrators separately, you’re actually building in an extra layer of protection.
Speaking of disgruntled employees, make sure that when an employee leaves or is fired (especially when they are fired), their login access is terminated immediately. It’s a good idea to work with both the HR and IT departments to create a strong policy to support this type of security procedure.
3. Utilize separate servers for content management and content delivery.
Your content management system - sometimes referred to as the “back-end” of your website, should reside on an internal secure server. The public-facing aspect (or your website) should reside on a different server. This reduces the chances of having your website hacked and waking up to see controversial or inappropriate content on your homepage.
Of course, this is a more costly form of implementation, but a much more secure option. And it costs a lot less to start with this added security feature than to deal with the fallout of a data breach. (Perhaps you want to Google the Equifax breach again if you’re still not sure it’s worth it.)
4. Ensure security at every customer touchpoint and interaction.
Be your own customers. Seriously, at least quarterly, you should visit your website as a customer. Examine every step you take throughout the customer journey and consider each from a security standpoint. When you sign-up for an account, is the connection secure? Do you see the HTTPS lock icon in the browser bar? What about when you make a purchase and input credit card info? Is the information encrypted? How do you know? What is there to give you reassurance that your sensitive information is safe?
Also, some organizations are actually holding “hackathons” as a way to understand how they might be hacked. By hosting these controlled hacking environments, a company can really see how their security processes hold up in a real-world scenario.
In conclusion, in addition to all of these suggestions, it is equally important to have a robust disaster recovery plan in place for Sitecore. If for some reason your system were compromised, what would you do? How would you restore all of your customer information? A backup plan should be considered the moment you decide to implement Sitecore, or any other type of software solution for that matter. Just remember the old adage...fail to plan and you’re planning to fail.
Do you need customization of your Sitecore or Salesforce solution? Want to build in additional security? We can help. Contact us today.