Recently, a class-action lawsuit was filed against 21st Century Oncology. In it, the medical provider is accused of storing patient data in Joomla. Since we primarily use Joomla as a content management system, this story was interesting, particularly when you look at the lawsuit attorney's comments.
In the article, the attorney is quoted as saying Joomla is a "free … notoriously vulnerable web-based" content-management system. Joomla is free; however, it is no more (or less) vulnerable than other widely used platforms such as WordPress, Magento, or even Microsoft Windows. This matters because the attorney's portrayal of Joomla as the core of the problem is erroneous. The medical provider certainly should not have been storing patient information in an online database in this manner, but the real failure is that shortcuts were taken, likely in an attempt to reduce costs, and the technology professionals behind the implementation didn't challenge the decision.
I occasionally rub clients the wrong way when I bring up the pros and cons of certain implementations, but it's in my best interest that I never have to file a claim on my cyber-liability insurance policy, and I would prefer that my clients never need to worry. For that reason, I'm prone to challenging client requests when I feel they may put security at risk. Here's why:
I touched on this a moment ago when I mentioned cyber-liability insurance. That affects me, but it's my client's business that's at risk if I don't speak up and something happens. Ignoring security because you're "too small a business" is asking for trouble, especially if you're doing any volume of ecommerce transactions. Look at the story about 21st Century Oncology: had their technology team spoken up about where information was being stored, the company probably wouldn't be defending itself in court against a fifth class-action lawsuit. Even one lawsuit is expensive; imagine having to defend yourself against five.
The single greatest advantage of selling online is that you've expanded your potential market from the city in which your business is located to the global stage. Many other Western countries, particularly in Europe, have stricter privacy guidelines. If your business doesn't follow basic protections and security principles, you will lose out on those opportunities to do business internationally.
Once word of a business's lack of security and/or privacy protections gets out, sales will slow. Consumers will become less willing to enter their credit card information, and that means lower sales: less inventory going out the door and less money coming in. If a buyer isn't getting what they want from you, they are getting it from another business.
There's more to websites, ecommerce, and apps than just getting them done, and 2015 certainly showed us that security needs some TLC from technology professionals. There's also more to security than making sure your technology professionals are following best practices. As business owners, we have to be aware of the risks and take an active role in protecting our businesses and our customers.