I was just reading an article about security threats to web-based software, and one of our customers emailed me as they were reading the same thing.
This is a topic we think about a lot, and some of the most tricky decisions we make are tied to balancing security with convenience for our employees and customers.
Trusting your employees
From our experience with over a thousand countertop fabricators, the biggest security threat to you is disgruntled existing or recently departed employees at your company. Of all of the security-related problems, this is the only one that’s actually happened in the last decade.
- Disgruntled admin employee deletes all other users. (we fixed this by restoring data)
- Employee calls claiming they’re actually the owner and wants us to change their user to admin (seemed fishy, so we didn’t do it)
- Recently fired employee’s user isn’t deactivated, and they log in multiple times (presumably to copy account info, but there’s no recourse)
So, my first gut-feel recommendation is “hire folks you trust”.
Security by ignorance
Our basic policy is not to view or edit any customer’s data, if possible. In fact, we don’t even reveal our customer’s names unless they’ve agreed to be a reference. The less we know about our customer’s databases, the more we’re protected from the kinds of security threats related to us accidentally revealing too much about our customers.
There are cases where we do actually do more, but it’s extremely limited. Any time we need to do dig into our customers data, either Ted or I give approval first. We keep a log of those circumstances. It’s only happened a handful of times recently, but some examples of that are:
- We help a customer import inventory or account information
- We help a customer clean up old data by cancelling/completing lots of activities in an automated way.
- We make a copy of a customer database to diagnose/fix very thorny bugs.
As part of our infrastructure, we’re constantly monitoring for hacks along with other problems – any time you have a large number of servers, there’s a constant stream of attempts to find holes (we’re constantly seeing pings and login attempts on our servers). Our newest hire (who started this month) is in a “dev-ops” role, which means he’ll be looking at further improvements… once he gets up to speed.
We had an outside security auditor review our servers … there were some issues, but he claimed we were already doing a “pretty good” job. We implemented most of his recommendations, last year. But, that’s an ongoing process, and we realize how important it is to keep looking at our processes.
What you can do
You can take a few precautions to make sure that you’re not opening yourself up to hacking.
- Hire employees you trust. I know I said that already, but it’s got outsize value to your business well beyond security
- Don’t share users. We charge per user, so it might be tempting to share users. But, you give up a huge amount of control and visibility into who’s doing what.
- Use good passwords. Don’t make your passwords blank or trivial, don’t re-use passwords in multiple places, and don’t share passwords.
- Restrict user roles. Instead of making all users admins, you might want to limit what they can do
- Review logs occasionally. We track users in two basic ways. There’s a change log, which tells you what a particular user edited. And there’s a list of login locations.
I think we’re also somewhat protected since we have human-to-human relationships with our customers, which makes it a bit harder to spoof. And, this is a topic we discuss internally from time to time. Any company is vulnerable to online fraud, and we want to make sure we’re protecting both our company and yours.
Want to know more? At Moraware, we make software for countertop fabricators. CounterGo is countertop drawing, layout, and estimating software. JobTracker is scheduling software that helps you eliminate the time you waste looking for job folders. RemnantSwap is a free place to buy and sell granite remnants with fabricators near you. We also sponsor StoneTalk, the podcast for countertop fabricators.