Securing Your Online Certification Program

By: Justin Ferriman April 16, 2019
Filed Under:

Protect your program and your learners’ data.

When it comes to your certification program, you probably have a lot to think about before you start thinking about data security. And, if you do think about it, you may think that your site is too far below the radar to be a target.

However, that’s not how most security attacks work. While some high-profile organizations are targeted, many hackers are simply looking for systems with weak security. Security attacks have many goals, from ransomware attacks to stealing user information. And it’s this second concern that should make you extra careful about your online security.

Because so many users repeat passwords across systems, many data breaches focus on stealing username and password combinations, which they can then use to try to gain access to more sensitive information. With so much at stake, you want your learners to know that you’re treating their valuable data with the care it deserves.

Data security is a long and complicated topic, and the larger your company is, or the more sensitive the data you handle, the more you will need to consult a security expert. But if you’re just getting started, here are a few measures you can take to make sure your sensitive data isn’t exposed.

1. Make an audit of the data you collect.

You can’t compromise data you don’t have to begin with. Because of this, you should take a moment to assess what personally identifiable information you collect from your learners, and how and where that information is stored. Personally identifiable information is that which is matched to a specific user account. This is different from, say, generic user data that you aggregate to measure site performance (such as your traffic volume).

For instance, at the bare minimum, the personally identifiable information you collect includes usernames and passwords. You may also run a poll to gain some demographic information about your learners, but if that information isn’t liked to their account, it’s not identifiable. However, you might also store their home address, their phone number, or answers to security questions such as “what is your mother’s maiden name,” or “what is the name of your first pet.”

Those security questions may not seem like a big deal, but since many websites use the same security questions (and many users answer them truthfully), they can be unexpectedly sensitive information.

2. Pay attention to PCI compliance issues.

Notice in the above section I didn’t mention highly sensitive information, such as credit card data. That’s because handling and storing credit card information falls under PCI compliance regulations, which are a whole other can of worms.

The (very) basics boil down to this: If you are going to process credit card information, you must be sure that information remains secure for its entire life cycle during the transaction. Because creating a PCI compliant system is so complex, most businesses work with a vendor to cut down on their own risk. These vendors handle the actual transaction, but your business would still be responsible for any payment information that went through your website.

SSL encryption is essential for this part of PCI compliance. For the rest, the main thing you should know is that your program should never be storing credit card information—especially in an unprotected state. If you can pull up someone’s account and see their credit card information, you’re non-compliant and could face some significant penalties.

3. SSL encryption on your website.

Put simply, SSL is a cryptographic security standard that ensure the traffic between web servers and web browsers isn’t intercepted and tampered with in transit. Essentially, SSL encryption is a way of ensuring that the website users see and interact with is the same as the on one you have on your web servers, and that the information they enter into that website on their browser can’t be read in transit back to the web server.

There’s a chance your website already has SSL encryption, even if you aren’t aware of it. As one of the most basic security features your website can have, any good web agency will install it as a matter of course on your site. Furthermore, if your website is hosted through wordpress.com, it will be automatically encrypted as part of WordPress’s hosting policy.

That said, there are still a surprising number of websites that do not have this encryption feature. Fortunately, if you don’t know which group you fall into, checking is easy. Sites with SSL encryption will have URLS that begin https://, rather than http://. Depending on the browser you use, there may also be a symbol, such as a green lock sign, to indicate your site is secure.

Installing SLL on your site also offers a mild SEO boost, in case you needed any extra prompting.

4. Use strong passwords and set up two-factor authentication.

An astonishing 10% of online users regularly chooses one of the top twenty-five most common passwords to protect their accounts. These password lists frequently include entries such as “monkey,” “starwars,” and “whatever.” Clearly, many of us think alike.

By contrast, strong passwords are usually over a dozen characters long, include a mixture of symbols, and are not in any way memorable. In fact, they look something like: 7p8#9rqH+YKHgY$V

The key, of course, is to not try to memorize them at all, but to use a password manager that will keep track of your passwords for you. That way you only have to worry about the security of your password manager, and the rest of your site stays safe.

For an added layer of security, you should also consider adding two-factor authentication. The most common form of this sends a text message to your phone with a PIN that you must enter before you can log in. The PIN helps verify your identity, because only someone who has your phone can log in to your account.

Many online applications come with two-factor (or multi-factor) authentication options. If you’re using a WordPress site, you should find enablement settings in the user controls portion of your site.

5. Encourage your learners to protect their accounts the same way.

There’s only so much you can do to protect your learners if they’re not following security protocols themselves. And unfortunately, despite years of education, many users still use the same weak passwords across every account they own.

You can help your learners choose better passwords by setting some criteria for a good password, but the rules many businesses set for password creation aren’t anywhere near sufficient, and many teach users poor ways of forming passwords.

For instance, a strong password is usually over a dozen characters, while most businesses only ask learners to set passwords longer than six. And while many businesses require users to include certain special characters, they just as frequently limit the character set they will allow. You would do better by focusing on a length requirement, and otherwise promoting two-factor authentication.

Security is important—for your reputation, and for your learners.

It’s easy to think that a security breach won’t happen to your certification program, but that’s not a good reason to neglect proper precautions. It’s not just your reputation that’s at stake—it’s also your learners’ personal data. They’re trusting you to keep it safe.

Justin Ferriman

Justin started LearnDash, the WordPress LMS trusted by Fortune 500 companies, major universities, training organizations, and entrepreneurs worldwide. He is currently founder & CEO of GapScout. Justin’s Homepage | GapScout | Twitter