Sunday, January 28, 2007

Internet security and the all-important client feedback / contact process

One of the enormous benefits for any law firm in having a web site is the opportunity to secure new business directly from the Internet.

There is nothing quite like receiving a fantastic new case via an online feedback form or e-mail. This is even more satisfying when the case has come to you not through advertising, pay per click or affiliate marketing, but simply directly from the FREE organic search listings on, say, Google or Yahoo.

The problem that we have as a law firm is that we are not particularly clued up on the necessary security that is required to run an effective online business. For example, our feedback forms are built in PHP and they are very, very bog standard in their complexity, despite looking quite snazzy on the page.

We have had to learn very quickly about the key security issues associated with feedback forms, because in recent weeks our network of legal sites has been attacked by various forms of spam or viruses. We have received enormous levels of link comment spam and have also suffered from something known as PHP injection security breaches. We seem to have been targeted and have had to resolve the problem urgently and effectively.

We have hired programmers to build more secure feedback forms in PHP that rely on additional security features, including image verification. You will have come across this before and, whilst the mechanism can be a nuisance, you can guarantee as much as possible to the site visitor and prospective clients that the information they provide will be safe. You can also prevent robots from infiltrating the code in the way that we have recently encountered.

One of the most effective methods of securing your feedback forms is to use CAPTCHA coding. You can introduce this without drastically amending your current PHP or equivalent forms, and the programming can be extremely cheap.
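As an added illustration (not our programmers' code), this is roughly what the server-side part of such a form can look like: the image verification answer is kept in the session and checked on the server, and messages stuffed with links are rejected. The function names, field names, session key and limits are all assumptions made for the example.

```php
<?php
// Added illustration: server-side checks for a feedback form with image verification.
// Field names, the 'captcha_answer' session key and the limits are assumptions.

/** Compare the visitor's answer with the one stored server-side; single use. */
function captcha_ok(array &$session, string $answer): bool
{
    $expected = $session['captcha_answer'] ?? null;
    unset($session['captcha_answer']); // burn it so one solved image cannot be replayed
    return is_string($expected) && $expected !== ''
        && hash_equals(strtolower($expected), strtolower(trim($answer)));
}

/** Return a list of problems; an empty list means the enquiry can be accepted. */
function check_enquiry(array $post, array &$session): array
{
    $get = fn(string $k): string => is_string($post[$k] ?? null) ? trim($post[$k]) : '';
    $errors = [];
    if (!captcha_ok($session, $get('captcha'))) {
        $errors[] = 'Image verification failed';
    }
    if ($get('name') === '' || strlen($get('name')) > 100) {
        $errors[] = 'Name is required (max 100 characters)';
    }
    if (filter_var($get('email'), FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid e-mail address is required';
    }
    $message = $get('message');
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'Message is required (max 5000 characters)';
    }
    // Link comment spam: genuine enquiries rarely contain several links.
    if (preg_match_all('~https?://|\[url|<a\s~i', $message) > 2) {
        $errors[] = 'Too many links in message';
    }
    return $errors;
}

// Constructed sample input: a robot posting links without solving the image.
$session = ['captcha_answer' => 'k7m2p'];
$spam = ['name' => 'x', 'email' => 'bot@example.com', 'captcha' => '',
         'message' => 'http://a.example http://b.example http://c.example'];
print_r(check_enquiry($spam, $session)); // two errors: verification and links

// Constructed sample input: a genuine enquiry with the image solved.
$session = ['captcha_answer' => 'k7m2p'];
$real = ['name' => 'A. Client', 'email' => 'client@example.com', 'captcha' => 'K7M2P',
         'message' => 'I was injured at work last month and would like advice.'];
print_r(check_enquiry($real, $session)); // empty list: accepted
```

In a live form the script that draws the image would store the answer in `$_SESSION`, and the handler would call `check_enquiry($_POST, $_SESSION)` before anything is e-mailed or saved.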

Another problem that almost everybody on the Internet will come across is that the moment you post an e-mail address, you can guarantee yourself significant numbers of spam communications once your address has been harvested. The only way around this problem is, of course, to not hyperlink your e-mail address and perhaps work around this by using an image of the text / address. Some businesses will quote "at" instead of using an @ sign. None of these workarounds are very helpful for the site visitors, but what else can you do? I'd sure like to know.

It would be great to hear from any other law firms that have encountered security problems and managed to overcome them.

We are learning fast, but you get the impression that in the online world, nothing is very secure for very long.


Tessa said...

I have a question and answer section on my web-site with an online form. I have only ever had real questions, but this is probably because they have to click through my terms and conditions first.

Maybe if you had a page with information about your service which people had to click through, this would keep the spammers at bay?

legalspy said...

Hi Tessa
That's a good point

The main difficulty with that solution is that the injury claims market is ultra competitive and the theory is that if a site visitor has too much to do or too many clicks to make in order to submit an enquiry - you lose them.

We've learned an awful lot about secure PHP forms in recent weeks and you can do much to reduce the risks by simply ensuring your programmer understands the issues and places as much code as possible on the server - not on the webpage. If your programmer is unsure about any of these issues - find yourselves a new programmer.

Generalising somewhat - legal websites are pretty slack when it comes to security issues. This is borne out of inexperience (our industry hasn't been too quick to embrace the web) and ignorance.

Sometimes you have to learn the hard way, I'm afraid!