Cybersecurity – and security breaches – continues to be a hot topic. And small ecommerce businesses, especially ones using an open source platform, are particularly susceptible to hacks and breaches. So what can small ecommerce shops do to protect their sites as well as any sensitive (customer) data? Following are 10 suggestions from ecommerce security experts.
1. Educate employees. “Cyberattacks are becoming more and more sophisticated and it's easy to be fooled by emails, links and attachments that look like everyday business requests,” says Norman Guadagno, chief evangelist, Carbonite. “It only takes one click for malware, viruses and ransomware to in infiltrate your system, compromising important business data.”
So, “the first step in protecting your data from cyber attacks is educating your employees to make sure they’re up to date on the latest methods being used by cybercriminals,” he says. “One of the best ways to do this is by creating real life scenarios to test employees’ ability to detect a phishing email or suspicious links. This will help you gain insight into common mistakes and identify areas for improvement.”
Also consider “hiring a third-party to conduct social engineering or facility breach exercises, [which] can help you understand whether your security policies and awareness programs will actually prevent outsiders from obtaining valuable client information directly from your employees,” says Christopher Roach, managing director & national IT practice leader, CBIZ Risk & Advisory Services.
2. Make sure your hosting company has your back. “Use only trusted providers for your site’s hosting,” says Troy Gill, manager, Security Research, AppRiver, which specializes in email and Web security. “Make sure they take security seriously. For example, do they use encryption?”
3. Use a secure ecommerce platform. “Use a hosted shopping cart,” says Christopher Flemming, principal, Onlinestorehelp.com. “Most hosted carts, like Shopify, Bigcommerce and 3dcart, have gone through PCI compliance audits. Most of them are PCI-DSS Level 1 compliant. And they have a full-time staff patching security vulnerabilities giving you time to do what is most important, market your business.”
4. Deploy SSL encryption. “Ensure all transactions occurring on your website are secure with SSL/HTTPS,” says Dodi Glenn, vice president, cybersecurity, PC Pitstop. “When selecting an ecommerce platform, make sure it can support secure transactions over SSL. This will allow you to conduct financial transactions securely, without risking sensitive information being sent over in plain text.”
Even better, “make sure your entire site is secured with an SSL certificate, not just the payment gateway,” says Nick Leffler, a business branding consultant. “This has the benefit of keeping all user data secure (even their email address) as it passes over the Internet – and Google will be paying more attention to this over time as a ranking factor.”
5. Make sure your ecommerce site is PCI DSS compliant. “Any ecommerce business that processes, stores or transmits payment-card data needs to comply with the PCI DSS (payment card industry data security standards),” says Roach. “Complying with PCI DSS protects a merchant against digital data security breaches across their entire payment network, not just a single card. Using a QSA-certified company to help you comply with PCI DSS standards can help augment your resources, but make sure to evaluate the completeness and accuracy of their testing,” he says. “Failure to comply can result in penalties and fines if a data breach does occur on your end.”
6. Utilize Web Application Firewalls (WAFs). Ecommerce businesses should “utilize WAFs to protect their site from various attacks, such as Cross Site Scripting, Denial of Service or brute force attacks,” says Glenn. “Several companies offer WAF protection for little to no money. [And] configuration of the WAF can be done in a matter of minutes.”
7. Have employees regularly change their passwords. Require “admins to change their password often,” says John Arroyo, CEO, Arroyo Labs, a digital agency. “Most hacks are socially engineered and/or due to weak passwords. Require strong passwords and force them to be changed regularly. This is a low cost method to stay secure. Magento Enterprise, for example, has a password lifetime feature. Set it to 90 days or less.”