More and more customers are making the switch from brick and mortar stores to ecommerce websites thanks to the convenience of online shopping, but there’s still a significant portion of the population who are wary about adopting these new practices.
It’s reported that one third of people worry about making online purchases due to the risk of theft, which is a reasonable concern given that online attacks are continuing to increase. This is why ecommerce businesses should be taking measures to protect their customers, their businesses, and themselves from the risk of security leaks and confidentiality breaches.
Here are some tips to help you reduce the risk for your business.
Proceed with Caution
It’s always better to assume that everything coming to your website is an attack until you’ve verified that it isn’t. Transport encryption is the first layer: SSL/TLS encrypts data between the customer’s browser and the business website so it cannot be read or altered on the way. Of course, in most cases the traffic coming to your site will be legitimate, but if it isn’t, hackers may be attempting to compromise your website and can try to exploit bugs using SQL injection and buffer overflow attacks. Correctly validating and sanitising incoming data can neutralise these threats, even if bugs do exist. Only once you have sanitised the data should you allow it through into your business logic.
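As an added illustration of the “sanitise before business logic” point (example code, not from the original article), the snippet below shows a lookup that pastes customer input into SQL next to a hardened version that validates the input against an allowlist pattern and binds it as a parameter. The table, rows and hostile input are constructed for the demo.

```python
import re
import sqlite3

# Constructed in-memory order table (sample data, not from any real shop).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, email TEXT, total REAL)")
conn.executemany("INSERT INTO orders (email, total) VALUES (?, ?)",
                 [("alice@example.com", 19.99), ("bob@example.com", 120.00)])

# Allowlist: only things shaped like an e-mail address get past the front door.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(value):
    """Reject anything that is not plausibly an e-mail before it reaches the query."""
    if not EMAIL_RE.fullmatch(value):
        raise ValueError("rejected input: not an e-mail address")
    return value


def orders_unsafe(email):
    """Vulnerable 'before' version: the input becomes part of the SQL text,
    so the database parses whatever the customer typed as query syntax."""
    sql = "SELECT id, email FROM orders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def orders_safe(email):
    """Hardened version: validate first, then bind the value as a parameter
    so it can only ever be compared as data, never executed."""
    email = validate_email(email)
    return conn.execute(
        "SELECT id, email FROM orders WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    hostile = "x' OR '1'='1"          # constructed input, not a valid e-mail
    print(orders_unsafe(hostile))     # leaks every order
    try:
        print(orders_safe(hostile))
    except ValueError as exc:
        print("blocked:", exc)        # never reaches the database
    print(orders_safe("bob@example.com"))
```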
Protecting User Data
It seems that no one is 100 percent immune to security leaks, and in 2016 alone we saw major confidentiality breaches for the Internal Revenue Service, the US Department of Justice, the University of Central Florida, and many more. While we may not be able to completely prevent an attack, we can minimize the risk by implementing a good password policy, offering two factor authentication if you’re in a particularly high value market, and salting and hashing stored passwords. It’s also a good idea to limit the amount of data collected; not so great for marketing, but in terms of security there’s a lot less at stake.
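The salting advice above, as an added example that is not part of the original article: each customer gets a fresh random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library), so a stolen password table cannot be reversed with one precomputed lookup. The iteration count is an assumption you should tune to your hardware.

```python
import hashlib
import hmac
import os

# Work factor: slows down offline guessing against a stolen table.
# Assumed value; revisit it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return 'iterations$salt_hex$digest_hex' for storage.

    A fresh 16-byte random salt per user means two customers who chose the
    same password still end up with different stored values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time so the check does not leak how much matched."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    first = hash_password("correct horse battery")
    second = hash_password("correct horse battery")
    print(first != second)                              # different salts
    print(verify_password("correct horse battery", first))   # True
    print(verify_password("Correct horse battery", first))   # False
```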
Perhaps the most important aspect of all: take backups, and secure them. There’s absolutely no point in implementing any of the above ecommerce security techniques if a hacker can simply steal your backup and have full access to your customers’ information. There’s a little more to securing your backups than you may realize, but it’s not difficult; you’ll want to verify they’re correct (it’s not worth keeping a broken copy of your backup), and you should regularly restore your backups to a test system. After all, why bother having a backup if you ultimately can’t do anything with it?
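The “verify it and restore it to a test system” routine, as an added example (not code from the original article) using a small SQLite database: the backup’s SHA-256 is recorded at backup time, and the restore drill refuses a copy whose digest no longer matches, then restores into a scratch database and checks integrity and row count. The table and data are constructed for the demo.

```python
import hashlib
import os
import sqlite3
import tempfile


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def make_backup(live, path):
    """Copy the live DB to `path` with SQLite's online backup API and return
    its SHA-256, to be kept separately so a tampered copy is noticed later."""
    dest = sqlite3.connect(path)
    live.backup(dest)
    dest.close()
    return sha256_of(path)


def restore_drill(path, expected_digest, expected_rows):
    """Restore into a throwaway DB and prove the copy is actually usable."""
    if sha256_of(path) != expected_digest:
        return False                       # corrupted or altered: do not trust it
    src = sqlite3.connect(path)
    scratch = sqlite3.connect(":memory:")  # the 'test system'
    src.backup(scratch)
    src.close()
    intact = scratch.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    rows = scratch.execute("SELECT COUNT(*) FROM customers").fetchone()[0]
    scratch.close()
    return intact and rows == expected_rows


def run_drill():
    """Back up a constructed customer table, drill a good copy, then a truncated one."""
    live = sqlite3.connect(":memory:")
    live.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    live.executemany("INSERT INTO customers (email) VALUES (?)",
                     [("a@example.com",), ("b@example.com",)])
    live.commit()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "shop.bak")
        digest = make_backup(live, path)
        good = restore_drill(path, digest, expected_rows=2)
        with open(path, "r+b") as f:
            f.truncate(512)                # simulate a damaged backup file
        bad = restore_drill(path, digest, expected_rows=2)
    return good, bad


if __name__ == "__main__":
    print(run_drill())  # (True, False)
```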
Know Your Limits
It may not be wise to try and do all of these things yourself. In fact, it’s often advised that ecommerce businesses use trusted and verified third party services to enhance their security. Find someone who knows about these things, and pay them to do it for you. Not only that, but make sure that they’re doing it, and that they keep doing it! Where possible, monitor and keep track of their practices.
How to Manage a Security Breach
There are many different ways to handle an incident, but unfortunately not all of these methods are effective in all cases. Many also overlook some of the less obvious ‘side effects’ of a security leak, such as the long term and widespread damage that can be done to your reputation.
The Investigative Stage
First things first: don’t panic. Your first step is to investigate, and find out what — if anything — has been accessed. You can do this by going through logs, checking audits, looking for servers which have had unusually high activity, and searching for connections that have generated an unusually large amount of traffic, which may point to a hacker attempting to siphon confidential information out of a database.
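One way to run the “connections with unusually large traffic” check from the paragraph above over web-server logs, as an added example that is not part of the original article: total the response bytes per client address and flag any client far above the median. The log lines are constructed (combined log format, reserved example addresses) and the outlier factor is an assumption.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed access log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:12:00:01 +0000] "GET /product/42 HTTP/1.1" 200 5120
203.0.113.5 - - [10/Mar/2016:12:00:07 +0000] "GET /cart HTTP/1.1" 200 3072
198.51.100.9 - - [10/Mar/2016:12:00:09 +0000] "GET /product/17 HTTP/1.1" 200 4800
198.51.100.23 - - [10/Mar/2016:12:01:10 +0000] "GET /admin/export?table=customers HTTP/1.1" 200 5242880
198.51.100.23 - - [10/Mar/2016:12:01:41 +0000] "GET /admin/export?table=orders HTTP/1.1" 200 7340032
192.0.2.77 - - [10/Mar/2016:12:02:00 +0000] "POST /login HTTP/1.1" 302 512
"""

# client, ident, user, [timestamp], "request", status, bytes ('-' when unknown)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) (\d+|-)$')


def bytes_per_client(log_text):
    """Sum response bytes per client address; skip lines that do not parse."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _status, size = m.groups()
        totals[ip] += 0 if size == "-" else int(size)
    return dict(totals)


def flag_heavy_clients(log_text, factor=10):
    """Return clients whose total bytes exceed `factor` times the median client.

    A crude outlier rule (assumed factor) for spotting bulk data pulls that
    deserve a closer look; with fewer than three clients there is no baseline."""
    totals = bytes_per_client(log_text)
    if len(totals) < 3:
        return []
    baseline = median(totals.values())
    return sorted(ip for ip, total in totals.items() if total > factor * baseline)


if __name__ == "__main__":
    for ip, total in sorted(bytes_per_client(SAMPLE_LOG).items()):
        print(f"{ip:16} {total:>10} bytes")
    print("review:", flag_heavy_clients(SAMPLE_LOG))  # ['198.51.100.23']
```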
Believe it or not, it can actually be quite easy to miss a security leak. Once you’re confident your site has been compromised, pull the network. This isn’t ideal, but it’s the only way to be absolutely sure that you’re preventing more data coming out, and stopping more hackers coming in.
It’s generally advised that businesses that have been compromised remain offline until they can be sure they’re secure. Once an entry route has been identified, secure and test this route until you’re happy that it’s solid. It may be worth asking an external security company to perform a penetration test and to remain offline until they’ve given you the go ahead.
Cleaning Up the Mess
During the early stages of the investigation, it’s important to inform all users that there has been a breach and ask them to reset their passwords. As you continue with investigations, you may uncover specific accounts that have been accessed. In this case, discuss the situation with your legal team who will be able to assist you with the proper notification of the security leak to these specific users.
Unfortunately, a security leak doesn’t just equate to business disruption and a financial loss; it can also wreak havoc on your reputation. A security leak can cause customers to lose trust in the brand, so what should you do?
It’s important to communicate clearly and quickly. Don’t try to brush this under the rug; own up to it, and do so in a timely manner. Assure your customers that you’re doing everything you can to rectify the situation by increasing security and reassessing internal processes to prevent repeat attacks.
During the day to day operation of any website, automated scanning and probing for weaknesses will be happening. This is completely normal, and is a part of the standard ‘background radiation’ of the internet. Try not to worry about this; it happens, and there’s nothing we can do about it.
While it’s not ideal, it doesn’t mean that anything has happened, or that you’re at increased risk. It’s nothing more than opportunistic hackers searching for sites that have not taken any sort of precaution to protect their data. So fight back by implementing the security measures mentioned above, and protect your business.
Alex Reichmann is a counterfeit detection expert and CEO of iTestCash.com.