For any retail business, an ecommerce website needs to be a primary part of the strategy, rather than something that's treated as an afterthought. Nearly two billion people around the world will buy online in 2019, and by 2021, digital sales are expected to account for 17.5% of all retail sales.
But while this will undoubtedly be good news for those businesses that have devoted resources to their ecommerce platforms, it will also attract more unwanted attention. Cyber crime targeting ecommerce retailers has seen a huge surge in recent years, with more than 150 million attacks taking place in the first quarter of 2018 alone - an 88% rise from the previous year.
It's easy to see why, as the huge number of people now handing over personal and financial details online makes online retailers a tempting and lucrative target for hackers. But if you fall victim to an attack that exposes your customers' details, the costs could be huge.
What are the top security threats facing ecommerce stores?
Some of the issues that ecommerce sites face have been the same for years, although as security has evolved, so have the threats. An example is credit card fraud. Over 40% of consumers fell victim to this in 2020, despite decades of effort to tackle it.
Phishing is another common issue that isn’t new, but has accelerated in the last few months. The COVID-19 pandemic saw a 350% rise in phishing attacks in just the first few months of the crisis as cybercriminals used official, coronavirus-related messages to trick their victims. IT consultancy CGI actually saw a 30,000% increase in phishing scams, showing the extent of the issue.
Everything from distributed denial of service (DDoS) attacks to malware are ongoing issues for online retailers, but new threats have also emerged. One example is e-skimming, which involves substituting a piece of code in a website - typically an ecommerce site’s shopping cart - in order to steal data, often payment details.
Similarly, man-in-the-middle (MITM) attacks involve a hacker routing internet traffic through their machine. By doing this, they can gain visibility over everything a customer inputs into your site, including payment details. These are all issues ecommerce businesses need to be aware of, as the fact they involve payments means they are common targets.
That's why you need to take steps to ensure your ecommerce website is as secure as possible from these threats, and we've put together a few key tips every marketer should be aware of.
eCommerce security tips to protect your site
While it's impossible to guarantee 100% protection, as hackers are constantly coming up with innovative new ways to get around even the toughest defenses, by following the tips below, you'll make their job much harder and hopefully convince them to move on to less well-defended targets.
1. Ensure you're using HTTPS
Moving your domain to the secure HTTPS protocol is an essential first step for any ecommerce store, or indeed any company that wants to make security a priority. This ensures any data users enter is encrypted and your site is certified as secure with an independently-issued SSL certificate.
There are more practical reasons for ensuring you use HTTPS as well. Search engines like Google value HTTPS highly and will downgrade results from websites that don't have it, while the most modern browsers will actively alert users if sites aren't equipped with the protocol, and there's nothing more likely to turn away potential customers than a warning that the information they enter isn't secure.
2. Choose the right platform and hosting
You could build an ecommerce portal from scratch, but it's easier, faster and more secure to opt for an existing solution with proven security credentials. The likes of Magento, Shopify and WooCommerce provide tough security protections that offer secure payment gateways and provide frequent security patches.
Similarly, the hosting service you choose will also affect your security. You should be looking for a provider that offers comprehensive backups, so you can recover in the event of a breach, as well as strong uptime guarantees to prevent DDoS attacks. Managed cloud-based services should be able to handle much of the day-to-day maintenance for you.
3. Don't store sensitive customer data
Businesses that have valuable customer data such as credit card details will be especially tempting targets. While such data should be fully encrypted if stored, it's better practice not to keep it at all; if you do suffer a breach, you'll quickly lose customer trust.
The need for storage can be removed by using tokenization. This allows sensitive details to be placed by randomly-generated, unique data strings that can be used throughout the process. As well as ensuring you don't store data, it reduces your exposure to fraud and can cut costs.
4. Be aware of third party add-ons
In 2018, British Airways suffered a data breach that saw the financial details of up to 380,000 customers stolen. Worryingly, this data included credit card CVV numbers, which should not normally be stored at all, indicating that the data was harvested as it was actually being entered into the website.
The cause of the breach was eventually traced to compromised code contained within third-party scripts used on the site. This should highlight how, even if you take steps to secure your own servers, you can still be left vulnerable if third-party systems don't keep the same standards. Therefore, its vital any such tools are monitored and alerts are sent if any changes are detected.
5. Ensure you're PCI DSS compliant
The Payment Card Industry Data Security Standard, or PCI DSS, is a set of rules that help ensure any card processing activities your business makes are secure and not exposed to fraud. It consists of 12 requirements across six broad categories that will guide you through the entire process, from building a secure network to best practices for monitoring and testing.
Compliance with PCI DSS standards will cover all the steps above, and is vital for any good ecommerce site. But as well as ensuring you're following best practices, there are financial and regulatory consequences for not being compliant. If you do fall victim to fraud or a data breach, you'll be liable for any losses and can face fines of up to $100,000 a month from credit card issuers.
6. Use complex passwords and two-factor authentication
Brute force attacks, where a malicious actor uses software to try as many combinations of characters as possible in an attempt to guess a password, are increasingly common. Around 23% of organizations have dealt with this kind of cybercrime in the last year, and the more simple your password, the more likely the attacks are to succeed.
An eight-character password using only lower-case letters can be cracked within five seconds. Adding numbers, upper-case letters and symbols increases that time to eight hours, which still puts your business at risk. However, a 12-character password using all the above variables would take 34,000 years to crack.
Two-factor authentication will also help with this. This involves adding another layer of security when getting into an account, particularly when an unknown machine tries to access it. For example, you could get a code sent to you via text message that has to be input in addition to your password. This means simply knowing the password will no longer be enough for a hacker to access your account.
7. Leverage multi-layer security
Each layer of your site is vulnerable to a different type of cybercrime. MITM hacks affect your network, while DDoS attacks usually hit the application and session layers. The best way to tackle this is to utilize a multi-layered system that protects each part of your site from the most common threats, rather than using a one-size-fits-all solution.
This requires you to have a good understanding of your current security measures, their vulnerabilities and the other options available to you. Putting this type of security in place will drastically reduce your vulnerability to cyberattacks.
8. Secure your payment gateway
Your payment gateway is the most vulnerable part of your site, not because it's poorly protected against cyberattacks, but because it's where the most valuable data - credit card information and sensitive financial details - is exchanged. Securing this is arguably the most important aspect of keeping your site safe.
There are various options to consider when it comes to payment gateway security. As well as using the SSL protocol and abiding by PCI DSS standards, as noted above, it's wise to consider options such as encryption and tokenization, which helps to ensure that sensitive data can only be accessed by the intended recipient.
9. Educate your staff
Phishing has been a constant threat, especially throughout the pandemic. Cybercriminals might assume that when employees work from home they're more distracted and therefore more likely to click on a malicious email, which could be why said clicks have increased by around 300% since the arrival of COVID-19.
Education is the best way to prevent this. Phishing emails can often bypass your site security because they're so similar to the standard messages your staff receive. Your employees must be aware of what a dangerous message looks like so they can recognize and avoid them.