Not a day goes by that the media isn’t reporting on some form of cyber attack or a case of online fraud. In Europe alone, data from a new ThreatMetrix report indicates that digital transactions were hit by 30% more cyber attacks in the first three months of 2018 than in the first quarter of the previous year. And that a whopping 60 million eCommerce transactions were rejected as fraudulent in the first quarter of 2018—a 47% increase over the same period in the previous year. With the volume and magnitude of cyber attacks growing by the day, it’s essential that you treat the security of your online store as a top priority. Because failing to address this opens your business up to a whole host of threats including data breaches, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data and—ultimately—irreversible reputational harm. However, by addressing some essential areas, you can be safe in the knowledge that you have done everything within your power to keep your online store safe and secure. In this article, we’ll look at some examples of best practice and key areas to focus on in your security strategy.
Identification
At the heart of your website’s security are identification and authentication. You need to be sure that the person that someone is claiming to be is, in fact, that person. And what makes this even more crucial in the cyber world is that you cannot see that person—you cannot put their ID card up to their face as you could do in a physical setting. You therefore need a way to identify someone, and you need to define who has access to what. So firstly, you need rules around strong passwords a. It sounds simple, but year-in, year-out, the old favourites continue to rear their heads as the most popular passwords—‘password’, ‘123456’, ‘qwerty’. It might just take one weak password for an opening to occur in your systems. It’s crucial, therefore, that you have strong password requirements in place both for your site’s external visitors and within your businesses itself. And on top of this, you may also consider implementing 2-factor authentication, e.g a password and a phone number. Yes, these represent extra steps for your customers and employees, but in the long-run, they’re going to thank you.
Web Application Firewalls (WAF)
Hackers can attempt to probe your web applications via a whole host of methods. Common examples include SQL injection attacks, which can be used to extract information from your databases, or through cross-site scripting (XSS) attacks, which can be used to take over accounts, change your website’s content or direct visitors to malicious websites. Whatever the method, the results can be disastrous both for your customers and your business. WAFs prevent these types of attacks from occurring by protecting against any sensitive data exposure from your systems. Keeping your customers’ data private and secure is a clear priority for any business—and by monitoring and protecting all incoming and outgoing traffic to your website—a WAF allows you to do just that.
Platform hardening
When it comes to security, you simply cannot leave anything to chance. After all, even the smallest chink in your system’s armour could lead to potentially disastrous consequences. For this reason, it’s crucial that you adopt an ongoing initiative of platform hardening—which is essentially reducing your surface attack in order to be less vulnerable. Within your site, you may have some software or processors that are no longer used and have been dormant for as long as you remember. But from a security standpoint, if one of these becomes weak, then you will need to divert resources to fix this problem. This represents a waste of resources and a waste of vital time. So, remove everything that is useless—otherwise, it’s just posing an unnecessary risk to your business. You may have duplicates for example, that are just taking up extra space but are not actively being used—discard these. And in going forward, regularly evaluate the software you have and think about if it’s really necessary, and check to ensure that everything is up to date.
In conjunction with your platform hardening exercise are your security hardening guidelines. These guidelines are created and used within your business to inform and guide best practice. Some more common applications already have hardening guides in place which your employees can use—see this guide from the Center for Internet Security. But more generally within your business, you can look to introduce some more high-level guidelines around such things as removing default configurations, session timeouts, batching and more. This ensures that everyone within your organisation is up-to-date and that you have a uniform approach to the security of your website.
Encryption
With inconceivable amounts of data being flung through the air at any one second, the need for encryption in today’s world is at an all-time high. You want to be sure that the data you are sending is a) going to the right person and b) not being seen by unauthorised eyes. A key model in security to assess the information security of an organisation is the CIA (confidentiality, integrity and availability) triad. Encryption falls squarely under the heading of confidentiality, which takes on an even greater weight this year with the advent of the GDPR. It is thus more vital than ever that data of any kind (however trivial you think it may be) is encrypted to retain its confidentiality.
You can learn more about securing your site for the GDPR, as well as access our GDPR Fines Guide here!
Risk assessment
With security threats expanding in shape and size all the time, businesses need to implement some form of periodic risk assessment. A formal and regular security assessment will allow you to gauge where you are at risk and where you are not. And within your potential risks, you can then look at what the actual tangible consequences of each risk might be allowing you to focus on what is critical. Carrying out these assessments will not only provide you with the big picture of your current security situation but they’ll also serve to increase awareness of security issues within your company, ensure that you are on top of the latest threats and demonstrate to your customers that security is important to you!
The last word
Security is everything. Without it, you’ll lose all trustworthiness (read: customers) and your reputation will quickly disappear into the abyss. Encrypting all data transmissions, setting password requirements, protecting systems from attacks and constantly reviewing your security setup as part of your audits are just a few of the ways that you can help to protect the security of your business and your customers.
Fortunately, at Vaimo we take the load off you, working behind the scenes to ensure that your security is up-to-date and effective. We have worked with both B2C and B2B clients across various industries to drive forward their digital commerce success. And as part of our services, our dedicated hosting and security teams work to ensure that your security is safeguarded. In addition, we are always developing new cutting-edge modules and applications to deal with security so that our clients can focus on growing and succeeding in the eCommerce sphere.
If you’d like to learn how we can help to drive your digital commerce success to the next level, then get in touch with our team of experts today!
