eCommerce and cyber security
- Types of eCommerce security threat
- eCommerce security best practice
Is your webstore as secure as you think? Get the lowdown on eCommerce cyber security.
One of the most important things for every eCommerce business to get right is data and digital infrastructure security. That means protecting your webstore and your customers from cyber-attacks and security breaches. Consumers must be confident that their personal and payment data will be secure in order to trust your brand and business.
The consequences of not maintaining eCommerce website security with a webstore that’s hosted in a secure data centre can be far reaching, both financially and in terms of damaged reputation.
There are a variety of actions to consider about how security issues in eCommerce can be overcome. Understanding what types of threat you should be guarding against, and ensuring the implementation of eCommerce security best practice, will enable your business to successfully defend against cyber-attack.
More than £2.7 billion was lost to cyber-crime globally in 2019
Types of eCommerce security threat
Having an active and robust security strategy in place will significantly mitigate the risk of a security breach, and a core part of that strategy is understanding the different types of eCommerce security threats.
Malicious code can access session cookies, enabling an attacker to impersonate your customers, gaining access to their personal data, their location, webcam, microphone, and even specific files from their computer or device. XSS attacks can also be used to damage a webstore’s pages, causing reputational damage and even webstore downtime.
The way we mitigate XSS threats is by validating all input. Put simply this means taking webstore page data and ensuring that it’s secure before it reaches the consumer by blocking certain code elements, or not trusting any data that originates from outside the system.
SQL injection (SQLi) targets your webstore database, enabling hackers to interfere with database queries, modify data and delete records. An SQLi database breach makes all data held vulnerable, from personal customer data such as credit card details or passwords, to sensitive business data such as trading terms or intellectual property.
In some cases, an attacker creates a backdoor into a company’s system, leading to a long-term compromise that can go unnoticed.
Over the years many high-profile eCommerce security breaches have been SQLi attacks, leading to reputational damage and regulatory fines.
Using a web application firewall (WAF) to filter data will help combat the threat of a SQLi attack—a WAF inspects all traffic to and from your webstore, identifying and actively preventing cyber-attacks.
SQLi accounted for 65% of cyber-attacks between November 2017 to March 2019
Distributed denial of service
Distributed denial of service (DDoS) attacks are created to take down webstores by overwhelming their servers with requests from thousands of infected IP addresses. This spike in requests overloads the server(s), crashing the site. And every minute that a webstore is down is lost revenue, not to mention the cost of fixing the problem, both financially and damage to reputation.
Tactics for preventing the likelihood of a DDoS, including volumetric attacks, application-layer attacks and protocol attacks, is to develop a DDoS response plan, ensuring that there’s protocol in place to manage a breach.
But perhaps more importantly, the best way to avoid falling foul of this type of attack is to cloud-host your webstore using a multiple server approach, such as Amazon Web Services (AWS).
Cloud hosting services such as AWS have more bandwidth and resources than a private network is likely to have, so they can absorb harmful or malicious traffic before it reaches its intended destination. And cloud-based services are operated by engineers who constantly monitor for DDoS attacks.
Hacker fraudsters use a variety of methods to breach webstore security. Automated bots can quickly find usernames and passwords to gain access to customer accounts and steal their data.
The stolen data is then used by hackers to try and access customer accounts on other webstores to make fraudulent purchases, list fraudulent products and services in online marketplaces or sell the data on the dark web.
The ripple-out effect of this type of fraud emanates from the initial attack, to the customers who had their data stolen, to the breakdown in trust between customer and business, to the loss of revenue when products are purchased fraudulently and the refunds that businesses have to pay-out to affected customers.
Online payment fraud is expected to cost global eCommerce at least £20 billion annually by 2024
Malware is software that's intended to cause harm to a webstore, server or network. This malicious software can take the form of viruses, trojans, worms or other similar forms. Malware can carry out a range of harmful actions from controlling customers' computers to forming bot-nets to performing spam activities.
Malware is often implemented when a customer receives an email that they believe is from your business. In the email is a link that when clicked activates the malware on their computer or device. This malicious activity is known as phishing.
eCommerce Security best practice
Tracking transactions and behaviour
Tracking webstore transactions will help to identify fraud. Regular and often transaction audits can help to reveal suspicious looking data, such as delivery addresses being in a different country to shipping addresses—some IP address tracking can enable eCommerce businesses to block transactions from countries which are deemed high risk.
Predictive analytics and AI machine learning can help detect potentially fraudulent transactions before payment is taken and products are dispatched. AI and machine-learning tools look at thousands of datapoints across millions of transactions to identify patterns that might constitute fraud. What’s more, they can find cases of fraud that no human is likely to spot.
Regular updates and patches
eCommerce security is a cat and mouse game: attackers find vulnerabilities and software engineers patch them—and so it goes on.
Running security updates, implementing patches and bug fixes is crucial to protecting your eCommerce business against cyber threats. These will be issued by your platform provider: Magento, WooCommerce, Shopify etc. and implemented by your development partner.
Regularly reminding your customers to update their passwords not only helps keep their personal data more secure, it communicates to them that your business is security conscious and that you take their data security seriously.
Offering advice on how to create stronger passwords or even, from time to time, forcing password updates will help keep customer data secure. Offering two-factor authentication (2FA) will make life much more difficult for hackers by adding an extra layer of eCommerce website security. Instead of simply inputting a username and password, 2FA requires additional information, such as a fingerprint, an answer to a security question or a code that’s been texted to the customer’s phone.
A secure sockets layer (SSL) connection encrypts data transmission between your customers and your webstore for secure login and checkout. Webstores that use SSL certificates will display a padlock symbol in the URL address bar of browsers.
SSL offers robust protection from hackers because even if your network is compromised and data is stolen, the hacker won’t be able to use the data as it will remain encrypted. SSL encryption not only keeps data safe, it also helps boost SEO ranking and instils a sense of trust in consumers.
PCI DSS compliance
PCI DSS stands for ‘payment card industry data security standard’, and it was introduced to the UK in 2006 to ensure a secure environment for businesses that process card transactions and consumer data.
The consequences for non-compliance eCommerce businesses can be dire. The minimum fine that card schemes could charge is £3000. If your data is compromised the card issuer may require you to certify your compliance using a qualified security assessor, this could cost up to £850 per day and can take up to two weeks to complete.
Train your staff
Perhaps one of the simplest actions that businesses can take to avoid eCommerce security breaches is to ensure that all staff members are security savvy. Training colleagues to recognise potential threats and risks will help to minimise your business’s vulnerability in areas such as:
- Training your staff on how to spot phishing emails and messages
- Investing in anti-malware software and training your staff how to run scans and what to do immediately if malware is found
- Documenting and explaining the protocols around reporting suspicious emails or behaviour
- Ensuring employees are knowledgeable about and ensure compliance with GDPR (Brexit could impact how UK businesses will be required to manage consumer data—find out more).
As the world becomes more connected, with mobile devices, headless commerce and omnichannel shopping, the threat from cyber-attack is an increasing concern for eCommerce businesses. But as threats come along, they are quickly eliminated with security patches and updates. By understanding how security issues in eCommerce can be overcome, and as long as eCommerce security best practice is followed, then your customers’ data is likely to remain safe.
But failure to adequately address cyber threats could result in lost revenue and damage to brand and reputation. For serious security breaches and data loss businesses risk being fined. With this in mind, budgeting properly and implementing a coherent cyber-attack detection and containment strategy is vital for long term eCommerce business success.
Is your eCommerce business as secure as it should be? If you would like to know more about protecting your webstore and digital infrastructure, then get in touch today for a chat with one of our eCommerce experts.
Subscribe to our newsletter for the latest industry news and tips.
Thanks for signing up!
You will receive a monthly digest of must-read insights and key resources to use and share.