It's important to protect your business and customers from the many dangers posed by hackers and fraudsters online. Card-not-present (CNP) fraud isn't the only security risk merchants face online – data breaches are pervasive and even small e-commerce shops are at risk.
In 2018, SMBs made up 43% of all data breach victims, per the Verizon Data Breach Investigations Report (DBIR).
Here are five important but sometimes overlooked steps that you can take now to safeguard your online store and keep your customers' trust.
Invest in a top-of-the-line SSL certificate.
Almost everyone with a website knows they need a secure sockets layer (SSL) certificate to show that their site is trustworthy. What many e-commerce shop owners don't know, especially when they first launch their stores, is that SSL certificates are not all the same.
The free SSL option that comes with many web hosting plans may work well enough for a small site that doesn't have a lot of visitors entering payment information. But for the strongest possible encryption to protect your customers from data theft, and to fully validate your website's trustworthiness, you need an extended validation (EV) SSL. With an EV SSL, your visitors see the green padlock and a green bar with your company name, proving that you have the strongest SSL protection for their data.
Getting an EV SSL requires more steps than getting a free, basic SSL. You'll need to give your certification provider proof of:
- Your business license or registration
- Your DBA
- Your physical address
- Your personal information
- Your signature on the EV SSL agreement
EV SSL fees start at a few hundred dollars a year. This is a worthwhile investment that protects your business and assures your customers that they can shop safely with you.
Get serious about patches and updates.
Timely software updates and patches are a must for every business, especially online stores. One of the top three ways hackers stole customer data from retailers last year, according to the DBIR, was by exploiting vulnerabilities in merchants' web apps. Hackers are happy to exploit other software vulnerabilities, too.
It's tempting to assume that security patch alerts are rare, but they're not. As of this writing, a quick glance at the tech headlines shows security patches deployed this week by Apple, Microsoft, Dell, Atlassian and other major tech providers. Hackers are always probing for weak spots where they can break in, which means that fraud prevention – including code patching – is a constant race to see who can stay a step ahead.
Keep hackers from stealing your customers' payment card numbers and login credentials by keeping all your software up to date. Act on critical update alerts from your providers right away, follow the news on security patches and consider using a patch management service that continuously scans for and schedules patches and updates.
Make malware scans a priority.
With a program for patches and updates in place, your store will be protected against many types of malware. However, cybercriminals are always finding new ways to attack. When they spot a vulnerability that no one else has discovered, they can use it to put malware on your site.
When that happens, you're looking at a zero-day exploit – one for which there's not yet a patch, because the good guys don't know it needs patching. Worse, that zero-day exploit may go undetected for days, months or even longer. During that time, your store can leak data until the vulnerability is found and patched.
There are other malware risks, too. Consider formjacking, a relatively new type of data theft. Formjacking steals data from website forms in a way that's often compared to card skimming at fuel pumps. Formjackers exploit weaknesses in web apps – often third-party tools that stores add to their sites – to insert code that steals customer data as it comes in. Without regular scans of all the code on your site, formjacking can be impossible to detect.
The consequences of formjacking can be severe. In 2018, British Airways was formjacked by cybercriminals who stole payment data from more than 400,000 BA customers as they bought tickets. In addition to damaged customer trust and bad publicity, British Airways now faces a $229 million penalty – dubbed the "biggest data protection fine in history" – from the UK's Information Commissioner's Office.
To reduce your risk of formjacking and to detect zero-day exploits as soon as possible, your site needs anti-malware protection that continuously scans the code for elements that don't belong.
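One way to check a page for script elements that don't belong is to compare every script on it against an approved baseline. The sketch below is an added example, not code from any scanning product; the host names, page markup and baseline values are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collects external script URLs and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_inline = True
                self.inline.append("")

    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def audit_page(html, approved_hosts, approved_inline_hashes, own_host):
    """Return findings for scripts that are not in the approved baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc or own_host  # relative URL: own site
        if host not in approved_hosts:
            findings.append(("unapproved-script-host", src))
    for body in collector.inline:
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest not in approved_inline_hashes:
            findings.append(("changed-inline-script", digest[:12]))
    return findings

# Constructed sample data: a baseline and two versions of a checkout page.
KNOWN_INLINE = "window.cartId = 'demo';"
BASELINE_HOSTS = {"shop.example", "payments.example"}
BASELINE_HASHES = {hashlib.sha256(KNOWN_INLINE.encode()).hexdigest()}
CLEAN_PAGE = ('<form id="pay"></form><script src="/js/cart.js"></script>'
              '<script src="https://payments.example/sdk.js"></script>'
              f"<script>{KNOWN_INLINE}</script>")
CHANGED_PAGE = CLEAN_PAGE + '<script src="https://stats.invalid/t.js"></script>'
```

Running `audit_page` on a schedule against the pages that collect payment data, and alerting on any finding, catches a newly added third-party tag or an edited inline script even when the rest of the page looks unchanged.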
Put password security on your agenda.
We all know we should use unique, secure passwords on all our accounts – especially on our business accounts. We also know that no one should get 500 attempts to log in to your website. Unfortunately, bad password habits are still common, and they can make data breaches easy. If criminals can guess your login credentials, crack them with brute-force bot attacks, or buy them online, you can end up with strangers in your system, rummaging through your company's emails, databases and web apps.
Step up your password game by finding out if you're already compromised. Have I Been Pwned? is a website run by Microsoft regional director Troy Hunt. It has found more than 7.8 billion breached passwords for sale on the dark web. You can use the site to see if your passwords have already been compromised, so you can change them right away. You can also sign up for notifications, so you'll know if your team's passwords are ever stolen.
Next, strengthen your company's passwords and login process. Require everyone with internal access to use a strong password that's not used for any other account. Limit the number of login attempts that employees and vendors can make before they're locked out of the system and have to contact tech support. Though this may be a hassle for forgetful team members, it can prevent brute-force password cracking.
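The lockout policy described above, sketched as an added example (not code from any particular platform): an account locks after a set number of consecutive failed logins and stays locked, even for the correct password, until support unlocks it. The class, user name and stored credential are constructed for illustration.

```python
import hashlib
import hmac

def hash_password(password, salt):
    """Slow, salted hash so stolen records are costly to brute-force."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample credential store: user -> (salt, password hash).
STORE = {"alice": (b"constructed-salt-1",
                   hash_password("correct horse battery", b"constructed-salt-1"))}

def verify(user, password):
    """Check a password against the store using a constant-time compare."""
    record = STORE.get(user)
    if record is None:
        return False
    salt, expected = record
    return hmac.compare_digest(expected, hash_password(password, salt))

class LoginGuard:
    """Counts consecutive failures per account and locks it until unlocked."""
    def __init__(self, max_attempts=5):
        self.max_attempts = max_attempts
        self.failures = {}
        self.locked = set()

    def attempt(self, user, password, check=verify):
        if user in self.locked:
            return "locked"          # refuse before checking the password
        if check(user, password):
            self.failures.pop(user, None)   # success resets the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)
            return "locked"
        return "denied"

    def unlock(self, user):
        """Called by support staff after confirming the user's identity."""
        self.locked.discard(user)
        self.failures.pop(user, None)
```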
Cast a net to stop spear-phishing.
Phishing today is so much more sophisticated than the badly written cons of a few years ago. Now, criminals may attempt to impersonate you or members of your team in emails. For example, they may pose as you and email:
- your employees, requesting urgent wire transfers.
- your payroll team, asking them to route your direct deposit to a new bank account.
- customers or employees, telling them to log in to a site (that then steals their account credentials).
- vendors and partners, requesting sensitive information.
Whether they're after money, privileged information, database access, reward program information or customer payment data, phishers are a serious problem. They know how to make urgent requests seem compelling. They know that people won't send login credentials via email, so they've ramped up their use of phishing sites that look legitimate but capture login data. And their messages can get past secure email gateways that were originally designed to look for links and attachments that contained malware.
If your business is relying on email security tools that don't look for advanced email threats, it's time to shop for better protection, step up your anti-phishing training, and instruct your team not to transfer money or sensitive data without verifying those email requests by phone or face-to-face.
Each of these five steps adds a layer of security to your online store and your e-commerce business. But there's one more layer to add: keeping up with e-commerce security best practices. When you stay up to date on cybersecurity, you protect your customers, your revenue and your brand, and you won't have to worry about overlooking steps that can safeguard your business.