Trust is everything when it comes to business, and there’s no quicker way to lose your customers’ trust than a cybersecurity breach.
The average data breach costs a company more than $4 million according to IBM research, but the reputational damage of putting your customers’ data at risk is even greater. A staggering 81% of customers say they would stop engaging with a brand after a cyber breach. Those are some sobering statistics and show why global spending on information security and risk management technology and services is expected to top $150 billion this year, according to Gartner.
For an eCommerce company, the cyber risks are manifold. Not only are you charged with protecting your customers’ personal information like their names, addresses, credit card details, and more, but as you diversify your technology stack and add more features to your website, you create more vulnerabilities for hackers to exploit.
The reality is cybersecurity has to be a constant priority for all eCommerce businesses today due to the vast amounts of money to be made from a successful hack. While there’s no guarantee of absolute safety (aside from unplugging your server perhaps) there are some practical steps you can take to protect your site from cyberattacks.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles,” wrote Sun Tzu in his seminal treatise on warfare, The Art of War. While the 5th century BC general didn’t know much about cybersecurity, his words still ring true today on the cyber battlefield. If you don’t know what kind of threats you’re dealing with, how can you be expected to keep your eCommerce site cyber-safe? With that in mind, here’s a quick rundown of some of the most common cyber threats.
Malware, meaning malicious software, is a blanket term for any software designed to harm a computer, network, server or its users. Often loosely called viruses, malware these days tends to be hidden inside otherwise legitimate applications to slip past antivirus defenses. Its effects range from stealing your data or your customers’ data to taking control of your computers and systems. One notorious example is the Stuxnet malware, immortalized in the documentary Zero Days: this highly sophisticated piece of malware was used to damage Iran’s nuclear program by destroying nuclear centrifuges remotely, showing the upper end of malware’s destructive capabilities.
It's important to keep your data safe from hackers
A form of malware in its own right, ransomware adds the step of encrypting or blocking your data and holding it to ransom. Typically the attackers deliver a message to their victims demanding payment in exchange for the safe return of the data, though there is no guarantee they will hold up their end of the bargain if you pay. The 2017 WannaCry attack is probably the most famous: ransomware linked to North Korea infected more than 300,000 computers over a four-day period, crippling the IT systems of hundreds of hospitals in the UK for days.
Phishing is perhaps the least sophisticated form of cyberattack, but it has the potential to be the most damaging. In a phishing attack, the hacker will send a fraudulent message (typically via email) to their target in an effort to trick them into revealing sensitive information, typically login credentials. This may sound pretty crude, but if tech giants like Google and Facebook can be scammed out of some $100 million via phishing, you know it’s worth taking seriously.
An SQL injection attack involves an attacker interfering with the communication between an application and its database. If your site builds database queries directly from user input (a search box, a login form, a URL parameter) without validating or parameterizing it, a malicious query fragment sent (or injected) through that input becomes part of the query the database runs, allowing the attacker to view and even manipulate information.
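To make the mechanism concrete, here is an added example (not code from the original article or from SmartOSC) showing a customer lookup written two ways against a constructed in-memory SQLite table: once by pasting the user's input into the SQL text, and once with a parameterized query. The table name, columns and sample rows are all assumptions made for the demonstration.

```python
import sqlite3


def make_store_db() -> sqlite3.Connection:
    """Constructed stand-in for a store's customer table (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Builds the query by string formatting: the input becomes part of the SQL itself.

    A value such as  ' OR '1'='1  changes the WHERE clause instead of being compared
    as a literal, so the query matches every row.
    """
    sql = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list[tuple]:
    """Sends the SQL and the value separately; the driver binds the value as data.

    The same malicious string is now just an email address that matches nothing.
    """
    sql = "SELECT id, email FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare_lookups(email: str) -> tuple[int, int]:
    """Return (rows from the vulnerable query, rows from the safe query) for one input."""
    conn = make_store_db()
    try:
        return len(lookup_vulnerable(conn, email)), len(lookup_parameterized(conn, email))
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input :", compare_lookups("alice@example.com"))
    print("injected     :", compare_lookups("' OR '1'='1"))
```

Run as a script it prints `(1, 1)` for a normal address and `(2, 0)` for the injected string: the vulnerable version returns every customer, the parameterized one returns none. The fix is not escaping quotes by hand but never letting input reach the query as SQL text, which every mainstream database driver and ORM supports.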
Finally, e-skimming has become an increasingly popular cyberattack and is of particular relevance to eCommerce firms. That’s because it involves hackers gaining access to an online store and injecting code into it that allows them to capture the information customers enter when making a payment, giving them access to your customers’ credit card details.
So far, so terrifying right? But there’s no need to despair and start unplugging every wire in your office, as there are some straightforward steps you can take to defend your business from cyberattacks.
This may seem like day one advice, but you’d be surprised by how many people still use “password” as their password. In fact, last year Verizon found that 81% of all data breaches made use of stolen or weak passwords. So as much of a pain as it may be to mandate high standards when it comes to passwords (for both employees and customers), it’s well worth the effort.
For a start, no one in your organization should share passwords with anyone, and you should require all users to choose one containing at least eight characters, upper- and lowercase letters, numbers, and symbols. It’s also worth requiring all passwords to be changed regularly, perhaps every six months or so. You should also ask your employees not to reuse the passwords from their social media accounts for anything related to your eCommerce store.
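As an added illustration (not part of the original article), the policy just described can be enforced at sign-up with a small validator. The rules below are exactly those the text states, plus a lookup against a constructed blocklist of obvious choices such as “password”; the blocklist contents and the rule names are assumptions for the example.

```python
import string

MIN_LENGTH = 8
# Constructed blocklist for the example; a real deployment would check against a
# large list of passwords known from previous breaches.
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "letmein1"}


def password_problems(candidate: str) -> list[str]:
    """Return every policy rule the candidate fails (empty list means it passes)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no number")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    return problems


def is_acceptable(candidate: str) -> bool:
    return not password_problems(candidate)


if __name__ == "__main__":
    for sample in ("password", "Summer2021", "Tr0ub4dor&3"):
        print(f"{sample!r}: {password_problems(sample) or 'OK'}")
```

Reporting every failed rule at once, rather than the first one, lets the sign-up form tell the user exactly what to fix. The blocklist check matters as much as the complexity rules: “Password1!” satisfies all four character classes and is still one of the first guesses an attacker tries.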
A strong password can go a long way to ensuring security
Again, this may seem like creating an extra hoop to jump through for your employees, but two-factor authentication also puts another hurdle in the path of hackers. It creates an extra layer of security beyond just a username and password. This could be as simple as a security question (the name of your first pet, for example) or slightly more sophisticated by using OTP codes sent to a mobile phone or email address, or even a bespoke authentication app.
Many eCommerce platforms have the option to add two-factor authentication for users, including SmartOSC’s platform partners Magento and BigCommerce. Magento works with four different authentication options, while BigCommerce uses the mobile app Authy. Both platforms offer various customization options, including how regularly users are asked for two-factor authentication and the ability to turn it off, if you so choose.
Good anti-virus software should deal with the vast, vast majority of cyberattacks before they become an issue, so you need it on all your connected devices. It doesn’t pay to scrimp when it comes to anti-virus software, so think of it like insurance and just keep paying for the best you can afford, all the while hoping you never have to use it.
This is especially important when you’re using an open-source and highly customizable platform like Magento, which is why Magento provides a Malware Scan feature that lets you vet new extensions before you add them to your site.
The importance of regular updates just can’t be overstated. If you’re using outdated software, you’re simply not taking advantage of regular security patches that will keep your store safe. As hackers come up with new methods of attacking software and find new vulnerabilities, developers fix (or patch) these vulnerabilities. But if your store isn’t using the latest version of your eCommerce software, you’re putting yourself and your customers at risk.
About a year ago, more than 2,000 stores running Magento 1 were compromised by hackers. The attackers were able to inject malicious code into the stores partly because they hadn’t been updated to Magento 2, and support for Magento 1 was ended in mid-2020. The lesson here is to stay updated, as if those stores had been running the latest version of Magento, they would have been much safer.
I’ve saved the best, in my humble opinion, for last. What was the first thing you learned to do at school when typing out an essay? Save your work as you go! If you are unfortunate enough to suffer a data breach and lose access to the information you need to keep your business running, having a backup will save you a lot of headaches. It will allow you to pick up where you left off, and bounce back from the setback as quickly as possible.
Cybersecurity is always top-of-mind for software developers and agencies like SmartOSC, because how can your customers buy and how can you sell in peace without being safe?