Modern Retail

10 steps to ecommerce security

When growing an online store and working to maintain trust with your customers, it is critical that security is a constant focus. In the current digital market, many ecommerce brands are built on reputation and the online merchant’s ability to protect their customers from online threats. Much in the same way physical stores are protected with CCTV, metal shutters and theft alarms, an online store must employ similar levels of security to identify threats and keep valuable data secured.

Below is a list of 10 essential security measures. These precautions should be taken to provide a secure shopping environment for users, safeguard you brand’s reputation and comply with security regulations, thereby negating hefty fines:

1. Use a reputable security provider – According to a study by Gartner, the forecasted spending on Internet security in 2019 was $124 Billion worldwide. By 2022, this figure is forecasted to reach $133.7 Billion. These statistics illustrate the sheer value that is associated with enlisting high quality web security providers and the dependence on reliable security. When deciding on the security for your particular store, it is important to familiarise yourself with what products are on offer and what you require to meet your requirements. For ecommerce sites specifically, meeting PCI DSS compliance is crucial, so building your security specifications around that is a good foundation.

2. Research common threats – A big step in protecting your website from threats is to familiarise yourself with some of the most regular hacking methods used. This way you gain an understanding of how you can be at risk and what steps you need to take to ensure you remain protected. Owasp (Open Web Application Security Project) have compiled a list of the 10 most common methods of hacking used. Knowing what you are up against and taking the necessary precautions to proactively defend against common threats can significantly reduce the success of any attempted hacks.

3. Use a CDN – A CDN (content distribution network) uses a network of edge server located around the world to rapidly deliver content to global users. Users can then connect to the server nearest to them geographically, lower data transfer time and reducing the overall strain on any particular server. Delivering content over a CDN offers many advantages such as increased page load speed, maximised website up-time and reduced latency. In addition to these performance perks, a CDN offers a number of benefits to security. By spreading web traffic evenly over a network of servers, you can easily prevent any single server from being targeted by an attack. This can mitigate volumetric DDoS attacks while allowing your business to continue day to day operations.

4. Implement a WAF – A WAF (web application firewall) is an essential asset to protect any online application. By acting like a shield between a web application and all users, a WAF filters every single request sent via web traffic. In an eye-opening study carried out by the University of Maryland, an attempted hack happens 2,244 times per day on average – roughly once every 39 seconds. This statistic shows the overwhelming frequency of daily attacks, and stresses the need for constant application security. By filtering every request sent to a web-server, a WAF can instantly recognise suspicious behaviour and block malicious users, keeping the application un-
compromised and preventing the theft of sensitive data.

5. Full DDoS mitigation – DDoS attacks are one of the most common forms of attacks directed at online businesses, and can potentially be one of the most damaging. DDoS stands for distributed denial of service, and these attacks are directed at a website with the sole intention of taking it offline. To orchestrate a DDoS attack, hackers use a network of remotely controlled computers (often called bots). It is estimated that roughly 50% of all internet traffic is automated, and hackers use these bots to flood a victim server with an overwhelming amount of traffic.

6. Secure DNS management – DNS management is an essential component of any website operation. DNS stands for Domain Name System and is essentially a directory for domain names that are translated into IP addresses. Organising domains is essential to ensure that mail servers divert email to the correct locations and that name servers point to the correct domains. If a third party maliciously gains access to your DNS management they can direct private emails to a different location and alter the entire navigational structure of your site. To keep DNS management fully secure, HTTPShield use 2-factor authentication when logging in to the DNS dashboard. This requires a password in addition to an email confirmation, providing access to those with authorisation.

7. Bolster security at times of high traffic – With the current Covid-19 lockdown, and with people confined to their homes, online traffic has seen a sudden increase in volume. In conjunction to this, the frequency of online attacks have also seen an increase, as larger amounts of data circulate online. To keep an ecommerce site protected at all times, it is important to anticipate when you expect traffic levels to be high. These times can manifest around certain holidays or times of the year, depending on what sort of stock you sell. By proactively boosting security when user numbers are expected to be increased, you can accommodate for the typical rise in attack frequency.

8. Use Captcha – Using Captcha on web forms is a good way to avoid spam users. Captcha distinguishes between a human user and a bot by requiring users to enter a specific series of letters and numbers when signing up to a website. By requiring this additional step for successful sign-up, captcha prevents any automated users signing up, ensuring your customer base remains legitimate.

9. Security Audit – A security Audit is essentially a security MOT for your online store. By systematically probing your network configuration, you can identify any existing weak-spots in your web protection. These potential exploits can then be addressed promptly, before they can be used maliciously by a hacker. Over time, it is likely that performance updates and software reconfigurations may gradually create small vulnerabilities in your existing security. By performing regular audits you can proactively analyse your current defense and resolve any issues, thus guaranteeing the continued safety of your customer’s sensitive data.

10. Train staff on GDPR practices – A staggering number of data leaks or security breaches happen internally and are often caused by basic human negligence. In the past, multiple high profile breaches have stemmed from lost memory sticks, poor password management or even careless email usage. Additionally, numerous cyber attacking methods such as phishing and ransomware links rely on a certain level of social engineering to succeed. By training your current and any new members of you workforce is the basics of Data Protection you can significantly reduce the risks of any of these methods being successful.

Securely maintaining an ecommerce website can be challenging, and without the proper precautions, it is easy to risk inadvertently exposing your website to the growing number of attacks that happen daily. When considering malicious attacks in ecommerce, it is a case of ‘when’ and not ‘if’, and being prepared is the best way of limiting the success of an impending attack. Following these 10 steps will, not only give you an insight into the optimal ways to stay protected, but will ensure that you can mitigate potential damage and prevent data leakage when an attack happens.

Contributor: HTTPShield

HTTPShield offer a full suite of cloud-based security products and services, developed using years of experience working within ecommerce. Their affordable monthly package provides all the necessary security for an ecommerce website, such as a powerful WAF and 24/7 DDoS mitigation. These solutions keep you protected against hundreds of the most common hacking methods, whilst maintaining full PCI compliance – all at an affordable monthly rate. For those still unsure about the world of cyber-security, HTTPShield offer full support and no-obligation advice, to help get you started on the road to fully secure, ecommerce operation.