
Ecommerce and Cybersecurity: What are You Overlooking?


Ecommerce businesses need to take their cybersecurity seriously. Any company that does the majority of its business online must understand that a cyberattack can have devastating consequences, not only in terms of costing you a significant amount of money, but also damaging your reputation. 

In this article, we will take a look at some of the key forms of cybersecurity that all ecommerce businesses need to invest in. But first, it is important to establish the foundations and basics, so we will look at the absolute minimum that an ecommerce business should be doing to protect customer data online. 

The things you should definitely already be doing

If you run an ecommerce business, there is a certain baseline of security that you really need to be meeting. If you are not, you are leaving yourself as open to cybercrime as it is possible to be, and you are probably also breaking the law with regard to data security and the personal data of individuals. 

For example, you should be fully compliant with the Payment Card Industry Data Security Standard (PCI DSS). If you take credit or debit card payments, this is an essential security measure. The standard helps to reduce the risk of credit card fraud by increasing controls around cardholder data.

Additionally, your website should be using SSL. A Secure Sockets Layer certificate authenticates your website and encrypts the connection between it and your customers, so visitors can feel secure when they know they are on a secure connection. 

These should be the foundation of everything that you do online and if you’re not sure if they are currently a part of your system, you need to reevaluate your security measures as soon as possible. However, as has been stated, these are only the basics, and there are actually many other forms of ecommerce cybersecurity practice that you might be overlooking. 

Being GDPR and DPA 2018 compliant

A big deal was made about the introduction of the General Data Protection Regulation (GDPR) in 2016, and many businesses, including ecommerce companies, were forced to change the way that they work. While press coverage around the issue has certainly reduced, compliance with the GDPR is still essential for any business that has customers in Europe.

Additionally, the Data Protection Act (DPA) 2018 brought the same rules into effect in Britain. This meant that, in the light of Brexit, British customers would still have the same legal protections as all Europeans. 

“In accordance with the GDPR, the DPA applies to all organizations that process any form of personal data,” explains George Glass, Head of Threat Intelligence at cybersecurity specialists Redscan. “It also affects organizations that process sensitive data related to law enforcement and national security.” 

Proper cybersecurity practice is a requirement of the GDPR, and businesses that are found to be in breach can face a maximum fine of €20 million or 4% of annual global turnover (whichever is greater). 

MFA for staff and customers

One of the most often overlooked, but most effective, security features is multi-factor authentication (MFA). MFA changes how users log in to a system. Rather than relying on a single factor to authenticate a user (such as a password), MFA requires several forms of authentication in combination (such as a password, biometric data, a code sent to a mobile device, etc.) to keep the system secure. 

It should be noted that this way of logging in should be required of both staff and customers. For staff, using MFA to get into the internal system makes it far more challenging for hackers and cybercriminals to steal their credentials and gain access to the whole system. Knowing the general steps to take to ward off hackers is highly recommended and, for customers specifically, MFA is necessary to help them protect their accounts from attack. 
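As an added example that is not part of the original article, the server-side handling of the "code sent to a mobile device" factor mentioned above: the code is generated from a CSPRNG, only a salted hash is stored, and verification enforces an expiry, a single use, a guess limit and a constant-time comparison. It assumes the password check and the actual SMS or app delivery happen elsewhere.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code expires five minutes after it is issued
MAX_ATTEMPTS = 5         # the challenge is locked after five wrong guesses


class OtpChallenge:
    """One pending second-factor challenge for a single login attempt.

    The clear-text code is returned once so it can be delivered to the
    customer's phone (delivery is out of scope here); only a salted hash
    is kept server-side, so a leaked database does not leak live codes.
    """

    def __init__(self, now=None):
        now = time.time() if now is None else now
        self.salt = secrets.token_bytes(16)
        self.expires_at = now + CODE_TTL_SECONDS
        self.attempts = 0
        self.used = False
        self._digest = None

    def _hash(self, code):
        return hashlib.sha256(self.salt + code.encode()).digest()

    def issue(self):
        # Six decimal digits drawn from the OS CSPRNG, zero-padded.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._digest = self._hash(code)
        return code

    def verify(self, submitted, now=None):
        """Return True only for the correct, unexpired, unused code."""
        now = time.time() if now is None else now
        if self.used or self._digest is None:
            return False            # nothing issued, or already consumed
        if now > self.expires_at:
            return False            # expired: the caller must re-issue
        if self.attempts >= MAX_ATTEMPTS:
            return False            # locked: too many wrong guesses
        self.attempts += 1
        # compare_digest avoids leaking which digits matched via timing.
        if hmac.compare_digest(self._hash(submitted.strip()), self._digest):
            self.used = True        # a code is good for exactly one login
            return True
        return False
```

Locking or expiring a challenge should send the user back through the first factor rather than silently issuing a fresh code, otherwise the guess limit is meaningless.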

Shadow IT

Could it be the case that your ecommerce business is suffering as a result of shadow IT? This concept is not particularly well known, but it can be a major challenge for ecommerce companies especially. Shadow IT refers to any kind of application or software that workers use without the knowledge of the IT team. 

Software that is approved by the IT team has been assessed to ensure that it is up to date and that there are no known flaws in the software. The problem with shadow IT is that non-approved apps can contain viruses or backdoors that allow hackers easy access to a computer system. So, staff can be making use of a piece of software to make their working day easier, but have unwittingly made the company vulnerable to cybercrime. 

Many ecommerce businesses are simply too small to be able to afford a professional in-house cybersecurity team. This is only compounded by the cybersecurity skills shortage, which is making it harder and more expensive to find experienced cybersecurity staff. As such, one of the most effective options could be to outsource security to a team of professionals.

Scurri