eCommerce has always been attractive for cyber-criminals, but now it is even more so. The pandemic has driven the demand for online shopping to the all time high, making it even more lucrative for attackers. Research shows that cyber-attacks have increased by 37% due to the COVID pandemic.
It can be a great time to become an online entrepreneur, but only if you take eCommerce security seriously. As hackers become savvier, business owners can no longer afford sloppy security, there is too much at stake.
So if you want to know how to bulletproof your website, read on to find the most essential eCommerce security tips.
What are the most popular security threats in eCommerce?
Regardless of the type of the attack, most of them are aimed at one of the following:
- Stealing sensitive data
- Using your website for attacking other websites
- Using your website for black-hat SEO
You may have heard of DDoS attacks, Trojan Horses, Phishing, Code Injections. These are some of the many ways to achieve the above described aims. As for the eCommerce, according to Imperva the most popular web attacks are:
1. RCE/RFI
Both Remote Code Execution and Remote File Insertion are types of attacks when a hacker gets access to a website and initiates unauthorized actions. Eventually, the website can be taken over by predators. In the case of RCE, cybercriminals mess with the website’s code, while with RFI, they insert malware.
To carry out these attacks hackers search for website vulnerabilities and exploit them. As a result, sensitive data can be stolen and website content and functionality can be tempered with or completely hijacked.
2. Data Leakage
Data leakage is the theft of data from a company. It can be a one-time attack or it can be a slow recurring leakage of important data. The stolen data can be abused for credit card fraud, identity theft, blackmailing, etc.
3. Cross-Site Scripting (XSS)
XSS attack happens when hackers insert malicious code into the client-side of a web app. Its main difference from other script injection attacks is in that it targets the web app users and not the web app itself. Hackers exploit the web app vulnerabilities, servers, and plug-ins to gain access to user information.
Biggest eCommerce Security Issues
So why is cybercrime flourishing in eCommerce? Most of the time websites get attacked due to simple negligence. People are not following basic security practices and falling easy prey to hackers.
1. System vulnerabilities
Vulnerable software and its components is the number one cause of cyberattacks. These vulnerabilities become the backdoors through which attackers get access to websites and apps.
As their main motivation is to get the most money with the least amount of time and effort, they like to aim for mass hacking or target huge online platforms. In the case of ‘mass hacking’, criminals go after thousands of websites that run on the most popular eCommerce platforms. They scan these platforms for vulnerabilities and exploit them ‘in bulk’.
In many cases, this situation can be avoided if you choose safe software and update it regularly (more about that below).
2. Weak Passwords
Hackers gladly take advantage of the password fatigue and the general laziness that is so pervasive among users. 70% of the most popular passwords can be cracked in under a second! These are passwords like ‘123456’, ‘password’, ‘qwerty’, and so on.
Therefore, it pays to introduce password best practices among both employees and clients.
3. Not following security best practices
This is an umbrella point that covers many basic security principles, which are relatively simple but are nonetheless crucial for eCommerce security. Skipping these points is sort of like knowing that mouth hygiene is important, but still not brushing and flossing your teeth.
Such security best practices include regular software updates, SSL certificates, firewalls, and many others, some of which are covered in the next sections.
How to protect your eCommerce website from cyberattacks?
Below you will find the list of the most essential eCommerce security steps that will help to protect your business. This list is not exhaustive but rather a good starting point. Every day cybercrime becomes more and more sophisticated, so your eCommerce security strategy should evolve too.
1. Choose secure eCommerce software
Any vulnerability in any type of software used for eCommerce can become an invitation for an attack. Hackers can find a way to attack you through your eCommerce platform (CMS), plugins, theme, and API integrations with third-party websites or apps.
That is why whatever software you choose for your project, make sure it is secure. First and foremost, start with a safe CMS. Stay away from popular open-source platforms like WordPress and Magento, as they are always at the top of the charts of the most hacked software.
Go for a proprietary eCommerce software or, even better, develop your CMS from scratch following all the coding best practices.
Custom eCommerce websites that are built from scratch will nearly always be more secure than canned ones for a number of reasons.
Firstly, the code will be unique, so the attacker will have to work hard to find vulnerabilities that can be used only against you, while in the case of popular CMS solutions, thousands or millions of websites can be compromised at once.
Secondly, only you and your team will have access to the code, while with open-source solutions anyone can get access to the system and study it. So the attacker will have to work really hard to attack you, which is not worth it unless you are a multi-million company.
The same goes for any other type of software that you decide to use on top of your CMS. You need to be sure it is safe before you install it. Check reviews, ask for guarantees from the vendor, or even conduct due diligence.
2. Update regularly
This tip is mainly for canned solutions as they need to be updated, otherwise, they automatically lose their integrity. Attackers constantly scan nearly all off-the-shelf solutions for vulnerabilities to exploit many websites at once.
That is why vendors have to also stay on top of things by regularly auditing and patching their software. So unless you update your system as often as your vendor recommends, your website can be easily compromised.
3. Use HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is a relatively new standard of security for all websites. This protocol protects client-server communication against unauthorized access to personal information, as well as tampering with your website’s content.
If the website doesn’t have HTTPS (just HTTP) most of the browsers will warn a user that the website is an insecure one. That is why Google won’t rank such web pages, as they are below its security standards.
To convert HTTP into HTTPS, you need to obtain an SSL certificate from a trusted party and install it. Then, you need to make sure that all of your URLs have HTTPS.
4. Protect Admin Panel
Your admin panel is the place from which you control the entire platform and get access to all the data, that is why it deserves extra protection. Imagine what will happen if an attacker gets a hang of your finances, user management, content, or client data?
Make sure only authorized people get access to your admin panel by:
- Changing the URL of your admin from an obvious one like www.domain.com/wp-admin to the one that’s harder to crack
- Hide the way to your admin from the HTML code
- Allow access to your admin only from certain IPs
- Use strong passwords and multi-factor authentication
- Install anti-intrusion software.
5. Use Firewall
A firewall will shield your website from unwanted traffic. It is a network security system that controls traffic based on predetermined rules so that only trusted traffic is allowed on your website. When set up properly, firewalls can detect any suspicious activity and intrusion threats.
6. Secure Payment Gateways
Online payment is a very sensitive and risky part of any eCommerce platform. Get it wrong and you risk losing reputation, clients, and money.
This is because payment processing is complicated and a big liability, so only large companies can afford to do it by themselves on-site. The rest uses third-party systems called payment gateways. These systems collect the credit card data and process transactions for a commission or/and a service fee.
Such systems can also be a source of vulnerability, so it is best to use only well-established solutions with an excellent reputation.
7. Perform security scans
You can and should scan your website for viruses and vulnerabilities. Firstly, in many cases, it takes time before people find out their website has already been infected and it is best to find out sooner rather than later.
According to IBM, it takes 280 days on average to discover a breach. Secondly, it pays to discover your system vulnerabilities before attackers do so that you can prevent bad things. There are numerous tools that will help you perform security scans, like Sucuri, for instance.
8. Minimize data
It is important to keep in mind that data is a liability and the fewer liabilities you have, the better. To achieve this you can apply the data minimization principle, which implies that you should be collecting and storing only that data that is absolutely necessary.
Data minimization is part of the General Data Protection Regulation (GDPR) that applies to EU residents. However, even if you are not living in the EU or working with the EU clientele, data minimization is a security best practice.
To minimize data ask yourself these important questions about the data you are collecting:
- Is it adequate? Meaning that this data is sufficient for your business purposes.
- Is it relevant? Or in other words, does this data help fulfill your purpose?
- Is it limited to what is necessary? What can you do without?
How to Apply This to Your Business
eCommerce growth and cybercrime go hand-in-hand. It is a great time to launch an online store, but you need to cover all your security bases first. Choosing the best and the most secure approach to eCommerce development is a good place to start.
Then, if you follow eCommerce security best practices and commit to checking back on them on a regular basis, you are set for success.
