Securing E-Commerce by Investing in Cybersecurity
Every online presence is fair-game for attackers. The recently disclosed breach on top VPN provider NordVPN proved that no one is safe online. E-commerce has always been a favorite target for hackers. They hit online stores not because of the products, but because of all the user data they can steal. Criminals sell stolen user lists online or use it to commit identity theft and fraud. A Business Insider study in 2017 showed that large retailers reported 16 separate security breaches in one year.
Industry behemoths Forever 21, Adidas, and BestBuy, have already felt the effects of cybercrime. If you run an e-commerce business, and you don’t have a robust cybersecurity system in place, it’s time to rethink your strategy. You have a responsibility to protect the personal information your customers entrusted to you.
Top Cyber Threats to E-Commerce Stores
To better understand what to look out for, you need to know what the threats are and how it affects your business.
Threat 1: Phishing Attacks That Distribute Malware
Phishing is a type of attack cybercriminals use to trick users into clicking a malicious link or attachment. When an unsuspecting user clicks any of the two options, it distributes a trojan or malware to gain a foothold in an organization. Once inside, the criminals can download sensitive user information or commit corporate espionage.
A trojan masquerades as a legit program. It acts as a backdoor for an attacker to gain access to a system. Cybercriminals inject files or popular programs with malware. Once malware installs itself, it can replicate and corrupt or steal sensitive data.
Threat 2: Business Email Compromise
Email remains the tool of choice for hackers, constituting 96% of all phishing attacks. Business Email Compromise (BEC) or “CEO Fraud” is another type of phishing attack that targets organizations. According to the FBI, BEC scams are responsible for over $12 billion in company losses for 2018 alone.
How a BEC Attack Works:
- The attackers use social engineering to target a person who either handles the finances or has the power to release funds.
- They then impersonate the owner, CEO, or CFO, demanding that the target wire funds ASAP.
- Instructions will be given not to call or text because of excuses such as on an airplane or in an important meeting. There’s no way for the target to verify anything.
- The fake email will usually have words “urgent” and “ASAP,” and is not digitally signed. The footer may have “Sent from my iPad” or something similar, to cover up any misspellings or wrong grammar.
BEC phishing attacks are more sophisticated than their distributed malware cousins. Cybercriminals take their time when attempting a BEC attack because the financial rewards are massive. They would spend weeks researching and getting to know their targets using social media channels and email.
Knowing the attacks need to be precise, cybercriminals have a variety of tools at their disposal. They use email lookup to get the correct information on the target, CEO, or CFO. They also use domain spoofing and typosquatting.
Threat 3: Stolen Data and Fraud
The top eight industries reported losses of $57.8 billion due to potential fraud in 2017. The culprit of this mess? Hacked user data.
One of the worst things that can happen to any e-commerce business is when user data falls into the wrong hands.
Hackers love to target central servers that different businesses use to store customer data. If you use a third-party solution, make sure the company has best-in-class security and safeguards to keep your data secure. The nightmare isn’t only about customer emails, addresses, and credit card numbers used for fraud, but also the loss of trust.
How to Protect Your E-Commerce Website From Online Threats
Prevention is always better than treatment. Here are a few tips on how to protect your investment from cyberattacks.
- Don’t collect or save user data if it isn’t needed to complete a transaction. Make sure that your website is compliant with PCI DSS, especially if you’re processing payments online. Choose a payment integrator that encrypts and stores credit card information for you. This service ensures that your site keeps no sensitive payment data.
- Only use a trusted and proven e-commerce platform such as Shopify or BigCommerce. These platforms host your store and work behind the scenes to ensure that your transactions and user data remain secure.
- Run regular security tests on your e-commerce website to identify possible vulnerabilities. Conduct weekly security audits on all computers in your network and install the latest security software. Ensure that your operating system has the latest security patch.
- Always use HTTP plus SSL (HTTPS). SSL stands for “Secure Sockets Layer” and is the security standard for establishing an encrypted link between a browser and a web server. By enforcing HTTPS use, all data passed between the browser and web server remains private. Your users’ sensitive personal and financial information is secure during the purchase process.
- Hold monthly staff meetings on how to detect phishing emails and other types of online fraud. Make sure everyone knows the basics of staying protected online. Restrict social media use and other dangerous websites by blocking the URL in the router.
- Always update and patch any extensions and applications running on your website. Hackers love to target vulnerabilities. They often use web crawlers to scour the net for sites with applications that remain unpatched. Keep your backend and website software updated and patched regularly.
- Buying a domain name is not enough to protect your brand. Trademark your company name and logo to prevent copycats from impersonating your website.
- Always use strong passwords and enforce two-factor authentication use in your organization. Change passwords every three to six months.
If all this seems a bit too much for you, consider hiring an IT security professional. You’re going to need an IT department sooner or later, especially as your e-commerce business grows. Getting a permanent hire or a consultant is a long-term investment in your cybersecurity efforts.