Last year will go down as the year of the security breach.
Reports of attacks and breaches made headlines across the world as many companies learned firsthand the damage a high-profile breach can inflict on a brand. Of the several lessons learned, the biggest may be that security needs to be top-of-mind for any online business -- regardless of size.
In fact, small companies stand to lose the most because they typically lack the dedicated security staff and expertise of a business ranked in the top half of the Fortune 500. While breaches at smaller companies may not make the headlines -- if they're detected at all -- the sheer number of small e-commerce sites in operation is just too tempting for hackers to ignore.
A recent study found that not only do the number of bots (automated applications that crawl and scan websites) on the Internet outnumber human visitors, but smaller websites actually receive a disproportionately higher percentage of automated bot visitors -- up to 80 percent of all traffic on sites with fewer than 1,000 visitors a day. Malicious bots probe sites for vulnerabilities, effectively automating web hacking.
The rise of automation has broadened the scope of attacks, making small businesses just as vulnerable as Home Depot or Target. Today, all online businesses are at risk. You don’t have to be a Fortune 500 company to protect your business and customers from malfeasance. The following are simple measures any business owner can take to thwart attacks and prevent breach.
1. Mind the gaps
Vulnerabilities are just that: exploitable weaknesses that allow attackers to penetrate systems. Fortunately, many of these vulnerabilities are well known and easy to patch. Specifically, there are two vulnerabilities all e-commerce business owners should be aware of: SQL and Cross Site Scripting (XXS).
Many sites, based on how their e-commerce application was built, are vulnerable to SQL injection attacks. Criminals probe web applications with SQL queries to try to extract information from the e-commerce database.
Cross Site Scripting attacks can occur when applications take untrusted data from users and send it to web browsers without properly validating or “treating” that data to ensure it isn’t malicious. XSS can be used to take over user accounts, change website content or redirect visitors to malicious websites without their knowledge.
Because attacks on these vulnerabilities are directed at web application, a web application firewall (WAF) very effective in preventing them.
2. Denial of service
Some criminals are taking a brute force approach and flooding websites with traffic to take them offline -- called a distributed denial of service (DDoS) attack. For e-commerce sites, a DDoS attack has a direct impact on revenue. A single DDoS can cost more than $400,000, with some sources reporting costs of up to $40,000 per hour. With attacks ranging from mere hours to several days, no business can afford the risk of a DDoS attack.
Often times these attacks are accompanied by a ransom note demanding funds to stop the DDoS attack; other times the attack is merely a smokescreen, giving hackers time to probe the site for vulnerabilities.
In either case, rather than fall prey to extortionists, e-commerce sites should enlist DDoS protection to detect and mitigate the attack before it impacts their bottom line. DDoS protection is often available from hosting providers, so small businesses can ask their website hoster for options.
3. Two-factor authentication
Stolen or compromised user credentials are a common cause of breaches. eBay reported that cyber attackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay's corporate network. Criminals use social engineering, phishing, malware and other means to guess or capture usernames and passwords. In other cases, attackers target administrators, whom they discover on social networks, using spear phishing attacks to obtain sensitive data.
Stopping this problem is as simple as implementing two-factor authentication. This second factor is usually a code generated via an app or received via text on a phone owned by the user. Two-factor authentication has been around for a while, but just as better smartphone cameras opened up a whole new market of photo editing and sharing applications, so too has the escalation in breaches increased the number of options for two-factor authentication.
Today, there are a number of great two-factor authentication solutions that are both easier to use and very effective at keeping hackers out. Many are free, including Google Authenticator, and are packaged as handy apps on smartphones. With the increasing risk of breach, it’s more important than ever that any application dealing with customer data be protected by two-factor authentication.
4. Scan your site
Web scanners are an important tool for detecting the SQL injection vulnerabilities and XSS mentioned above, as well as a host of other vulnerabilities. Information from these scanners can be used to assess the security posture of an e-commerce website, providing insights for engineers on how to remediate vulnerabilities at the code level or tune a WAF to protect against the specific vulnerabilities.
However, in order to be effective, businesses need to use them regularly. It’s important to subscribe to a service that scans on a periodic basis -- not every three years.
5. Keep your 'friends' close
According to research by the Ponemon institute, third party providers -- hosters, payment processors, call centers, shredders -- have a significant impact on breach likelihood and scope. You wouldn’t trust your money to a bank without rigorous, proven security measures in place. Nor should you trust a software vendor without security practices in place.
When seeking new providers, make sure they're compliant with security best practices like the Payment Card Industry’s Data Security Standard (PCI-DSS) and cloud-security certification SSAE16. Don’t be intimidated to ask cloud software vendors how they’re managing security and what certifications they have. If they have none, you should think twice about working with them.
Don’t overlook this. No matter how good the product, if the software introduces risk to your business, it’s not worth it.
Today the risk of data breach is greater than ever, for large and small businesses alike. But security does not have to be complicated. By using the right tools, partnering with the right vendors and implementing safeguards, online businesses can reduce risk and keep out of the headlines.