How to Secure Your E-Commerce Website: 6 Basic Steps
Grow Your Business, Not Your Inbox
Small to midsize businesses (SMBs) have a wealth of solutions from which to choose when creating a profitable e-commerce website and accepting payments. The key advantages of e-commerce websites include the ability to provide 24/7 access to international buyers and enabling quick and secure online sales. For National Small Business Week (NSBW), we take a look some ways in which you can quickly and effectively secure your e-commerce website as well as protect your customers' data. All it takes is five easy steps.
Before we get started, however, a little background. Online shopping offers a huge earning potential for SMBs because it's easier than ever for them to compete directly with larger organizations by using current e-commerce tools and technologies. According to research firm Statista, roughly 270 million Americans will make an online purchase this year, spending a total of $548 billion.
All of that money doesn't change hands invisibly, however. E-commerce websites are essentially portals for promoting a company's brand and products, and they're also a conduit for getting customer feedback. E-commerce software solutions, such as Editors' Choice picks Shopify and PinnacleCart, offer comprehensive features to get your online ventire running quickly. But they're also ravenous data-gathering engines. Product descriptions, transaction data, customer interactions: it all touches your e-commerce engine and your website. Therefore, protecting that data needs to be a primary consideration.
Large online e-tailers and storefronts enjoy the luxury of having their own in-house IT security providers or consultants. This may not be the case for SMBs or startups bootstrapping their businesses on limited budgets. Making their lack of resources even more painful is the new malware trend towards automation. By automating their threat software, hackers can target large swaths of corporate and e-commerce targets rather than attacking them one at a time. That means the SMB space is now a rich field of opportunity for criminals as it contains massive quantities of valuable data when viewed in aggregate and that data often isn't protected as well as the stores of larger organization. That's why recent studies, like Verizon's 2019 Data Breach Investigations Report have found a marked increase in the number of SMBs experiencing a breach.
Other studies agree. According to the 2018 LexisNexis True Cost of Fraud Report, based on the 200 risk and fraud executives, SMBs reported an average of 249 fraud attempts per month in 2018, which is up 11 percent from 225 one year earlier. Also, 67 attempts were successful while 182 were prevented.
So, maintaining your customers' data safety is key to maintaining not just trust but also a positive perception by website-ranking institutions, partners, product suppliers, and more. Let's look at five steps to take to secure your e-commerce website.
Step 1: Promote good password hygene
While passwords are experiencing competition from technologies such as facial recognition and multifactor authentication (MFA), they're still the standard access keys to most software. We need passwords for every service or website we log onto so, for many users, it just seems easier to use the same password for multiple services. The problem with this approach is that, once the reused usernames and passwords have been taken by hackers, they can be applied to various services, leading to widespread fraud.
"Even if your e-commerce site has perfect security, your weakest link could be your customers," explained Patrick Sullivan, Senior Director of Security Strategy at Akamai Technologies. "As a whole, human beings tend to have pretty poor credential hygiene, so there's a high likelihood they'd reuse those same credentials at other sites, and a fairly high likelihood one of those sites that they've reused those credentials has been breached."
There are various password managers that can take the pain out of having to remember dozens of passwords to different websites and services. While managing multiple passwords is increasingly challenging, there are some great tips on how to recall insanely secure passwords to be found online.
E-commerce website managers should require the use of complex passwords and two-factor authentication (2FA) from users and customers. This can ensure that users don't rehash potentially compromised credentials, and it goes a long way towards making sure that those requesting access are who they say they are. If you really want to manage your organization's authentication technology holistically, then check into identity management systems, which can manage that function across multiple services and software platforms.
If you're sticking with passwords for now, then remember they should require a minimum number of characters (at least six, preferably eight to 10) and use numbers and symbols. It is also advisable to force users change their passwords regularly.
Step 2: Use HTTPS
HyperText Transfer Protocol Secure (HTTPS) is the online protocol for secure communications over the internet and one of the easiest ways to help secure your e-commerce website from fraud. Designated by a closed green lock icon on the browser address bar, HTTPS websites are deemed authentic and secure because they're certified. This means the website really is what it's claiming to be and not a counterfeit website placed online to fool users so that bad guys can grab access credentials, credit card data, and more.
To enable HTTPS, SMBs need to acquire a Secure Socket Layer (SSL) certificate. Receiving an SSL certificate is the first step, this now needs to be implemented carefully in your e-commerce solution. This SSL Certificate Buyer's Guide covers this process in detail. While most e-commerce website hosts will have an SSL certificate for sale, it pays to shop around with third parties as some vendors offer a better price and additional security capabilities.
The advantages of using HTTPS go beyond security and trustworthiness. Google gives secure HTTPS websites a higher search ranking, leading to more visitors. Conversely, Google also labels unencrypted websites as "not secure," which makes them appear sketchy and unsafe. These days, there's few faster ways to get a potential customer to pass your website by.
Many savvy online shoppers will shy away from a website that is deemed insecure or that doesn't have the "HTTPS" designation. According to the 2018 Global Fraud and Identity Report by consumer credit reporting company Experian, 27 percent of online shoppers abandoned a transaction due to lack of visible security.
HTTPS is now enforced on US government websites, which could mean it's just a matter of time before it is a standard requirement for e-commerce websites, too. It is challenging for existing e-commerce websites that aren't HTTPS-certified to add the feature if it wasn't built in originally. SMBs planning their e-commerce websites from scratch have the advantage of designing their solutions with HTTPS security in mind. But even if you face the difficulty of implementing HTTPS after the fact, rememeber that it's far better to start such a migration now, on your terms, than to have it become a de facto standard or even a law and then be forced into it on someone else's timeline.
Step 3: Choose a secure e-commerce platform
E-commerce platforms are usually picked for their storefront-building convenience, range of design, and functionality, but security features need to be top of mind, too. Look for proven e-commerce solutions that provide encrypted payment gateways, SSL certificates, and solid authentication protocols for sellers and buyers.
"The good news is cloud-based security platforms have really made security more accessible to smaller and [midsize] companies. You can get some of the benefits of better automation from these tools," Sullivan said. "You get the benefit of some of the machine learning, and curated rule sets that some of the cloud-based platforms have put in place. Take a look at cloud-based security options, particularly those that have intelligence built into them."
Sullivan suggested thinking of the long-term viability of a e-commerce platform and to consider how often updates and security patches are added to ensure the long-term security of the service. He also said that SMBs should consider scalable e-commerce platforms that can grow and accommodate a business's future needs. "Think about the ongoing life cycle of that software that you introduce into your e-commerce platform," Sullivan added.
Step 4: Don't store sensitive user data
Customer's personal data and privacy are of paramount importance and we're seeing major technology companies such as Apple and Google rally around their focus on keeping users' data private and safe. Consumer privacy is even more critical in e-commerce. Businesses need customer data to improve their communications and product offerings as well as make it easy to return purchases. The danger is that website hacking, phishing, and other cyberattacks target this user data.
The first rule is to only collect data that's useful for the purposes of fulfilling the transaction. Businesses should avoid the tempation of collecting more customer data than is absolutely necessary. This avoids inconveniencing your customers and the possibility of losing that data in a breach or a hack. The most embarassing emails that companies have to write to their customers are the ones explaining that they've lost users' critical personal and financial information.
The above rule applies specifically to customer credit card information. There's no need to store them on online servers, which can be a violation of the Payment Card Industry Data Security Standard (PCI DSS), which serves to enforce consumer data protection in the payment card industry.
Cybercriminals and hackers can't steal what isn't there, so keeping the valuable personal and financial information of your users should be kept secure and off of online servers. If you have to store certain data, then make sure it's protected in a safe, online storage repository that observes best practices when it comes to keeping information safe. This should include having stringent access controls, regular audits, and, most importantly, total data encryption.
Step 5: Employ your own website monitor
While most e-commerce website hosting services will have some kind of monitoring tool set available to their customers as part of the basic package, that's no reason to ignore more robust third-party website monitoring tools. You want to look into these options because tools like those offered by LogicMonitor and New Relic have much deeper management features that'll not only help keep your website running more reliably, but also more securely.
The ability to build your own dashboard and utilize features such as application health monitoring and performance benchmarking will definitely keep your site running smoothly, especially if you can monitor it from anywhere using the mobile clients these tools also often offer. But using deeper features, even if you're not an IT professional, like a robust audit trail for any feature modifications or a code-level root cause analysis engine, can help business operators as well as IT and security professionals track down security problems as they're happening or even before they have a chance to occur. Anyone who has made a website into a business should at least investigate such tools and determine whether their capabilities can keep the site and its data more secure. If they can, then most of them are cheap enough that an investment is essentially a no-brainer.
Step 6: Maintain a Security-Focused Mindset
E-commerce security is never a one-and-done deal. Threats and hacking methodologies evolve at an alarming rate, and maintaining an awareness and a security-focused mindset is the necessary preventive method. Once the security of an SMB's e-commerce website has been compromised, it is often too late. All a business can do at that poing is costly and embarrassing damage control.
"Now you're having to manually work with your customer and have probably damaged that customer experience," Akamai's Sullivan said. "You have to reset their account and deal with fraudulent purchases. This is very expensive from the human perspective since you need somebody working with them to figure this out. That's the direct cost of fraud."
Most of the hacking and website breaches today aren't even done by humans. According to Sullivan and reports such as aforementioned Verizon report, autonomous computer programs or "bots" are responsible for a lot of the damage currently being done. "Up to 30 percent of a website's traffic are bots probing for vulnerabilities," Sullivan said. "For over six months in 2018, the retail segment saw more than 10 billion botnet attacks. Most were bots trying to find information on consumers that have reused their usernames and passwords somewhere."
The real challenge for all businesses is effectively implementing e-commerce authentication and security measures in a frictionless manner so the customer experience is not impacted—and then staying on top of evolving threats without breaking the budget on security. How do you do this? Look for managed e-commerce platform manufacturers or website hosters that place an emphasis on security. Sometimes, these services will stay on top of changing security threats for their customers and even recommend fixes to bleeding-edge threats. By putting security at the core of their online shopping service experience, SMBs can confidently offer customers safe and satisfying e-commerce experiences.