This topic is large and wide around the globe and it affects everyone. Consumers may have their details stolen, Businesses could lose revenue for their business and governments/banks could suffer greatly due to data breaches. While there are standards to meet on hosting a website (GDPR, PCI Compliance, etc.) changes occurring at all levels of the Internet opens up opportunities to exploit by the dark forces.
Motives are mostly aimed at obtaining data to convert into cash such as obtaining client data (Email lists for Marketing to be sold), a database of credit cards (Fraud), or client credentials to mining additional data. There are other motives such as creating chaos or disruption in a targeted way (such as DDoS attacks). This activity undermines consumer confidence with online purchases, and all the while consumers take precautions – there are still methods to which they can be taken advantage of.
There are several areas of security to ensure you have a tight ship. The main area is the Hosting of your website/database and how it is configured/coded. Your payment gateway and its protocols/encryption and the methodology of your website takes payment to be processed.
This is a significant burden to the business owner to ensure that compliance and the necessary work to protect their online business is done correctly. However, with today’s tools, you can have your cybersecurity measures in place and be confident that you can focus on managing your business without losing sleep over it.
Securing the web code and servers
This is a summary checklist of each area to look out for – most of which will apply. There will be differences between Cloud Ecommerce systems vs. Hosted ones. A lot of the precautions are around your access and protection methodologies.
- Your Password: Protecting it may be a challenge in remembering them, but it is your business that’s riding on its security. The password has to be difficult to crack, capital letters, numbers and symbols included in the password is often recommended as a strong password.
- Data Encryption: It is good practice to store your data at the highest level of encryption. AES 256-bit encryption is currently available and is military grade.
- Admin Panel link: If you are using WordPress, Magento, BigCommerce and the like – these Hosted systems have a default Domain.com/admin link. Have the link be changed from “admin” to something more obscure that only your staff knows only. Additionally, configure the store to remove the path from being crawled by search engines to ensure it remains obscure.
- Enhanced authentication: Two-factor authentication is becoming commonplace today. This requires a second step after the password has been accepted and ensures that a device receiving code can authenticate the person registered to that account. This is done with the likes of iTunes, government sites, banks, and various finance apps. If for some reason anyone tries to gain entry without your permission and knowledge you will be alerted and you can stop them at the door.
- Software Patches: Especially for Hosted solutions, there are various patches from apps/plugins as well as the main system that have to routinely be done. Given that these can affect the stability/compatibility of your website if done without testing depending on customization and integrations done to date is a concern. A maintenance schedule is a good way to handle these, and while it is good practice to patch early and often, assessing the risks by reading the release notes by the developers on what type of patch it is crucial. Security patches are displayed clearly and should be a priority and should be considered outside of a regular maintenance schedule.
Cloud server security: Cloud-based hosting will have different features for enhanced security. Consulting with their support staff is important to ensure that every access to your store is secured. FTP is an older feature and in some cases is still being offered. However, other features can enhance security which is as follows:
- Assign different access rules, especially when various staff members have access, restrict their access to their specific needs, not admin-level permissions.
- If two-factor authentication is offered, use it.
- Sign-in/out protocols with activity delay checks are important so that accounts cannot be left open and accessible if left open in a browser/app.
- Authenticate the devices that can access the accounts by whitelisting them.
- If you have a static IP – configure the IP to which you will be accessing the server and deny all other foreign IP access. Always make sure you have 2 for redundancy configured.
Reviewing with the support staff on these points as well as any additional features they offer is key to making sure you have your management tools in place and secure.
Technical server security: At the development level, the engineer needs to take various precautions to ensure that their work and access to the server is secure, and also not leave any “holes” in the development effort before deployment of the site.
- HTTPS is a key requirement for any deployed system and there are guides for developers on how to use, manage and ensure that uploaded code is done securely.
- Staging vs. Live sites – both require HTTPS and the same precautions. Using source control (Bitbucket or other) and code reviews on changes is a good practice to ensure that the noted intended changes are done. Using SSH (A tunneled port configured to a specific IP) it gives developers a secure connection to copy files into the server from their local computers.
- Deployment tools that securely transfer files should be considered – see a list here - https://stackify.com/software-deployment-tools/
- Keeping their deployment software up to date, including their OS – for the same reason of keeping up with patches and fixes.
- IP and port review – this has to be done to make sure no open ports are left unchecked, or IP’s from previous developers are left behind.
- Developers should have a process/methodology in their development and deployment (not just tools), such as in Agile, using industry best practices – see guidance here - https://stackify.com/deployment-best-practices/
- Securing the server with WAF (Web application Firewall), IPS (Intrusion Protection System), IDS (Intrusion Detection System) for a wide and multi-layered approach that compliments each other.
- Some tools will test and scan your website to ensure that no gaps are left to chance. Testing your website is a key insurance policy to achieve the security goals you have set for yourself.
- Change the database access ID/Password (with back-up as necessary) during scheduled maintenance.
- Securing DB backups as needed.
- Follow access rules for your team and anyone associated with the website.
- Limit privileges wherever possible to the least amount of members.
- Remove all ambiguous, undefined and anonymous accounts that have access to any part of the website.
- Enforce unsuccessful login limits with time delays.
- All development systems should have access security, with the likes of LastPass automatically logged out until it is required to access the server.
- VPN usage can help secure your communication through tunneling to the server and is encrypted if you require a terminal onto the server.
- Vulnerability research with cause/effect test cases should be made as part of the testing of the system. This brainstorming can find unforeseen gaps that may have exposure.
- Making it easy: How about just focusing on designing your store, and leaving the security, hosting and the bulk of the heavy lifting that developers do with the hosting company? Shopify may be your port of call.
- Is already PCI Compliant https://www.shopify.co.uk/security/pci-compliant
- Has a Security Response process and team https://www.shopify.co.uk/
An article covering the safety of Shopify can be found here
While many business owners focus on their drive-in marketing, sales, profitability, operations, logistics and many more important areas of the business. All that effort could come to a grinding halt by being hacked. A report by Cimcor Inc reported in January 2019 that 60% of small businesses close their doors within six months from being hacked. Business Insider has revealed in August 2018 that 80-90% of login attempts made on retail sites are hackers using stolen data. The probability is high, your website will be tested and the legal consequences of being breached can be severe. Every part of your operation needs to consider security, it is worth the time and dedication to be spent in this domain and it is a great investment to secure a great future and business growth.