Just as the digital age has brought us borderless trade and ever-increasing connectivity, it has also brought a rising tide of cybersecurity threats. Online retailers are one group of website owners who must keep web security best practices firmly in their sights.
Over the past 15 years, more than 8,000 data breaches have been recorded, while incidents of newer threats such as ransomware and formjacking continue to rise.
This makes the digital space perilous for online retailers, and adequate safeguards must be put in place.
There are many who mistakenly think that online retail is very similar to physical retail, but in terms of potential business impact of a security breach, the consequences can be far worse. If a physical store is robbed, often the key damages arise from financial or material effects within the store.
However, running an online business means a breach will often affect your customers as well, and hence your business reputation. For example, to make a sale online, retailers need to record customer data, both personal and financial, in order to process payments and shipping. It is this data that cybercriminals are after.
If the attack is of a disruptive nature, then regular website operations might be impacted. This, in turn, will cause a reputational loss for the business when customers are unable to access the site. These and many more factors can cause far-reaching effects to online retailers.
To avoid problems arising from cybercrime, we’re going to look at web security best practices. As with all things associated with security, there are two main aspects to web security: attack prevention and damage mitigation.
During 2019, websites came under an average of 62 attacks per day. With millions of websites online, that means hundreds of millions of attacks were attempted daily, on average. The takeaway is that no site online is safe, and that sites which process customer information are doubly at risk.
In order to avoid falling victim to these attacks, there are many things the average online retailer can do as preventive measures.
Examples of weak vs strong passwords
One of the most popular means of attacking a website is to use an automated tool to carry out a brute-force or similar automated attack on the username and password system. If successful, this is an easy way for cybercriminals to gain entry to the administrative areas of a website, where they can do untold damage.
Strong passwords are longer and more complex. The longer a password is, and the more types of characters it is made up of, the more difficult it will be for cybercriminals to crack.
If you’re afraid to create and use more complex passwords out of fear that you’ll keep forgetting them, using a tool like Norton Identity Safe can be helpful. This app and others like it help you keep stored passwords safe and secure so that you won’t have to worry about forgetting them.
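To make the "longer and more character types" advice concrete, here is a small password policy checker added for this post (it is not code from the original article or from any of the products mentioned). It counts the character classes a password uses, estimates an upper bound on its guessing entropy, and converts that into an average exhaustive-search time at an assumed guess rate. The 33-symbol pool, the 12-character / 3-class thresholds and the 1e10 guesses-per-second rate are all assumed policy values, not figures from the article.

```python
import math

# Character classes and the pool size each contributes to the guess space.
# The 33 printable ASCII symbols are an assumed value for this example.
CLASSES = {
    "lower": (str.islower, 26),
    "upper": (str.isupper, 26),
    "digit": (str.isdigit, 10),
    "symbol": (lambda c: not c.isalnum() and not c.isspace(), 33),
}


def character_classes(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, (test, _) in CLASSES.items()
            if any(test(c) for c in password)}


def entropy_bits(password: str) -> float:
    """Upper-bound guessing entropy: length * log2(pool size).
    It assumes every character was drawn uniformly from the classes present,
    so dictionary words and keyboard patterns are weaker than this number."""
    pool = sum(CLASSES[name][1] for name in character_classes(password))
    return len(password) * math.log2(pool) if pool else 0.0


def expected_crack_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Average time for an exhaustive search at the given guess rate
    (half the space is tried on average). 1e10/s is an assumed figure for an
    offline attack on a fast hash; an online attack against a rate-limited
    login form is many orders of magnitude slower."""
    return 2 ** entropy_bits(password) / 2 / guesses_per_second


def is_strong(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Policy check: minimum length and minimum number of character classes
    (assumed thresholds for this example)."""
    return (len(password) >= min_length
            and len(character_classes(password)) >= min_classes)


def report(password: str) -> str:
    """One-line human-readable summary of the checks above."""
    classes = ", ".join(sorted(character_classes(password))) or "none"
    return (f"{password!r}: {len(password)} chars, classes: {classes}, "
            f"~{entropy_bits(password):.0f} bits, "
            f"~{expected_crack_seconds(password):.3g} s to brute-force, "
            f"{'strong' if is_strong(password) else 'weak'}")


if __name__ == "__main__":
    # Constructed sample passwords, from weak to strong.
    for pw in ("password", "Summer2020!", "c7#Kq9!vLm2$wXp4"):
        print(report(pw))
```

The entropy figure is deliberately an upper bound: it tells you how much a longer, more varied password helps against blind guessing, but it cannot tell you that "Summer2020!" is a pattern every cracking wordlist already contains. Use the length and class thresholds as a floor, not as proof of strength.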
The padlock icon in Chrome indicates to users that the connection to this website is encrypted. Clicking on it shows more details about the certificate.
Secure Sockets Layer (SSL) certificates are indispensable today, especially for online retailers. (Modern deployments actually use SSL's successor, TLS, but the name has stuck.) They are the means of assuring your customers or visitors that any data they provide to your site is encrypted in transit. This includes everything from their personal data to payment information.
SSL has become so important to web users that major browsers such as Chrome and Firefox do their best to ensure that the presence (or absence) of an SSL certificate on a website is made clear to visitors. In fact, there is a notification on the address bar of the browsers specifically for this.
There are various types of SSL certificates, and not all of them are expensive. In fact, the best idea is to start off with a free SSL certificate from a provider like Let’s Encrypt. Once you’ve gotten the hang of installing and administering that, you can reassess your business needs and choose the right certificate for your use.
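Installing a certificate is only half the job; the common operational failure is letting it expire or serving one that does not cover the hostname customers actually use (Let's Encrypt certificates in particular are short-lived and depend on renewal working). The following checker is an added example for this post, not code from the article or from Let's Encrypt: it works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, flags expiry within a warning window, and checks that a hostname is covered by the certificate's subjectAltName entries (including single-label wildcards). The sample certificate, its dates and the `CHECK_TIME` are constructed so the checks run offline; `fetch_peer_certificate()` is the live variant for your own domain.

```python
import socket
import ssl
import time

# Constructed sample certificate in the dict shape ssl.SSLSocket.getpeercert()
# returns; the names, issuer and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.shop.example.com")),
    "notBefore": "Dec 15 00:00:00 2023 GMT",
    "notAfter": "Mar 15 00:00:00 2024 GMT",
}
# A fixed "now" so the checks are reproducible: 14 days before the sample expires.
CHECK_TIME = ssl.cert_time_to_seconds("Mar 01 00:00:00 2024 GMT")


def fetch_peer_certificate(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check: connect with full chain verification and return the server
    certificate in getpeercert() dict form. Not called in the offline demo."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def seconds_until_expiry(cert: dict, now=None) -> float:
    """Seconds until the certificate's notAfter; negative once expired."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notAfter"]) - now


def dns_names(cert: dict) -> list:
    """DNS entries from subjectAltName (browsers ignore the CN on its own)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Match a hostname against the SAN list; '*.' covers exactly one label."""
    host = hostname.lower().rstrip(".")
    for name in dns_names(cert):
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # ".shop.example.com"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif name == host:
            return True
    return False


def check_certificate(cert: dict, hostname: str, now=None, warn_days: int = 14) -> list:
    """Return a list of problems; an empty list means the certificate is fine
    for this hostname at time `now`. warn_days is an assumed renewal window."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    remaining = seconds_until_expiry(cert, now)
    if remaining < 0:
        problems.append("expired")
    elif remaining < warn_days * 86400:
        problems.append(f"expires in {remaining / 86400:.1f} days")
    if not hostname_matches(cert, hostname):
        problems.append(f"hostname {hostname} not covered by certificate")
    return problems


if __name__ == "__main__":
    for host in ("shop.example.com", "api.shop.example.com", "www.example.com"):
        print(host, "->", check_certificate(SAMPLE_CERT, host, CHECK_TIME, warn_days=30) or "ok")
```

Run `check_certificate(fetch_peer_certificate("your-shop-domain"), "your-shop-domain")` from a daily cron job and alert on a non-empty result; that catches the expired-certificate warning page before your customers do. Note that `fetch_peer_certificate` already fails with an `ssl.SSLCertVerificationError` if the chain does not verify against the system trust store, which is the same failure a browser would show as a broken padlock.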
Aside from the measures you take on your own, choosing a hosted ecommerce platform like 3dcart, or the right web hosting provider for other applications can also make a difference in your web security. If you haven’t already, look for web hosting solutions that are secure and ideally, those who offer additional tools which can help with your security.
Take, for example, InMotion Hosting, which is both a secure web host and offers users of the WordPress platform access to the Jetpack tool. This is a fantastic all-in-one solution which not only increases the customizability of your site but also helps harden it against web attacks.
Secure web hosts generally have high levels of security on the server side, which makes it even more difficult for cyber attackers to target sites being hosted with them.
Overview of a 2FA implementation (Source: Washington University)
Two-factor authentication (2FA) is an additional layer which can be added to your authentication process. For example, if you were to try to log in to your website, a 2FA system would require that you provide another means of identifying yourself beyond your password.
Some 2FA systems use the Short Message Service (SMS) to send you a code to enter, while the more robust 2FA used by some financial institutions requires that you possess a physical dongle or card that generates the second authentication code.
This method of login authentication is very secure, and how it is implemented is entirely up to you. There are many 2FA systems available. As an example, if you’re using the WordPress platform, some of them are free and can be found in the plugin repository. If you’re using eCommerce software like 3dcart, you can set up two-factor authentication for your online store within its options panel.
Software is always released with bugs. Some may be known, but others may not yet have been found. Over time, these are discovered, and developers often issue software updates to patch the security loopholes which may be present in their applications. Security loopholes in software that aren’t updated are one of the means by which attackers can gain access to a website.
With that in mind, you first have to make sure you’re using secure software for data exchange and for handling sensitive information and transactions. You can use virtual data rooms to store and share confidential information and collaborate from various devices and locations without exposing anyone or any data to security risks.
You can rely on the provider of your third-party software to keep their products secure and regularly updated, but when it comes to the software on your own site, you need to take matters into your own hands.
Keeping all the software on your website up to date should be a key priority for any website owner. This applies both to the server and to the site itself, so do pay attention to the security bulletins that web hosts circulate from time to time.
On the personal front, keeping your own web software up to date is usually your responsibility. Most web applications release regular updates which can be implemented through your web control panel. For example, WordPress has an internal updating system which you need to keep an eye on from time to time.
CDNs like Cloudflare help you offer a more stable and faster website and help mitigate DDoS attacks
Content Distribution Networks (CDNs) are a good way to help speed up the way your website sends data to your visitors, but they can also act as a strong mitigator against Distributed Denial of Service (DDoS) attacks.
CDNs work by operating a massive network of servers around the world. If you’re connected to that network, your site will be able to handle more visitors than one running without a CDN, since you can make use of some of the resources on the CDN servers to serve your own site visitors.
The same system helps you absorb the blow of DDoS attacks, depending on the severity of the attack. Basic CDN usage is available for free from a variety of providers such as Cloudflare. If you’re looking for better DDoS mitigation plans, you’ll likely have to upgrade to one of their paid plans.
No matter how secure your website may be, you also must bear in mind that information going to and from the website also needs to be kept safe. For example, can you imagine if you were trying to log in to your site and that information was intercepted midway? The attacker would then have access to your username and password!
There are two main ways of keeping your connection safe. The first is the SSH File Transfer Protocol (SFTP), which mostly applies when you’re transferring a large number of files to your web server. The second method encrypts all communications from you to anywhere else on the Internet, and that is a Virtual Private Network (VPN).
Both methods will help keep data that is being passed around by you safe. Even if somehow the communication were to be intercepted, encryption of the data in those communications will make it unlikely that anyone would be able to know what information you’re sending or receiving.
The last two items have more to do with disaster recovery than prevention. No matter how safe you try to keep your website, things happen, and a determined attacker can always make it through your security measures. Even software itself can get corrupted at times or otherwise cause problems.
This is the situation where performing regular backups can help. Although there are many web hosts who have backup systems in place, I would strongly advise you to implement your own as well and to keep copies of your data offline in an alternate location.
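A backup only counts once you have proven you can restore it, and an offline copy is only useful if you can tell that it has not been corrupted or altered since it was taken. The following is an added example for this post (not code from the article, a host, or any backup product): it archives a site directory into a gzip tarball, writes a manifest of per-file SHA-256 digests plus the digest of the archive, then restores into a clean directory and reports every deviation from the manifest. The `demo()` function builds a tiny constructed site in a temporary directory and runs a clean restore and a deliberately corrupted one.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source` into `archive` (tar.gz) and write <archive>.manifest.json
    holding a digest per file and a digest of the archive itself."""
    files = {str(path.relative_to(source)): sha256_file(path)
             for path in sorted(source.rglob("*")) if path.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest = {"files": files, "archive_sha256": sha256_file(archive)}
    manifest_path = archive.with_name(archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path, manifest: dict, restore_to: Path) -> list:
    """Restore into `restore_to` and return a list of problems (empty = good)."""
    problems = []
    if sha256_file(archive) != manifest["archive_sha256"]:
        problems.append("archive digest mismatch (corrupted or tampered)")
        return problems  # do not trust anything inside a damaged archive
    restore_to.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # Only extract plain files and directories with relative, non-escaping paths.
        safe = [m for m in tar.getmembers()
                if (m.isfile() or m.isdir())
                and not Path(m.name).is_absolute()
                and ".." not in Path(m.name).parts]
        tar.extractall(restore_to, members=safe)
    for rel, expected in manifest["files"].items():
        restored = restore_to / rel
        if not restored.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"content mismatch: {rel}")
    return problems


def demo() -> tuple:
    """Constructed end-to-end run: returns (problems for a clean restore,
    problems for a restore from a corrupted copy of the archive)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        site = tmp / "site"
        (site / "wp-content").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample config\n")
        (site / "wp-content" / "orders.csv").write_text("id,total\n1,19.99\n")
        archive = tmp / "site-backup.tar.gz"
        manifest = create_backup(site, archive)
        clean = verify_restore(archive, manifest, tmp / "restore-clean")
        # Simulate bit rot or tampering on the stored copy: append junk bytes.
        with open(archive, "ab") as handle:
            handle.write(b"\x00" * 16)
        damaged = verify_restore(archive, manifest, tmp / "restore-damaged")
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore problems:", clean or "none")
    print("damaged archive problems:", damaged)
```

Keep the manifest with the offline copy, and run `verify_restore` on a schedule rather than only on the day you need the backup; a quarterly restore drill into a scratch directory is what turns "we have backups" into "we can recover". For a real store, the database dump belongs in the same archive as the files.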
When things go wrong, they usually do so quickly. Business continuity is vital for online retailers, and having a plan to recover from potential problems can be a major help in your recovery efforts. Draw up a list of possible scenarios: this can be used to strengthen your security measures as well as serve as a recovery manual.
By deciding ahead of time in less stressful situations the best way to move forward, you are in fact reducing the potential impact of any disaster which may befall your site. When problems arise, simply refer to the checklist you’ve created and recover from the problems as quickly as possible.
Always include vital numbers you can call, such as technical support for your web host, any developers you might have worked with, or even key employees in your organization who may be useful in relation to specific security procedures.
Web security can be a daunting task, and even the experts get it wrong from time to time. However, as with any form of security, your aim is not total defense, but to make it as difficult as possible for any attacker to cause problems.
Cyber attackers often go after soft targets simply because they have such a huge market to choose from with the millions of websites online. By increasing your defenses to the point where they may decide your site is not worth going after, you’ve already won the battle.
Do note that this list of best practices I’ve provided is by no means exhaustive and that there are many other security factors for you to consider.