Security is one of the least considered areas of ecommerce, until something goes wrong. If you have an attack, it can cause a huge amount of damage to your business. That is why Thrive Digital have teamed up with security experts at North IT to provide you with a list of things you need to do to ensure your company and customers’ details are kept secure.
1. SSL Certificate
Let’s start with the basics: do you have a working SSL certificate? If you are operating an ecommerce site (or indeed any site that collects sensitive data) you need to have an SSL certificate.
SSL (or Secure Sockets Layer) is a security protocol used for establishing an encrypted link between a server and a client. In simple terms, this means that sensitive data is encrypted before it is sent into the ether, helping to protect it from hackers.
2. Strong Passwords
Quite simply, strong passwords are harder to hack than weak ones. The more random characters in a password, the harder it is to crack. You can put all the security measures in place you like, but if someone in your organisation is using a weak password, it is like securing Fort Knox with a Christmas cracker padlock – it won’t keep the bad guys out. Use random characters; passwords based on words in the dictionary are easier to hack.
3. CAPTCHA Boxes
CAPTCHA boxes help to ensure that it is a person, and not a computer, trying to get into an account. They help to stop automated password-guessing programs from cycling through passwords until they get into an account. Having a CAPTCHA box appear after 3-5 failed attempts helps to protect your (and your customers’) details.
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart, in case you were interested.
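Here is an added example (not code from the article's authors) of the server-side logic that decides when to demand a CAPTCHA. It counts recent failed logins per account and per source address within a sliding window and requires a CAPTCHA once either counter reaches the threshold; counting per address as well catches a single attacker trying many accounts. The threshold of 3 and the 15-minute window are assumptions in line with the article's 3-5 suggestion, and the `clock` parameter exists only so the behaviour can be tested without waiting.

```python
import time
from collections import defaultdict, deque

CAPTCHA_AFTER = 3        # failures before a CAPTCHA is demanded (assumption, article suggests 3-5)
WINDOW_SECONDS = 900     # failures older than this are forgotten (assumption)


class LoginGuard:
    """Tracks failed logins per account and per source IP and says when to demand a CAPTCHA."""

    def __init__(self, captcha_after=CAPTCHA_AFTER, window=WINDOW_SECONDS, clock=time.time):
        self.captcha_after = captcha_after
        self.window = window
        self.clock = clock                    # injectable for tests
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures

    def _keys(self, username, ip):
        # Two counters: one for the account, one for the source address.
        return (f"user:{username}", f"ip:{ip}")

    def _recent(self, key, now):
        """Drop failures outside the window and return the remaining deque."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def captcha_required(self, username, ip) -> bool:
        now = self.clock()
        return any(len(self._recent(k, now)) >= self.captcha_after
                   for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        now = self.clock()
        for k in self._keys(username, ip):
            self._recent(k, now).append(now)

    def record_success(self, username, ip):
        # A successful login clears the account's counter; the IP counter is kept
        # so a guessing run that eventually hits one account still faces CAPTCHAs.
        self._failures.pop(f"user:{username}", None)


def attempt_login(guard, username, ip, password_ok, captcha_ok=False) -> str:
    """One login attempt. Returns 'captcha_required', 'ok' or 'failed'.

    password_ok is the result of your real credential check; captcha_ok is whether a
    valid CAPTCHA response accompanied the request. The CAPTCHA gate is evaluated
    before the password so an automated guesser gets no signal once it is gated.
    """
    if guard.captcha_required(username, ip) and not captcha_ok:
        return "captcha_required"
    if password_ok:
        guard.record_success(username, ip)
        return "ok"
    guard.record_failure(username, ip)
    return "failed"


if __name__ == "__main__":
    g = LoginGuard()
    for _ in range(3):
        print(attempt_login(g, "alice", "203.0.113.5", password_ok=False))
    print(attempt_login(g, "alice", "203.0.113.5", password_ok=True))               # captcha_required
    print(attempt_login(g, "alice", "203.0.113.5", password_ok=True, captcha_ok=True))  # ok
```

Note that even a correct password is refused with `captcha_required` once the threshold is reached: returning "ok" there would let a guessing program learn it had found the right password without ever solving the CAPTCHA.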
4. Irrelevant Data
Collecting data that is non-essential, especially if that involves file uploads, leaves you open to attacks. For example, files uploaded as images can contain malicious script that, when executed on your server, can leave your website vulnerable.
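As an added example of handling the upload risk described above (written for this article, not the authors' code), the function below accepts an "image" upload only if the file's leading bytes match a known image signature and agree with the extension the client claimed, and then stores it under a server-generated random name so the original filename never reaches the filesystem. The size limit, the allowed formats and the sample byte strings are all constructed for illustration.

```python
import os
import secrets

# Allowed image formats: magic bytes, canonical stored extension, extensions a client may claim.
# Assumption: your site only needs PNG, JPEG and GIF product/avatar images.
ALLOWED = {
    "image/png":  {"magic": b"\x89PNG\r\n\x1a\n", "store_ext": ".png", "claimed": {".png"}},
    "image/jpeg": {"magic": b"\xff\xd8\xff",        "store_ext": ".jpg", "claimed": {".jpg", ".jpeg"}},
    "image/gif":  {"magic": b"GIF8",                "store_ext": ".gif", "claimed": {".gif"}},
}
MAX_BYTES = 2 * 1024 * 1024   # assumption: 2 MiB is plenty for a product image


def detect_image_type(data: bytes):
    """Identify the format from the file's own bytes, ignoring whatever the client claimed."""
    for mime, spec in ALLOWED.items():
        if data.startswith(spec["magic"]):
            return mime
    return None


def validate_upload(filename: str, data: bytes) -> dict:
    """Decide whether an upload is accepted; returns ok, reason and the name to store it under."""
    if len(data) > MAX_BYTES:
        return {"ok": False, "reason": "too large", "stored_as": None}
    mime = detect_image_type(data)
    if mime is None:
        # Scripts, HTML, archives etc. never match an image signature, whatever they are named.
        return {"ok": False, "reason": "not a recognised image", "stored_as": None}
    claimed_ext = os.path.splitext(filename.lower())[1]
    if claimed_ext not in ALLOWED[mime]["claimed"]:
        # Content and name disagree: treat as suspicious rather than guessing.
        return {"ok": False, "reason": "extension does not match content", "stored_as": None}
    # Never reuse the client's name: generate one, with the extension chosen by content.
    stored_as = secrets.token_hex(16) + ALLOWED[mime]["store_ext"]
    return {"ok": True, "reason": "accepted", "stored_as": stored_as}


# Constructed sample uploads (not real files).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_SCRIPT = b"#!/bin/sh\necho not an image\n"
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32

if __name__ == "__main__":
    print(validate_upload("photo.png", SAMPLE_PNG))
    print(validate_upload("photo.png", SAMPLE_SCRIPT))      # rejected: not a recognised image
    print(validate_upload("photo.png", SAMPLE_JPEG))        # rejected: extension mismatch
    print(validate_upload("huge.png", SAMPLE_PNG + b"\x00" * MAX_BYTES))  # rejected: too large
```

A signature check is a necessary first gate, not the whole answer: a file can carry a valid image header and still contain other content further in. In production you would also re-encode accepted images with an image library so only pixel data survives, and serve the upload directory from a location where the web server never executes anything.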
5. Ecommerce Software
Consider what software you are using. Don’t use risky or out-of-date e-commerce software, because it won’t incorporate the latest patches (or may indeed include malware). If your software is no longer supported, has stopped being updated, or indeed you have stopped updating it, you could be at risk.
6. Secure Computers and Networks
It might seem obvious, but making sure that computer hardware and networks are secure will keep confidential information safe. If an employee leaves a work laptop on the train, how secure is it? Make sure devices are password protected with strong passwords, and that there are systems in place to prevent access to your networks from unknown locations.
7. Hosting
If you are with your hosting company because they are the cheapest, you may not be safe. If your host is not providing these three things, you may want to think about changing.
SFTP – A secure way of uploading data onto your hosting account. FTP is insecure because it does not encrypt the connection, so passwords and files are transmitted in plain text; anyone on the same public Wi-Fi can listen in on your connection, or use a man-in-the-middle attack to capture the unprotected information.
Backups – If you are hacked and not backed up, you may have lost your site, meaning a lot of downtime and expense.
Server Maintenance – Hosting companies should be providing maintenance to ensure that any vulnerabilities are fixed, and that they are on top of any upgrades and patches. Lack of adequate server maintenance led to a massive breach at JPMorgan Chase, which could have been prevented with a simple fix.
8. Credit Card Info
Don’t store credit card information yourself. Large companies who specialise in secure data storage spend vast sums of money to ensure that they are good at it. Unless you can spend millions, let the experts do it. We recommend using a service like SagePay.
9. Vulnerability Scanning
Have ongoing vulnerability scanning for off-the-shelf software solutions, or penetration testing if there is any custom code. This will ensure that any issues with your systems are flagged up, allowing the holes to be closed.
10. Security Training
Providing security training to employees will reduce social engineering risks. If employees are aware of the issues and taught to prevent them, they are more likely to take decisions that protect sensitive information.
You can check if your details have ever been leaked by entering your email address here.