Statistics on cybercrime and online fraud make for some frightening reading. Business Email Compromise scams are now targeting 400 different companies every day, with organised criminal gangs routinely stealing from banks, bitcoin exchanges and business databases. Hackers are increasingly targeting zero-day vulnerabilities in new systems, while the cloud provides a ready backdrop for mass DDoS attacks and even state-level sabotage and subversion. And ransomware attacks are increasing almost as quickly as the average ransom that’s being charged to unlock sensitive or irreplaceable data.
For the humble customer, debating whether to make an online purchase from a new retailer, the risks of data theft and fraud have never been so great. Yet as webmasters and administrators, there are plenty of steps we can take to ensure our ecommerce sites are safe to use.
These are ten of UK2’s top recommendations for keeping customers – and their data – safe…
- Choose a premium hosting service. While modesty is a virtue, we must acknowledge UK2’s secure servers with their in-built redundancy. We also offer SiteLock – a sophisticated cloud-hosted monitoring system for websites and email accounts, which identifies and protects against threats or vulnerabilities.
- Adopt a trusted ecommerce platform. With the network infrastructure locked down, online checkouts should form the next line of defence. Market leaders include WooCommerce and Magento, though their popularity draws unwelcome attention – so ensure any patches or updates are automatically enabled. Insist on CVV codes, too.
- Use third party financial data storage. Third party payment solutions handle customer transactions securely and store card details so returning customers can check out faster. They are run by companies dedicated to safeguarding customer data. Huge fines and reputational damage will ensue if your ecommerce site is plundered.
- Regularly update software and plugins. WordPress plugins deliver robust and cost-effective security enhancements. However, they require frequent updates, particularly if they’re free or open source. All software updates should be automatically enabled, ensuring new vulnerabilities can be patched as soon as they’re identified.
- Adopt site-wide HTTPS. Secure Sockets Layer (SSL/TLS) certificates encrypt data in transit, so an exchange can be read only by the sender and recipient devices. Google now flags HTTP-only sites as non-secure in its market-leading Chrome browser, so apply HTTPS to the whole site. It’s also advisable to encrypt sensitive communications like email.
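Applying HTTPS to the whole site means more than installing a certificate: every plain-HTTP request must be redirected to its HTTPS equivalent, and HTTPS responses should carry a Strict-Transport-Security header so browsers stop trying HTTP at all. The WSGI middleware below is an added example, not UK2 or SiteLock code; it assumes the shop runs behind a TLS-terminating proxy that may set X-Forwarded-Proto, and the host names, paths and the stand-in application are constructed.

```python
"""Site-wide HTTPS enforcement as a WSGI middleware (added example).

Any HTTP request is answered with a 301 to the same URL over https://,
and every HTTPS response gets an HSTS header. Host names below are
constructed placeholders.
"""
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year, all subdomains
ALLOWED_HOSTS = {"shop.example", "www.shop.example"}  # constructed
CANONICAL_HOST = "shop.example"                       # constructed


def is_https(environ):
    """Detect HTTPS; trust X-Forwarded-Proto only because we assume a
    TLS-terminating proxy in front of the app sets it. Without a proxy,
    wsgi.url_scheme is authoritative."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded:
        return forwarded.split(",")[0].strip().lower() == "https"
    return environ.get("wsgi.url_scheme", "http") == "https"


def https_target(environ):
    """Rebuild the requested URL with the https scheme. The Host header is
    attacker-controlled, so only known hosts are echoed into the redirect;
    anything else goes to the canonical host (avoids an open redirect)."""
    host = environ.get("HTTP_HOST", "")
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    path = quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    url = f"https://{host}{path}"
    if query:
        url += "?" + query
    return url


def enforce_https(app):
    """Wrap a WSGI app so the whole site is served over HTTPS only."""

    def wrapped(environ, start_response):
        if not is_https(environ):
            start_response("301 Moved Permanently",
                           [("Location", https_target(environ)),
                            ("Content-Type", "text/plain; charset=utf-8")])
            return [b"Redirecting to HTTPS\n"]

        def start_with_hsts(status, headers, exc_info=None):
            # HSTS is only meaningful on HTTPS responses; replace any
            # existing header so the policy is set in one place.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)

    return wrapped


def call(app, environ):
    """Tiny offline test client: returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def shop(environ, start_response):
    """Stand-in ecommerce application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"checkout page\n"]


secure_shop = enforce_https(shop)

if __name__ == "__main__":
    plain = {"wsgi.url_scheme": "http", "HTTP_HOST": "shop.example",
             "PATH_INFO": "/checkout", "QUERY_STRING": "cart=42"}
    print(call(secure_shop, plain))
    print(call(secure_shop, {**plain, "wsgi.url_scheme": "https"}))
```

The redirect is a permanent 301 so browsers cache it, and the HSTS max-age of one year is the value most preload guidance expects; start with a shorter max-age while confirming every subdomain really does serve HTTPS.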
- Change passwords to obscure combinations. Incredibly, some administrators still use clichéd terms like ‘admin’ and ‘0000’ as their usernames and passwords. Automated tools can quickly spot default usernames and passcodes, so choose complex strings that would take a quantum computer to crack – like 51t3adm1n15trat10n.
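A policy check that rejects the defaults mentioned above can be enforced at account creation rather than left to good intentions. The checker below is an added example, not UK2 code. Besides default usernames and passwords, length and character variety, it normalises common digit-for-letter substitutions before a dictionary lookup, because password-cracking tools apply exactly those substitution rules to their word lists; the usage at the bottom runs the page’s own example string through it to show what that catches. The default and dictionary lists are tiny constructed placeholders; a real deployment would load full breach and dictionary lists.

```python
"""Administrator credential policy check (added example, not UK2 code)."""
import math
import re

# Constructed placeholder lists; real deployments use full breach/word lists.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "user", "test"}
DEFAULT_PASSWORDS = {"0000", "1234", "password", "admin", "letmein", "qwerty"}
DICTIONARY = {"password", "admin", "site", "administration",
              "siteadministration", "welcome", "shop", "secret"}
# Common 'leet' substitutions; cracking tools try these automatically.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 12
MIN_BITS = 50  # illustrative threshold for the entropy estimate


def deleet(password):
    """Undo digit/symbol-for-letter substitutions and lowercase the result."""
    return password.lower().translate(LEET)


def entropy_bits(password):
    """Rough upper-bound entropy from character-class pool size and length.
    It says nothing about dictionary structure, which is why the checks
    below also normalise and look the string up."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def check_credentials(username, password):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if username.lower() in DEFAULT_USERNAMES:
        problems.append("default username")
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("default password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if entropy_bits(password) < MIN_BITS:
        problems.append("too little variety for its length")
    normalised = deleet(password)
    letters_only = re.sub(r"[^a-z]", "", normalised)
    if normalised in DICTIONARY or letters_only in DICTIONARY:
        problems.append("dictionary word with simple substitutions")
    if username and username.lower() in normalised:
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for user, pw in [("admin", "0000"),
                     ("s.jones", "51t3adm1n15trat10n"),
                     ("s.jones", "Marmalade-Turbine-47-Quiet")]:
        print(user, pw, check_credentials(user, pw) or "OK")
```

The entropy estimate alone would rate 51t3adm1n15trat10n at over 90 bits, which is why the de-leeting lookup matters: length and mixed characters help only when the underlying string is not a word or phrase a cracker would try anyway.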
- Geolocate ecommerce customers. Knowing where transactions are taking place often highlights fraud, such as someone in Africa attempting to buy six iPads in the UK. Geolocation anti-fraud software compares IP addresses with cardholder details. A fraud risk score is calculated, and ecommerce sites can then run additional identity checks.
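The risk-score step above can be made concrete: compare the country the client IP resolves to against the cardholder’s billing country, add weight for mismatched shipping, high order value and bulk quantities, and route anything above a threshold to additional identity checks. The code below is an added example, not UK2 code or any anti-fraud vendor’s product. A real deployment would query a GeoIP database and take the billing country from the payment processor; here both are replaced by constructed lookup tables (using the reserved documentation IP ranges) so it runs offline. Weights and thresholds are illustrative assumptions.

```python
"""Geolocation-based fraud risk scoring (added example, not UK2 code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP database: network -> ISO country code.
# The ranges are the reserved TEST-NET blocks, assigned here arbitrarily.
GEOIP_TABLE = [
    (ip_network("198.51.100.0/24"), "GB"),
    (ip_network("203.0.113.0/24"), "NG"),
    (ip_network("192.0.2.0/24"), "US"),
]

# Constructed catalogue: SKU -> unit price.
PRICES = {"ipad": 900.0, "laptop": 1200.0, "phone-case": 12.0}

# Illustrative weights (assumptions, tune against real chargeback data).
W_IP_UNKNOWN, W_IP_MISMATCH, W_SHIP_MISMATCH = 20, 40, 20
W_HIGH_VALUE, W_BULK = 20, 15
HIGH_VALUE, BULK_QTY = 2000.0, 5


@dataclass
class Order:
    client_ip: str
    billing_country: str    # from cardholder details via the payment processor
    shipping_country: str
    items: dict             # SKU -> quantity


def geolocate(ip_text):
    """Return the country code for an IP, or None if it is not in the table."""
    ip = ip_address(ip_text)
    for net, country in GEOIP_TABLE:
        if ip in net:
            return country
    return None


def order_value(items):
    return sum(PRICES.get(sku, 0.0) * qty for sku, qty in items.items())


def risk_score(order):
    """Return (score 0-100, reasons). Higher means more likely fraud."""
    score, reasons = 0, []
    ip_country = geolocate(order.client_ip)
    if ip_country is None:
        score += W_IP_UNKNOWN
        reasons.append("IP not in geolocation database")
    elif ip_country != order.billing_country:
        score += W_IP_MISMATCH
        reasons.append(f"IP country {ip_country} != billing {order.billing_country}")
    if order.shipping_country != order.billing_country:
        score += W_SHIP_MISMATCH
        reasons.append("shipping country differs from billing")
    value = order_value(order.items)
    if value >= HIGH_VALUE:
        score += W_HIGH_VALUE
        reasons.append(f"high order value {value:.0f}")
    if max(order.items.values(), default=0) >= BULK_QTY:
        score += W_BULK
        reasons.append("large quantity of a single SKU")
    return min(score, 100), reasons


def decision(score):
    """Map a score to the action the checkout takes."""
    if score >= 60:
        return "step-up"    # run additional identity checks before accepting
    if score >= 30:
        return "review"
    return "accept"


if __name__ == "__main__":
    # The page's own scenario: an IP abroad buying six iPads on a UK card.
    suspicious = Order("203.0.113.10", "GB", "NG", {"ipad": 6})
    score, why = risk_score(suspicious)
    print(score, decision(score), why)
```

Keep the reasons list alongside the score: when a genuine customer is asked for extra verification, support staff need to see which signal fired, and reviewing false positives is how the weights get tuned.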
- Back up data on a daily or weekly basis. The majority of ecommerce sites subjected to severe or total data loss will fail. The importance of duplicating hard-won customer contact details and order histories simply can’t be overstated. Create automated backups with RAID, or manually copy data onto the cloud or an external hard drive.
- Go belt and braces. Go all-out by eliminating flawed platforms like Java or Flash from your site. A physical firewall represents a good investment, while a content delivery network learns to recognise malicious traffic. Servers can be configured to prevent DDoS attacks, and cybersecurity consultants will identify system weaknesses.
- Discuss data protection in blogs and news pages. The nine steps above should provide far greater protection against criminals and hackers. Now it’s time to announce this to your customers – after all, they won’t necessarily know (or care) what’s taking place behind the scenes. They just want your site’s security to be as robust as possible.