Recent research has revealed that the security of a website is the second most influential factor, after price, in dissuading shoppers from purchasing an item online.
The vast majority (84%) of shoppers said that they would not make a purchase from a website that didn’t appear secure, while almost a third (30%) said that buying from a preferred site is the single most important factor in their decision-making.
Based on the findings, Neil Christie, commercial director of cloud solutions company iomart, says that “it is crucial for retailers to understand exactly what it is that makes a site secure and trustworthy in order to attract new customers.”
He adds: “There are still challenges regarding how to best demonstrate a commitment to data protection to your users. Plus, the majority of websites – even those that are already highly secure – have the potential to make further improvements quickly by implementing simple steps which are often overlooked.”
There are a number of actionable steps and changes that eCommerce stores can take to improve the security of their online platforms.
iomart’s guide on how to ensure data protection while maintaining best practice includes general security recommendations, types of activity to monitor, prevention of malware and ransomware-attacks, and advice on responsible commerce.
Top five cyber recommendations for eCommerce
Monitoring file change activity
Files being added, changed or deleted is one of the earliest detectable signs that a website has been compromised, so monitoring file changes is a highly effective method for identifying malicious activity.
If you notice an unexpected file change, consult with your web developers (and any other staff with sufficient access) to confirm whether they made the change. If they did, great! No further action is required. If they didn’t then you’ve identified a problem early and can take the appropriate steps to resolve it.
Create a custom admin path
A common method of attack is to exploit standard configurations of websites to access admin pages and carry out automated brute force attacks to find correct username and password combinations.
By default, your admin path will be something like ‘website.com/store/admin’. Simply changing your admin path to anything other than this default format will immediately make it harder for anyone to access your admin page and initiate an attack. You can change the admin path to anything you like. But ideally, you should use a random letter string, e.g. ‘website.com/store/thpgdh’, as this will be harder to guess.
Use an advanced web application firewall
An advanced web application firewall gives you an extra line of defence against vulnerabilities from outdated software. When a new update is released, the firewall will act as a “virtual patch”, keeping your website secure until you have time to roll out the latest update. This provides protection against zero-day vulnerabilities.
When properly configured and managed, an advanced web application firewall also provides protection against three other major threats: SQL injection, application vulnerability exploits and injected code.
Educate your teams
Every single person within your organisation should be aware of malware and how to protect against it. Create a guide of best practices for email, backups and web development. Then share with all staff and make it part of the induction process for new starters. Having everyone on the same page, with clear guidelines on what should be flagged as suspicious, will reduce the risks of someone accidentally introducing malware to your systems.
If you’re not sure what to include in your guide, check out this advice-led article on turning your staff into your best defence against ransomware and use that as a starting point! We also recommend holding regular training sessions to refresh knowledge of these best practices.
Monitoring unprotected credit card holder data
Monitoring file changes and website activity are both defence mechanisms designed for the early detection of security threats and breaches. Payment card data is typically the most sought-after information in malware attacks.
In many cases, attackers will store the payment card data they intercept in an unencrypted file somewhere on your website, ready to harvest in bulk at a later date. By carrying out regular Primary Account Number (PAN) scans you can be alerted to any unprotected cardholder data. This almost creates a trap for the attacker: once alerted, you can remove the unencrypted data, find the source of the malware and remove it before the attack is able to extract the personal data.
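As an added example (not part of iomart’s guide), the following Python script performs the kind of PAN scan described above: it looks for 13–19 digit runs in text files, discards candidates that fail the Luhn check, and reports each hit masked to the first six and last four digits so the scan output itself does not become another copy of cardholder data. The sample files at the bottom are constructed for the demo.

```python
import re
from pathlib import Path

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
_PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep BIN (first 6) and last 4; never log the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked, Luhn-valid PAN candidates found in a block of text."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_files(files: dict) -> dict:
    """Map {filename: content} -> {filename: [masked PANs]} for files with hits."""
    return {name: pans for name, text in files.items() if (pans := find_pans(text))}


def scan_dir(root: str) -> dict:
    """Read every regular file under root (as text) and scan it; returns like scan_files."""
    files = {str(p): p.read_text(errors="ignore")
             for p in Path(root).rglob("*") if p.is_file()}
    return scan_files(files)


# Constructed sample: one dump file planted by a skimmer, one harmless log.
SAMPLE_FILES = {
    "media/tmp/.cache.txt": "4111 1111 1111 1111|12/26|123\n5555555555554444|01/27|456\n",
    "var/log/orders.log": "order=1234567890123 total=19.99 card=4111111111111112\n",
}

if __name__ == "__main__":
    for name, pans in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {len(pans)} unprotected PAN(s): {', '.join(pans)}")
```

The Luhn check removes roughly nine in ten random digit runs (order IDs, timestamps), but a hit still needs a human to confirm it before deleting the file, and the file itself should be preserved for the investigation into how it got there.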