The Clearsale Blog

Is Your E-Commerce Business Overlooking These Security Basics?


It's important to protect your business and customers from the many dangers posed by hackers and fraudsters online. Card-not-present (CNP) fraud isn't the only security risk merchants face online – data breaches are pervasive and even small e-commerce shops are at risk.

In 2018, SMBs made up 43% of all data breach victims, per the Verizon Data Breach Investigations Report (DBIR).

Here are five important but sometimes overlooked steps that you can take now to safeguard your online store and keep your customers' trust. 

Invest in a top-of-the-line SSL certificate.

Almost everyone with a website knows they need a secure sockets layer (SSL) certificate to show that their site is trustworthy. What many e-commerce shop owners don't know, especially when they first launch their stores, is that SSL certificates are not all the same. 

The free SSL option that comes with many web hosting plans may work well enough for a small site that doesn't have a lot of visitors entering payment information. But for the strongest possible encryption to protect your customers from data theft, and to fully validate your website's trustworthiness, you need an extended validation (EV) SSL. With an EV SSL, your visitors see the green padlock and a green bar with your company name, proving that you have the strongest SSL protection for their data.

Getting an EV SSL requires more steps than getting a free, basic SSL. You'll need to give your certification provider proof of:

  • Your business license or registration
  • Your DBA 
  • Your physical address
  • Your personal information 
  • Your signature on the EV SSL agreement

EV SSL fees start at a few hundred dollars a year. This is a worthwhile investment that protects your business and assures your customers that they can shop safely with you.

Get serious about patches and updates.

Timely software updates and patches are a must for every business, especially online stores. One of the top three ways hackers stole customer data from retailers last year, according to the DBIR, was by exploiting vulnerabilities in merchants' web apps. Hackers are happy to exploit other software vulnerabilities, too.

It's tempting to assume that security patch alerts are rare, but they're not. As of this writing, a quick glance at the tech headlines shows security patches deployed this week by Apple, Microsoft, Dell, Atlassian and other major tech providers. Hackers are always probing for weak spots where they can break in, which means that fraud prevention – including code patching – is a constant race to see who can stay a step ahead. 

Keep hackers from stealing your customers' payment card numbers and login credentials by keeping all your software up to date. Act on critical update alerts from your providers right away, follow the news on security patches and consider using a patch management service that continuously scans for and schedules patches and updates.

Make malware scans a priority.

With a program for patches and updates in place, your store will be protected against many types of malware. However, cybercriminals are always finding new ways to attack. When they spot a vulnerability that no one else has discovered, they can use it to put malware on your site. 

When that happens, you're looking at a zero-day exploit – one for which there's not yet a patch, because the good guys don't know it needs patching. Worse, that zero-day exploit may go undetected for days, months or even longer. During that time, your store can leak data until the vulnerability is found and patched.

There are other malware risks, too. Consider formjacking, a relatively new type of data theft. Formjacking steals data from website forms in a way that's often compared to card skimming at fuel pumps. Formjackers exploit weaknesses in web apps – often third-party tools that stores add to their sites – to insert code that steals customer data as it comes in. Without regular scans of all the code on your site, formjacking can be impossible to detect. 

The consequences of formjacking can be severe. In 2018, British Airways was formjacked by cybercriminals who stole payment data from more than 400,000 BA customers as they bought tickets. In addition to damaged customer trust and bad publicity, British Airways now faces a $229 million penalty – dubbed the "biggest data protection fine in history" – from the UK's Information Commissioner's Office.

To reduce your risk of formjacking and to detect zero-day exploits as soon as possible, your site needs anti-malware protection that continuously scans the code for elements that don't belong. 
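One way to check a checkout page for script elements that don't belong, shown as an added example rather than code from the original article or any scanning product. It compares every script on the page against an approved baseline; the host names, the sample page and the baseline are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse
class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external sources and inline bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attrs = dict(attrs)
            if attrs.get("src"):
                self.external.append((attrs["src"], attrs.get("integrity")))
            else:
                self._buf = []  # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def audit_page(html, allowed_hosts, known_inline_hashes):
    """Return (kind, detail) findings for scripts outside the approved baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.external:
        host = urlparse(src).netloc  # empty for same-origin paths
        if host and host not in allowed_hosts:
            findings.append(("unexpected-host", src))
        elif host and not integrity:
            findings.append(("no-sri", src))  # approved host, content not pinned
    for body in collector.inline:
        if hashlib.sha256(body.encode()).hexdigest() not in known_inline_hashes:
            findings.append(("unknown-inline", body[:40]))
    return findings

# Constructed sample checkout page and baseline; every name is a placeholder.
SAMPLE_PAGE = """<form id="checkout"><input name="card"></form>
<script src="/static/cart.js"></script>
<script src="https://payments.example/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://widgets.example/chat.js"></script>
<script src="https://cdn-analytics.example/collect.js"></script>
<script>initCheckout();</script>
<script>trackVisit();</script>"""
ALLOWED_HOSTS = {"payments.example", "widgets.example"}
KNOWN_INLINE = {hashlib.sha256(b"initCheckout();").hexdigest()}
```

Calling `audit_page(SAMPLE_PAGE, ALLOWED_HOSTS, KNOWN_INLINE)` reports three findings: a third-party script loaded without a Subresource Integrity hash, a script from a host that is not on the approved list, and an inline script that is not in the baseline.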

Put password security on your agenda.

We all know we should use unique, secure passwords on all our accounts – especially on our business accounts. We also know that no one should get 500 attempts to log in to your website. Unfortunately, bad password habits are still common, and they can make data breaches easy. If criminals can guess your login credentials, crack them with brute-force bot attacks, or buy them online, you can end up with strangers in your system, rummaging through your company's emails, databases and web apps.

Step up your password game by finding out if you're already compromised. Have I Been Pwned? is a website run by Microsoft regional director Troy Hunt. It has found more than 7.8 billion breached passwords for sale on the dark web. You can use the site to see if your passwords have already been compromised, so you can change them right away. You can also sign up for notifications, so you'll know if your team's passwords are ever stolen.

Next, strengthen your company's passwords and login process. Require everyone with internal access to use a strong password that's not used for any other account. Limit the number of login attempts that employees and vendors can make before they're locked out of the system and have to contact tech support. Though this may be a hassle for forgetful team members, it can prevent brute-force password cracking.

Cast a net to stop spear-phishing.

Phishing today is so much more sophisticated than the badly written cons of a few years ago. Now, criminals may attempt to impersonate you or members of your team in emails. For example, they may pose as you and email:

  • your employees, requesting urgent wire transfers.
  • your payroll team, asking them to route your direct deposit to a new bank account.
  • customers or employees, telling them to log in to a site (that then steals their account credentials).
  • vendors and partners, requesting sensitive information.

Whether they're after money, privileged information, database access, reward program information or customer payment data, phishers are a serious problem. They know how to make urgent requests seem compelling. They know that people won't send login credentials via email, so they've ramped up their use of phishing sites that look legitimate but capture login data. And their messages can get past secure email gateways that were originally designed to look for links and attachments that contained malware.

If your business is relying on email security tools that don't look for advanced email threats, it's time to shop for better protection, step up your anti-phishing training, and instruct your team not to transfer money or sensitive data without verifying those email requests by phone or face-to-face.

Each of these five steps adds a layer of security to your online store and your e-commerce business. But there's one more layer to add: keeping up with e-commerce security best practices. When you stay up to date on cybersecurity, you protect your customers, your revenue and your brand, and you won't have to worry about overlooking steps that can safeguard your business.

Original article at: https://www.business.com/articles/e-commerce-security-basics/ 
