
Protecting Your Website Against Cyber Threats


Just because you run a small eCommerce site, don't assume you are too small to attract the attention of cyber criminals. The facts are that 43 percent of all cyberattacks in 2018 were against small businesses.

Thankfully, most cyberattacks can be prevented with some basic security strategies.  Let's first take a look at the types of security threats you need to look out for.

  • Malware Infections. This is a term that covers worms, viruses, ransomware, Trojan horses, spyware and more. They can erase your data, infect the people who visit your site, steal your customers' data or even hold your site hostage in a "ransomware" attack. Malware can be uploaded to your site directly, but most infections happen because someone downloaded an infected file.
  • Distributed Denial of Service (DDoS) Attacks.  This crashes a site by overwhelming it with an onslaught of automated traffic.  Essentially, a hacker will cause thousands (or tens of thousands) of independent units to visit your site all at once.  This ties up your server to the point your real visitors can't access it.
  • Brute Force Attacks. Though less common, criminals use a software application to cycle through thousands of password combinations, trying to find one that grants them administrator access. Using 'Admin' for your username and '1234' for your password is just asking them to break in and create havoc.
  • Injections.  This uses a snippet of malicious code that tricks your site into doing something it shouldn't do, like exporting a database containing your customers' information.
  • Cross-site Scripting. In this scenario, user-supplied data is sent to a web browser without being validated first, which lets an attacker inject their own content. This diverts legitimate shoppers away from your site to theirs, costing you business.
  • Zero-day Exploits. Software developers are always testing to look for potential exploits a hacker could use to gain a backdoor into the software. When they discover a vulnerability, they issue a patch to prevent cybercriminals from getting in. When a hacker finds the vulnerability and gains entry before the developers can issue a patch, that's a zero-day attack.
  • Customer-end Vulnerabilities.  While this technically isn't a direct threat to the administration functions of your site, you could get blamed by your customers.  If your customer loses their password or chooses one that is easily guessed, a criminal could gain access to their account and make fraudulent purchases or gain access to their personal information.
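The "Injections" item above is easiest to understand with a concrete case. This is an added example, not code from the article: a tiny constructed customer table in an in-memory SQLite database, queried once by string concatenation (the defect) and once with a bound parameter (the fix); the table, rows and function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the illustration, not taken from the article.
CUSTOMERS = [
    (1, "alice@example.com", "Alice", "ORD-1001"),
    (2, "bob@example.com", "Bob", "ORD-1002"),
    (3, "carol@example.com", "Carol", "ORD-1003"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, email TEXT, name TEXT, last_order TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the query by pasting the user's input into the SQL text.

    Whatever the shopper types becomes part of the statement, so input that
    contains a quote and a condition of its own rewrites the WHERE clause and
    every row comes back: the 'export the database' outcome the article warns
    about."""
    sql = "SELECT email, name FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the driver binds the value separately from the
    SQL text, so it is only ever compared as data, never run as SQL."""
    sql = "SELECT email, name FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign = "alice@example.com"
    hostile = "x' OR '1'='1"          # constructed input that closes the quote
    print("vulnerable, benign :", lookup_vulnerable(db, benign))
    print("vulnerable, hostile:", lookup_vulnerable(db, hostile))  # all rows leak
    print("safe, hostile      :", lookup_safe(db, hostile))        # no match
```

The same rule applies to every query your shop software runs: the platform's own database layer should be doing the binding, and a plugin that builds SQL from request parameters by hand is a red flag.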

The good news is that there are things you can do to keep your eCommerce site safe, and most of them are simple to implement, inexpensive and require no technical knowledge. Let's look at the most common.

  • Choose the Right eCommerce Website Software.  There are a lot of choices from choosing a drag-and-drop template based program from a hosting company, to using a CMS software program you host yourself, to hiring a company to build it for you.  The right platform will help protect you from most threats, including malware, DDoS attacks, injections, cross-site scripting or zero-day exploits.  Shop around and compare features.
  • SSL Encryption. If people are buying products directly from your site, then you need to make sure your checkout flow is encrypted with SSL. This gives your site 'HTTPS' status instead of 'HTTP' and displays a green lock icon in the browser's URL field. This secures any information transferred between your customer's browser and your website server, helping to protect your customers' data. All good website hosts will offer the option to purchase an SSL certificate or include one in the hosting plan.
  • Only Collect the Customer Data You Need and Store It Offline. The less information you collect, the less there is for a thief to steal. When processing credit cards, use an encrypted checkout tunnel so that your own servers never see your customers' credit card data. One of the best strategies is to rely on a secure third party for customer data storage.
  • Use a Malware Scanner Regularly. Most malware infiltrates your site unnoticed and starts controlling user behavior or collecting user data. Using a malware scanner can alert you when your site is infected, and some even provide simple instructions on how to remove it. Tools such as CAPTCHA or honeypot fields can help distinguish legitimate users of your site from automated ones.
  • Require Customer Best Practices.  Require a minimum length for all user passwords with suggestions on how to make them stronger.  Many sites require a combination of uppercase, lowercase and special symbols.  Provide feedback to show when they meet the requirements.  You may also consider educating your customers on best practices for cybersecurity, such as logging out of their accounts, using private networks when possible and how to avoid some common online schemes.
  • Require Employee Best Practices.  Educate your employees on creating strong passwords and require them to be changed at regular intervals.  Make sure they know the risks of downloading or installing malware and other ways hackers try to trick employees into giving up security information.
  • Monitor Your Website Activity.  There are a variety of apps and online tools used to monitor what users are doing when accessing your site, including Google Analytics.  There are also security monitoring tools that can scan your website daily for suspicious activity. Make sure you have automatic notifications turned on.
  • Keep Your Site Patched and Updated.  Pay attention to new updates for any software used for your eCommerce site.  Turn on automatic updates so you don't miss a notice when they come out.
  • Back Up Your Data Regularly. Let's face it: software sometimes gets corrupted and your site can crash. Ransomware could also attempt to hold you hostage. Use automatic backups to make a copy of your website daily and store a copy of your database off-site (most use cloud storage). Most modern website software includes this as a standard feature.
  • Be Careful What You Download and Integrate. Many modern website platforms allow you to download new plugins and tools to enhance your site. Make sure they come from reputable sources, as cybercriminals can use these as bait to implant malicious scripts on your site.
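The "Monitor Your Website Activity" item, together with the brute-force threat described earlier, comes down to one question: which source is failing to log in over and over, and did it eventually succeed? As an added example that is not from the article or any particular product, here is a small detector run over constructed login-log lines; the log format (timestamp, source IP, username, result), the five-failures-in-five-minutes threshold and the function names are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real traffic: "timestamp ip user result".
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 admin FAIL
2024-05-01T10:00:02 203.0.113.7 admin FAIL
2024-05-01T10:00:03 203.0.113.7 admin FAIL
2024-05-01T10:00:04 203.0.113.7 admin FAIL
2024-05-01T10:00:05 203.0.113.7 admin FAIL
2024-05-01T10:00:06 203.0.113.7 admin OK
2024-05-01T10:05:00 198.51.100.4 alice FAIL
2024-05-01T10:05:20 198.51.100.4 alice OK
2024-05-01T11:00:00 198.51.100.9 bob FAIL
"""


def parse_line(line: str):
    """Split one log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def find_brute_force(log_text: str, max_failures: int = 5,
                     window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag source IPs with at least `max_failures` failed logins inside `window`.

    Returns {ip: {"failures": n, "users": set, "succeeded_after": bool}}.
    A burst that ends in a successful login is the urgent case: it suggests
    a password was guessed rather than a shopper mistyping one."""
    recent_failures = defaultdict(list)   # ip -> timestamps inside the window
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, ok = parse_line(raw)
        if ok:
            if ip in alerts:               # success right after a flagged burst
                alerts[ip]["succeeded_after"] = True
            recent_failures[ip].clear()    # a login resets the sliding window
            continue
        recent = [t for t in recent_failures[ip] if ts - t <= window] + [ts]
        recent_failures[ip] = recent
        if len(recent) >= max_failures:
            entry = alerts.setdefault(
                ip, {"failures": 0, "users": set(), "succeeded_after": False})
            entry["failures"] = max(entry["failures"], len(recent))
            entry["users"].add(user)
    return alerts


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG).items():
        print(ip, info)   # the constructed burst against 'admin' is reported
```

Wire the output to the automatic notifications the article recommends, and treat a flagged source whose burst ended in a successful login as an incident to act on (password reset, session revocation), not just a statistic.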

There is no such thing as a foolproof website if a hacker really wants to get in. But most criminals are lazy and will go after the low-hanging fruit. If you are aware of the tactics they use and follow good security practices, you will prevent the vast majority of infection and hacking attempts against your site.