

Credit card fraud, stolen identities, ransomware, phishing. We have all read about cybercrime in recent years. According to Symantec, Belgium ranks 33rd worldwide among the countries most affected by hackers. If you think that as a small business you are not a target for cybercriminals, think again. Anyone can fall victim to cybercrime, and e-commerce is one of the most attacked industries. How do you protect your e-commerce website from hackers? Here are 11 essential cybersecurity tips to secure your website or web shop.
1. Educate your employees about acting safely online
According to a study by Willis Towers Watson, 66% of all cybercrimes result from careless or unknowing employees: they download unknown programs from the Internet or open a fake email containing malware without realising it. As an employer, make your staff aware of how these attacks work and establish a list of best practices. Some of these best practices are:
- Use strong passwords, ideally generated and stored by a password manager such as LastPass (no personal information, a different password for every account, long passwords combining numbers, letters and special characters)
- Never open personal emails at work
- Do not open emails from unknown senders
- Do not use personal USB sticks at work
- Do not download unknown files
- If you work from home, connect to the company network through a VPN
Email security is especially important. According to Verizon research, 92% of all malware is still delivered by email, and most phishing also arrives by email. Train your employees to recognise a suspicious message (an unexpected attachment, a link whose real address differs from the displayed text, a request for credentials or an urgent payment) and give them an easy way to report it instead of just deleting it.
2. Use access management
Even when your employees understand what they can and cannot do, some employees have bad intentions. That is why access management matters. Access management (the principle of least privilege) ensures that each person can only reach the files and systems they need for their job. No single account can reach everything, so stealing or leaking data becomes much harder, and the damage from one compromised account stays limited.
It is just as important that accounts and permissions are revoked when they are no longer needed. Imagine dismissing an employee without disabling their account: a disgruntled former employee can log back in afterwards and steal or delete your files to get revenge on your company. Tie offboarding to a checklist that disables the account, removes its access to third-party services and rotates any shared passwords the same day, and review periodically for accounts nobody has used in months.
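The access-management rules above, as an added example that is not part of the original article: a minimal role-based check with deny-by-default, immediate revocation at offboarding and a report of stale accounts. The role names, permissions, users and dates are assumptions made up for the demo.

```python
"""Added example (not from the original article): a minimal role-based
access check with deny-by-default, immediate revocation at offboarding and
a stale-account report. Role names, permissions, users and dates are
assumptions made up for the demo."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Each role carries only the permissions that job needs (least privilege).
ROLE_PERMISSIONS = {
    "shop_admin": {"orders:read", "orders:refund", "products:write", "users:manage"},
    "support": {"orders:read"},
    "marketing": {"products:write"},
}


@dataclass
class Account:
    username: str
    roles: set = field(default_factory=set)
    active: bool = True
    last_login: "date | None" = None


class AccessManager:
    def __init__(self):
        self._accounts = {}

    def add_account(self, username, roles, last_login=None):
        unknown = set(roles) - ROLE_PERMISSIONS.keys()
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self._accounts[username] = Account(username, set(roles), True, last_login)

    def revoke(self, username):
        """Offboarding: disable the account and strip every role at once."""
        acct = self._accounts[username]
        acct.active = False
        acct.roles.clear()

    def is_allowed(self, username, permission):
        """Deny by default: unknown or disabled accounts get nothing."""
        acct = self._accounts.get(username)
        if acct is None or not acct.active:
            return False
        return any(permission in ROLE_PERMISSIONS[role] for role in acct.roles)

    def stale_accounts(self, today, max_idle_days=90):
        """Active accounts nobody has used recently: candidates for revocation."""
        cutoff = today - timedelta(days=max_idle_days)
        return sorted(a.username for a in self._accounts.values()
                      if a.active and (a.last_login is None or a.last_login < cutoff))


def demo():
    today = date(2024, 3, 1)  # constructed date for the demo
    am = AccessManager()
    am.add_account("alice", ["shop_admin"], last_login=today)
    am.add_account("bob", ["support"], last_login=today - timedelta(days=3))
    # carol left months ago but her account was never removed
    am.add_account("carol", ["marketing"], last_login=date(2023, 6, 1))
    results = {
        "bob reads orders": am.is_allowed("bob", "orders:read"),
        "bob issues refund": am.is_allowed("bob", "orders:refund"),
        "stale before cleanup": am.stale_accounts(today),
    }
    am.revoke("bob")
    results["bob after offboarding"] = am.is_allowed("bob", "orders:read")
    results["unknown user"] = am.is_allowed("mallory", "orders:read")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point of `stale_accounts` is the second half of the tip: revocation is not only for the day someone leaves, it is a recurring check, and an account that has not logged in for three months is usually one that should not exist.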
3. Make backups
If hackers delete or encrypt your files, as ransomware does, it could have dire consequences for your business. Therefore, make regular backups of all important files, from the files for your website to your customer database. Keep at least one copy offline or otherwise unreachable from the live systems, so that an attacker who gets in cannot wipe the backups together with the originals, and test restoring from them regularly: a backup you have never restored is not a backup you can count on.
4. Check for PCI DSS compliance.
PCI DSS is the security standard for payment card data. If you accept payment cards, you are required to comply with it; its requirements describe how card and transaction data must be kept secure. If you use a hosted provider such as Shopify for your e-commerce, check that it is PCI DSS compliant and find out which requirements remain your responsibility (your own website, your admin accounts, your staff): outsourcing payments reduces your scope, it does not remove it.
5. Require the CVV code
If you give users the option to pay by credit card, require the CVV code. Cybercriminals often have the card number but not the card itself, and because the CVV is printed only on the card and may not be stored by merchants, demanding it makes paying with stolen card data harder. It is not a guarantee: complete card data including the CVV is also traded, so combine this with the transaction monitoring described under tip 9.

6. Keep track of what information you store
Your users hand over a lot of information on your e-commerce website, and it is sensitive data that you need to manage carefully. Do not keep anything you do not need, such as full credit card numbers, expiration dates and especially CVV codes. PCI DSS forbids storing the CVV at all once a payment has been authorised, so there is no "secure" way to keep it. If you need to charge a card again later (subscriptions, one-click checkout), let your payment provider tokenize the card: you store only the token plus the last four digits and the expiry date for display, while the real card data stays encrypted in the provider's vault and never touches your database.
7. Make use of HTTPS and TLS/SSL.
When you visit most websites, this is done through the HTTP protocol. However, plain HTTP does not encrypt your data, so anything can be read if the traffic is intercepted. HTTPS is HTTP over a TLS connection (older versions of the protocol were called SSL, which is why people still speak of an "SSL certificate"); it encrypts the data in transit and lets the browser verify that it is really talking to your server. To use it you need a TLS certificate for your domain. You do not have to buy one: Let's Encrypt issues them for free and many hosting providers install and renew them automatically. Once it is in place, redirect all HTTP requests to HTTPS so that no page, and certainly not the checkout, is ever served unencrypted.
8. Protect your website from DDoS attacks
A DDoS (distributed denial-of-service) attack floods a server with a very large number of requests from many sources at once. The server overloads and becomes inaccessible, so your website is offline for a period of time and you lose potential revenue.
You can protect yourself from DDoS attacks in several ways. There are configurations you can apply on your own network infrastructure, such as rate limiting and dropping malformed traffic. There are also anti-DDoS hardware and software solutions, including cloud-based services that absorb the flood before it reaches your server. Because there are different DDoS techniques (volumetric floods that saturate your connection, protocol attacks, and application-layer floods aimed at expensive pages such as search or checkout), you had better combine several measures to protect your shop or website.
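One of the software-side measures mentioned above, as an added example that is not part of the original article: a per-client token-bucket rate limiter, the mechanism behind "rate limiting" settings in web servers and API gateways. The limits, IP addresses and traffic pattern are assumptions chosen for the demo, and the clock is injectable so the behaviour can be checked without waiting.

```python
"""Added example (not from the original article): a per-client token-bucket
rate limiter as one layer against application-level request floods.
Limits, client addresses and the simulated traffic are assumptions."""
import time


class TokenBucketLimiter:
    """Each client starts with `capacity` tokens; a request costs one token and
    tokens refill at `refill_per_sec`. Short bursts up to `capacity` pass,
    sustained traffic is capped at `refill_per_sec` requests per second."""

    def __init__(self, capacity, refill_per_sec, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock
        self._buckets = {}  # client -> [tokens, last_update]

    def _bucket(self, client):
        if client not in self._buckets:
            self._buckets[client] = [self.capacity, self.clock()]
        return self._buckets[client]

    def allow(self, client):
        """Return True if the request may proceed, False if it should be
        rejected (HTTP 429) without doing any expensive work."""
        bucket = self._bucket(client)
        tokens, last = bucket
        now = self.clock()
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens >= 1:
            bucket[0], bucket[1] = tokens - 1, now
            return True
        bucket[0], bucket[1] = tokens, now
        return False


class FakeClock:
    """Manual clock so the simulation below is deterministic."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate():
    """Constructed traffic: one source hammers the server, a normal shopper
    sends one request per second. Addresses are documentation ranges."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity=20, refill_per_sec=5, clock=clock)
    flooder, shopper = "203.0.113.7", "198.51.100.2"

    # 100 requests in the same instant: only the burst capacity gets through
    flood_first = sum(limiter.allow(flooder) for _ in range(100))
    clock.advance(1.0)
    # one second later only 5 tokens have refilled
    flood_second = sum(limiter.allow(flooder) for _ in range(100))

    # the shopper's one request per second is never affected
    shopper_allowed = 0
    for _ in range(10):
        shopper_allowed += limiter.allow(shopper)
        clock.advance(1.0)
    return {"flood_first": flood_first, "flood_second": flood_second,
            "shopper": shopper_allowed}


if __name__ == "__main__":
    print(simulate())
```

This only helps against floods that reach your application; a volumetric attack saturates your network link before any of this code runs, which is why the upstream protection mentioned above is still needed. In a real deployment the bucket state lives in a shared store such as Redis so that all web servers enforce the same limit.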
9. Monitor transactions on your online store
Monitoring your transactions lets you detect credit card fraud while it is taking place. When a user makes multiple purchases, each with a different credit card, something is not right. If this is noticed in time, you can cancel or pause the order until the user has been contacted.
A billing address that does not match the delivery address is another signal. In that case you should not immediately cancel the order, but you may need to treat this account with extra attention in the future.
This monitoring can be automated with tools that check every transaction, flag suspicious users or orders and send you a notification so you can decide what to do. Some tools that can detect fraud are:
- Subuno
- Riskified
- Signifyd
- Sift Science
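The two rules described above (several cards on one account, billing and shipping addresses that differ) as a small rule engine over a constructed order log. This is an added example, not code from the article or from any of the tools listed; the thresholds, field names and sample orders are assumptions, and real fraud tools weigh many more signals.

```python
"""Added example (not from the original article): rule-based transaction
monitoring over constructed sample orders. Thresholds and field names are
assumptions; `card_hash` stands for the token or fingerprint your payment
provider returns, never the card number itself."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders (not real data): one account cycles through
# cards, one has a billing/shipping mismatch, the rest are ordinary.
ORDERS = [
    {"id": 1, "user": "u100", "card_hash": "c1",
     "billing_country": "BE", "shipping_country": "BE", "ts": "2024-03-01T10:00:00"},
    {"id": 2, "user": "u100", "card_hash": "c2",
     "billing_country": "BE", "shipping_country": "BE", "ts": "2024-03-01T10:05:00"},
    {"id": 3, "user": "u100", "card_hash": "c3",
     "billing_country": "BE", "shipping_country": "BE", "ts": "2024-03-01T10:07:00"},
    {"id": 4, "user": "u200", "card_hash": "c4",
     "billing_country": "NL", "shipping_country": "RO", "ts": "2024-03-01T11:00:00"},
    {"id": 5, "user": "u300", "card_hash": "c5",
     "billing_country": "BE", "shipping_country": "BE", "ts": "2024-03-01T12:00:00"},
]

MAX_CARDS_PER_WINDOW = 2      # assumed threshold
WINDOW = timedelta(hours=24)  # assumed look-back window


def evaluate(orders, max_cards=MAX_CARDS_PER_WINDOW, window=WINDOW):
    """Return {order_id: (action, reasons)}. 'hold' pauses the order for
    manual review, 'review' lets it through but marks the account,
    'ok' needs no action."""
    cards_seen = defaultdict(list)  # user -> [(timestamp, card_hash), ...]
    decisions = {}
    for o in sorted(orders, key=lambda o: o["ts"]):
        ts = datetime.fromisoformat(o["ts"])
        user_cards = cards_seen[o["user"]]
        reasons = []

        # Rule 1: too many distinct cards on one account inside the window.
        recent = {card for t, card in user_cards if ts - t <= window}
        recent.add(o["card_hash"])
        user_cards.append((ts, o["card_hash"]))
        hold = len(recent) > max_cards
        if hold:
            reasons.append(f"{len(recent)} different cards on one account within {window}")

        # Rule 2: billing and shipping address do not match (watch, don't block).
        if o["billing_country"] != o["shipping_country"]:
            reasons.append("billing and shipping country differ")

        action = "hold" if hold else ("review" if reasons else "ok")
        decisions[o["id"]] = (action, reasons)
    return decisions


if __name__ == "__main__":
    for order_id, (action, reasons) in evaluate(ORDERS).items():
        print(order_id, action, "; ".join(reasons))
```

Feeding the rules in time order matters: order 3 is held because two other cards were already used on the same account within the window, while the first two orders pass. Run the same evaluation on the last few months of real orders before switching it on, so you see how many legitimate customers the thresholds would have inconvenienced.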
10. Help your customers protect themselves
You can take as many security measures as you want; if your customers choose an easy password they are still an easy target. That is why it is worth requiring your customers to choose a strong password that follows some rules, such as:
- A combination of numbers, letters and special symbols
- A minimum length (length does more for strength than forced symbols)
- Not on a list of commonly used or previously breached passwords, and not containing their own name or email address
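A sign-up check implementing those rules, as an added example that is not part of the original article. The minimum length and the tiny deny-list are assumptions for the demo; in production you would check against a full breached-password list.

```python
"""Added example (not from the original article): a password policy check
for customer sign-up. MIN_LENGTH and the small deny-list are assumptions;
in production use a large breached/common-password list."""
import re

MIN_LENGTH = 12  # assumed minimum

# Constructed stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(password, username="", email=""):
    """Return the list of reasons the password is rejected; empty means accepted."""
    problems = []
    lowered = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = sum(bool(re.search(pattern, password)) for pattern in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("use at least three of: lowercase, uppercase, digits, symbols")

    # Reject well-known passwords, also when they are merely embedded
    # ("Password2024!" is still built on "password").
    if lowered in COMMON_PASSWORDS or any(common in lowered for common in COMMON_PASSWORDS):
        problems.append("too common")

    # Reject passwords that contain the customer's own identifiers.
    local_part = email.split("@")[0] if email else ""
    for personal in (username, local_part):
        if personal and len(personal) >= 4 and personal.lower() in lowered:
            problems.append("contains your username or email")
            break

    if re.search(r"(.)\1{3,}", password):
        problems.append("contains a character repeated four or more times")

    return problems


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3Xy!z", "alice.smith2024!!X"):
        print(candidate, "->", check_password(candidate, username="alice") or "accepted")
```

Whatever policy you enforce, store the password only as a salted, slow hash (argon2id or bcrypt), never in a form that can be reversed, so that a database leak does not hand the passwords to the attacker.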
Allowing your customers to use two-factor authentication is also definitely recommended. Two-factor authentication means they prove their identity with a second method in addition to their password. Authentication factors come in three forms:
- Something you know (e.g., a password)
- Something you have (e.g., an application, hardware key,...)
- Something you are (e.g., a fingerprint, iris scan, facial recognition,...)
The most common factor is "something you know", since you need a password for nearly everything. For a website, the most common form of two-factor authentication combines "something you know" with "something you have", using one of the following options:
- An application such as Authy, Google Authenticator, LastPass Authenticator, … (time-based one-time codes)
- A text message (the weakest option, since SIM swapping and interception attacks can redirect it; still better than a password alone)
- An email
- A hardware key such as YubiKey, HALBERD, Titan Security Key, … (the strongest option, as it cannot be phished)
11. Get your website attacked
By now you are probably thinking "why would I want to get hacked?". This is a perfectly normal question, but the answer is not so far-fetched. When your website is attacked under controlled conditions, you immediately learn where the gaps in your security lie. For this, you hire a penetration tester.
A penetration tester attacks your website just as a hacker would, only without bad intentions. You hire them, and their job is to report how they were able to break in and how you can fix the problems or vulnerabilities they found. Agree the scope and rules in writing beforehand, fix what they report, and have the fixes re-tested. By doing so, you prepare yourself and make your website more resistant to the real cybercriminals!
Because of the large number of possible attacks, there is always a risk that your web shop will fall victim to cybercrime. If you follow these tips, however, your e-commerce website will already be a lot safer. That security also gives your customers confidence, and confident customers return to your website sooner.