1. Educate your employees
According to a study by Willis Towers Watson 66% of all successful cybercrime is the result of employees. A big part of these employees doesn’t do this intentionally, but because of a lack of knowledge. This can range from downloading unknown files from the internet to opening a false email that’s infected with malware. Because of this lack of knowledge, it’s important to make a list of best practices and give your employees a small course about their online behavior. Some of these best practices are:
- Use strong passwords (No personal information, unique passwords for everything, long and complex passwords that are a combination of numbers, letters and special characters)
- Don’t open personal e-mails at work
- Don’t open e-mails from unknown senders
- Don’t use personal USB-sticks at work
- Don’t download unknown files from the internet
- When working remotely, a VPN should be used to connect to the secure company network
Especially the security concerning e-mails is important. According to an investigation from Verizon 92% of malware is still delivered and spread through e-mails. Phishing is another technique that’s mainly used by e-mail. For this reason, your employees should be educated about all possible dangers, and their consequences, on the internet.
2. Use Access management
Even when all your employees understand what they should and shouldn’t do, sometimes there are employees with bad intentions. Because of this, it’s important to use an access management system. Access management should make sure that files can only be accessed by people that need to use these files for their work. This makes sure that it’s harder to steal a lot of files because employees can only access what they need and nothing else.
It’s also important to revoke accounts and permissions when they’re no longer needed. Imagine you fire an employee, but his account isn’t deleted. This employee can log back into your system and steal or delete files just to take revenge on your company.
3. Make back-ups
If your files are deleted by an external actor like a hacker or by an employee with bad intentions, this could have some serious consequences for your company. That’s why it’s important to make regular back-ups of all your important files. Those files can range from your website files to your client database.
4. Check whether or not you are PCI DSS compliant
The PCI DSS guidelines are a security standard for data collected from credit cards. When credit card payments are possible on your website, it’s advised to be PCI DSS compliant. These guidelines inform you about how to securely store credit card and transaction data. If you use an e-commerce provider like Shopify for your e-commerce, it’s advised to check whether they are PCI DSS compliant.
5. Require CVV-code
When customers can pay with their credit cards, it’s safer to require their CVV-code. Cybercriminals often have access to the credit card number but not to the actual card. By requiring the CVV-code, it’s harder for cybercriminals to make payments with stolen credit card information.
6. Keeping essential information
Because users enter a lot of personal information on e-commerce websites, it’s important to be careful with their, sometimes sensitive, information. It’s advised to store only the necessary information and no information like users’ credit card numbers, CVV-codes or expiration dates of credit cards. If you do want to keep this information, you should use techniques like tokenization and end-to-end encryption.
7. Use HTTPS and TLS/SSL
When you visit most websites, this is done through the HTTP protocol. This protocol doesn’t encrypt your data, which means everything can be read when the data is intercepted during transport. HTTPS is the secure version of the HTTP protocol because it does encrypt your data by using a TLS connection. To use HTTPS for your website, you have to buy an SSL certificate and add it to your website.
8. Protect your website from DDoS-attacks
A DDoS attack is executed by sending a huge number of fake requests to a server. This causes the server to be overloaded and making it unreachable for valid requests. When this happens to your website, it can cause your website to go offline for a certain period. This results in the loss of possible revenue.
You can protect yourself from DDoS attacks in different ways. There are a couple of configurations that you can apply to your network devices. You could also buy anti-DDoS hardware or software solutions. Because there are multiple DDoS techniques, it’s advised to use a combination of different protective solutions to make your website more secure.
9. Monitor your transactions
By monitoring your transactions, you can detect if credit card fraud is taking place on your website. When a user does multiple purchases, but all of them are done with different credit cards, there is a big chance that something is wrong. If this is caught in time, you can cancel or pause the orders until you’ve contacted the user.
Even when the billing and delivery address don’t match, you could start asking some questions. Because this is less suspicious than the previous example, you shouldn’t immediately cancel the order, but it might be a sign to pay more attention to this user in the future.
This monitoring can also be done automatically with tools that monitor all transactions and mark all suspicious users or transactions. These tools can even be configured to notify you, so you can decide what the final decision will be. Some of these fraud detection tools are:
- Sift Science
10. Help your customers
You can take as many safety measures as you want, but when your customers use easy password, they’re still an easy target. Because of this, it’s useful to force your customers to choose a strong password that follows certain guidelines like
- Combination of numbers, letters, and special characters
- Password of at least x-amount of characters
Giving your clients the possibility to use 2-factor-authentication is also a good choice. 2-factor-authentication allows customers to use another method of authentication in combination with their password. The idea of 2-factor-authentication comes from the different ways a user can verify his identity. There are three methods to do this and 2-factor-authentication forces a user to verify his identity through two of those three methods. The three methods are:
- Something that you know (e.g. a password)
- Something that you have (e.g. an application, hardware key, …)
- Something that you are (e.g. a fingerprint, iris scan, facial recognition, …)
The most used method to identify someone is through “something that you know” since almost every website requires you to use a password. For websites, the most used method for 2-factor-authentication is a combination of “something you know”, your password, and “something you have” by using one of the following options.
11. Let your website get hacked
At this point, you’re probably thinking “Why would I let my website get hacked?” and this is a valid question since everything we’ve talked about is to prevent this from happening. That being said, the answer isn’t that far-fetched. When you let your website get hacked by someone, you immediately know where the holes in your security are. The way to test this is by hiring a penetration tester.
A penetration tester will try to attack your website just like a normal hacker would do this, the only difference is that the penetration tester doesn’t have any bad intentions. Since he is hired by you, his goal is to identify vulnerabilities and inform you about them and how to fix them. This makes sure your website and your customer data is more secure in the future.
Due to the large amount of possible attacks, there is always a chance that you and your website will be the victim of cybercrime. If you follow all these tips, your website will be a lot safer and it may dissuade future attackers. This safety also inspires trust towards your customers and this trust can cause them to return to your website in the future.
Don’t forget to sign up for our newsletter at the bottom of the page if you’re interested in more e-commerce news.