Whether you’re an individual or an established enterprise, when you venture into eCommerce you intrinsically accept specific responsibilities. Your customers, employees, and vendors count on you to follow best practices in keeping your website and your data safe and secure.
Some are lulled into a false sense of security, thinking that they’re not in the crosshairs of hackers. It’s a misconception that hackers and other bad actors only target websites that belong to large companies and well-known brands. It’s actually quite common for malicious individuals to take the opposite path. They often target websites simply because those sites have easily identifiable vulnerabilities that automated scanners can discover. Much like Google crawls websites in order to add them to search results, hackers crawl websites looking for sites with security holes.
Why Do Hackers Bother Targeting eCommerce Websites of All Sizes?
Different attacks target different outcomes for the perpetrators. For instance:
- Stealing credit card data during the checkout process
- Redirecting traffic to other websites
- Installing malware on the computers and devices your shoppers use to visit your website
- Using your hosting account as a platform to send out spam e-mails
- Hijacking your site or data in order to ransom it back to you
- Industrial espionage, such as stealing your customer and order data
- General mischief, including making social or political statements
In many cases, a smaller website may be a softer target for hackers to penetrate since it may not be up-to-date with the latest security patches and protection, and may not be monitored as consistently for signs of intrusion. In essence, hacking the eCommerce website of a Fortune 500 company may simply be too much trouble for most hackers… but your website may not be.
Am I Completely Safe if I’m on a SaaS Solution?
With a SaaS solution like BigCommerce or Shopify, much of your security is maintained by your eCommerce software provider. However, you still have eCommerce security responsibilities. Here are a few of the top areas that should be part of your security plan:
- Least Privilege Access: Employees and vendors should only have access to your eCommerce admin and related accounts if they need it, and that access should be turned off as soon as they no longer need it. Even while they do have access, it should be limited to the resources they actually need. For instance, an employee who helps to fulfill orders does not need access to change the code on your website or adjust credit card processing settings.
- Coding: Your store includes editable code, such as your theme, which is customizable. You are responsible for the quality of your website code. If your developers don’t follow best practices, you may be susceptible to certain types of attacks.
- Apps: One of the most overlooked risks relates to the apps that you choose to operate in your store. Apps are typically hosted and managed by 3rd parties. While it’s easy to assume that app developers are taking appropriate measures to safeguard your website and data, that’s not always the case. Be selective in which apps you use, and try to limit yourself to add-ons that provide essential functionality for your website.
- Integrations: If you’re using a platform to connect data to and from your website, it’s important that you’re doing so with security in mind. This includes using secure systems and secure protocols, including the use of SSL certificates to encrypt data in transit.
- Add-ons: If you have a portion of your website managed by other software, such as a blog powered by the WordPress CMS, you need to be sure that these portions of your site are updated and secured. If hackers penetrate such assets, they can redirect your customers elsewhere or otherwise damage your reputation and customer relationships.
- Headless Commerce: One of the trends amongst SaaS eCommerce businesses is the deployment of more flexible frontend CMS systems, like WordPress and Drupal. In such instances, you need to make sure that your frontend website is secure and protected. Any time that you’re selecting a host for a system or site that will be part of or interconnected with your eCommerce site, make sure the host has a focus on eCommerce websites and mission-critical applications.
What if I’m on an Open Source Platform?
Open-source eCommerce platforms like Magento allow you to tailor your website to meet the flexible needs of your business while simultaneously allowing you to wow your shoppers with more unique experiences. However, with a more flexible and robust system, there’s a trade-off. You, your developers, and your web hosting provider are responsible for working together to address additional safety needs, such as:
- eCommerce Security updates: As software updates and security patches are released for your eCommerce platform, you’re responsible for testing these and applying them to your live website.
- Extensions/Plugins/Modules: Additionally, you need to apply updates for extensions, plugins, and/or modules that you’ve installed. As with apps, it’s best to minimize your use of such add-ons to limit your exposure to potential security threats. It’s also important to be selective about which add-ons you choose, such as by procuring software that has undergone code review by an independent 3rd party, much the way that extensions in the Magento Marketplace undergo a review before Magento makes them available to the public.
- Hosting updates: Like your eCommerce software, your hosting account needs to be kept up to date. That means everything from hosting software like PHP to the SSL certificates that encrypt data needs to be maintained.
- Firewalls: Your site needs to be behind firewalls. Whether your host is using physical firewall appliances, virtual Web Application Firewalls (WAF), or preferably both, these need to be configured properly and kept up-to-date to block new threats. There are CDNs like Cloudflare that include a WAF, helping you to improve both loading speed and security with one combined solution.
- Auditing: Your eCommerce site should be audited for security issues periodically. As your website and hosting account are updated, and as security standards and protocols evolve, it’s easy for a weakness to appear in your armor. It’s best for both your web host and developers to participate in this process.
- PCI Compliance: It may seem obvious, but regardless of the requirements placed on your business, your eCommerce website should be PCI Compliant. This is a standard for how credit card data is kept secure. Let’s face it, your data should be transmitted and stored securely. Keep in mind that PCI Compliance is not the same as holistic security and auditing. Just being PCI Compliant does not guarantee that your site is safe and secure, but it is a great step in the right direction.
- Monitoring: Proactive security is not enough to protect your business. You also need reactive security. In other words, if a hacker takes advantage of something that your proactive shielding can’t detect, or if you accidentally leave a door open to hackers, you want to detect signs of their activity as quickly as possible, clean up any damage, and close the security hole. Most attacks aren’t instantaneous, so you may be able to repel an attack before any serious damage is done to your website, your clients, or your reputation.
- DDoS Protection: In some attacks, your site will be bombarded with fake traffic. The goal is to overwhelm your website hosting environment in order to slow down or take down your website. These attacks can be sustained over time, so they can be a major issue for your business. In general, your eCommerce hosting environment should be set up to handle traffic spikes and DDoS attacks.
In the security world, as with most things in life, an ounce of prevention is worth a pound of cure. A data breach or hijacking can be tough to recover from. Shoppers are already wary about identity theft and other risks online. Once they see your website as problematic, that stigma may impact your customer lifetime value (CLV) and other metrics that are crucial to the health of your business. You should have a specific security plan tailored to your business in order to minimize risk and maximize your chances for a stable, secure, and growing business.
Robert is the head of partnerships at JetRails, a mission-critical eCommerce hosting service that provides Headless Commerce website hosting for BigCommerce users. Robert has over a decade of experience in helping merchants benefit from sound eCommerce and Digital Marketing strategies, assisting organizations of all types and sizes to grow and succeed via digital commerce. Robert is a frequent author and thought contributor in the eCommerce industry, and is the host of The JetRails Podcast.