With modern platforms such as WordPress, WooCommerce, Magento, and Shopify, it’s now easier than ever to create an online store. However, many online retailers are not cybersecurity experts and might not be sure where to get started with securing their site.
The endless possibilities of e-commerce have saved lots of small businesses and been the inspiration for many millions more that otherwise wouldn’t have existed or been viable. The sector continues to grow at an impressive pace and looks to become the dominant force in retail before very long.
Yet…all e-commerce ventures inevitably handle customer data and are therefore subject to regulations such as GDPR, which mandates that personal data such as names and addresses must be kept secure. When you add in the fact that all online shops also have to deal with payments of one sort or another, the value in a bad actor hacking these businesses becomes obvious, and it may bring in the additional challenge of PCI compliance, which mandates regular penetration testing.
Penetration Testing is one very effective way to find out about security issues in your site, so that they can be addressed. If you want to know more, you can check out our “What is PenTesting?” article to find out more, but in short – we test your site for security issues and give recommendations on how you can better secure it.
A lower cost alternative to a full manual penetration test, is a vulnerability scan. These can still find basic and common weaknesses in websites, so they’re a good starting point if you’re new to all this – or a good alternative if budgets are tight and you’re not yet big enough for penetration testing to be mandated.
The consequences for screwing up your security can be pretty severe, for example there are monetary fines that can be issued for a breach of GDPR, but also there’s the potential for pretty significant brand damage is your customers find out that you’ve not been keeping their data safe enough.
The “It will never happen to me, we’re such a small business” approach just doesn’t work. Smaller e-commerce companies have just the same problems as much larger companies – such as having to keep your software up-to-date, having to lock down your site’s configuration so that hackers can’t break in, and needing to make sure passwords and other credentials are secure.
Additionally, many small business owners have no idea how to make a website secure. We frequently hear that the owner thought their hosting provider provides all the cybersecurity they need, and in fairness “secure hosting” is a common marketing term within the hosting industry. However, this protection may be very limited, such as only covering the host server and not your e-commerce platform, leaving large parts of security firmly your responsibility – or only checking the security during the initial setup, and then leaving you on your own.
So, how can we help small business’s stay safe?
We offer cybersecurity testing for all major e-commerce platforms, WordPress, Magento, PrestaShop or something else – we can give guidance on locking down your site, perform a security test for you, and help you secure your site and customer data. This scales to your business size and requirements, so even if you’re a very small retailer, we can put together something appropriate for your needs.
All that said, what can you practically do today to review and improve your website’s security? Updates, passwords, and notifications.
Updates: hopefully in 2022 everyone knows that you should install security updates, as they address known security vulnerabilities that can lead to your systems being compromised. But more than that, you should install them quickly. With popular platforms such as WordPress and Magento, if a serious security vulnerability is found and becomes publicly known, hackers will very quickly start scanning the web for sites that are affected. The faster you can install that update to address the issue the better. In fact, platforms such as WordPress now offer automatic updates for both the core system and plugins to ensure those issues are addressed as quickly as possible.
Passwords: weak passwords and password guessing are still a very common way that sites get compromised. In the very least you should be aiming to make stronger passwords to secure you accounts. Ideally, you’d go one step further a look to enable multi-factor authentication on your accounts.
Notifications: something that often gets missed when talking about cybersecurity is security notifications. When a new issue is found in a product that you use, how do you get informed about it? Well whether it’s following the right accounts on twitter or subscribing to a newsletter about security updates, it’s worth having something in place to make sure you stay up to date. For example. Adobe has a Security Notification Service for notifications about their products.
Penetration Testing: how often should you test?
The truth is, it’s very unlikely you’ll even get a strong answer from an organisation as to how frequently you should test. Even organisations like the NCSC, who offer guidance to UK businesses on how to stay secure, don’t give a direct answer to the question. However, they may comment [...]| Play | Cover | Release Label |
Track Title Track Authors |
|---|