10 ways to secure your ecommerce site from cyber-attacks

shipworks-blog_cyber_attacksBy guest author Sheza Gary, project strategist

If you’re running an ecommerce site, you know one of the most important things is your site security. You’re collecting sensitive information from your customers, including their mailing address and credit card information. If a hacker steals any of that data, your reputation as a secure, trustworthy business is going to take a huge hit, and you’re likely to lose many customers. To make sure that doesn’t happen, here are 10 things to do to protect your ecommerce site.

1. Use the right hosting

Finding the right webhost is the first step to setting up a secure ecommerce site. Some web hosts are designed for hosting business sites, while others are more general and used mainly for personal blogs and the like. The former type has much more security than the latter. You also want to make certain you get a dedicated hosting plan because it’s more secure. Having a dedicated server all to yourself adds additional security since shared users can lead to security breaches and other issues.

2. Encrypt your data

Encrypting your data when transmitting it is vital to avoid eavesdropping and other types of cyber-attacks that can intercept the transmissions and read what you’re sending. Using SSL certificates to protect financial information is a must since it will make certain any data you’re sending is only readable by the recipient. It’s also important that you encrypt all stored data so that it cannot be lifted from your server.

3. Use a secure platform

There are many different ecommerce platforms out there you can choose from, but some are much more secure than others. You want to look for a platform that makes use of an object-oriented programming language, has strong security credentials, and provides a number of different security tools. Anyone who has access to your ecommerce platform needs to use a secure password and should change that password on a regular basis to help decrease the chance that it could be stolen or hacked.

4. Comply with PCI regulations

If your business accepts credit or debit cards, whether online or offline, it must comply with the regulations outlined by the PCI Security Standards Council. These regulations ensure that any financial data stored by the business is secure. If you’re not complying with all of the PCI regulations, you may face large fines in addition to leaving customer information vulnerable to hackers.

5. Don’t store data if you don’t need it

If you don’t need to store a customer’s sensitive financial data, then don’t. Doing so only creates a target for hackers and can cause customers to get very upset with you if their data is stolen. In fact, the PCI Security Standards Council states that you should never store credit card or debit card information on your personal server. Only keep the information required to process a refund or a chargeback, and regularly clear out that information so hackers cannot find any information to take. Also make sure you always verify CVV2 codes and addresses for all online purchases to further proof your system against hacks and online fraud.

6. Strong firewalls

A strong firewall will help protect you against viruses and Trojan horses. It also alerts you whenever there’s something suspicious occurring on your network. This extra security can also help defeat SQL injection and cross-site scripting hacks. Make certain your firewall is up-to-date and is configured correctly, of course, or it may not actually provide you with that much protection.

7. Secure your network

Likewise, users should have strong passwords for logging into your network and should change them about one every three months or so. You also need to make certain that all of your firewalls, antivirus programs, and other software are updated regularly. If you become aware of an issue in any of these programs that hasn’t yet been addressed by the software manufacturer, it may be a good idea to use a different program until that security issue has been resolved.

You also want to install an intrusion detection system (IDS) that will alert you when someone is trying to access something they should not. IDS software can notify you when an outside user is trying to gain access to your system or when a user account is trying to get to information that has been restricted, a strong indication that the account has been hacked.

8. Train employees

Employees need to know how to keep data safe and how to deal with any potential hacking scheme. This includes more than just knowing how to create strong passwords. Your employees need to know how to identify phishing emails, suspicious websites, and spam emails. They also need to know about your disaster recovery plans and what to do in the event of a hack that steals customer information.

9. Strong passwords are required

Some users may complain that they can’t remember complex passwords full of upper and lower case letters, numbers, and special characters, but you need to insist that they follow these rules. You also need to make certain that your customers do the same. While no one necessarily likes remembering these strong passwords, they do greatly reduce the chance of being hacked. While customers may grumble, they will appreciate the fact that their sensitive financial information is protected.

10. Test your system

Once you have your network as strong as possible, you need to test it by hiring someone to perform penetration testing. This testing, sometimes referred to as ethical hacking, involves someone attacking your ecommerce site as if they were a hacker. If they’re able to gain access to your customer information, you know your site isn’t as prepared as you’d like it to be. Ethical hacking will give you an idea of all of the weaknesses you still have to shore up and is a vital step before you make your ecommerce website live for customers to use.

About the Author: Sheza Gary has been a project strategist since 2009 and also involved in the launching of startups and tech companies in New York for over five years. She has a keen interest in writing about her own experiences with business plans and upcoming business supporting technologies. She loves public speaking. You can follow her on Google+.