It was Sept. 20, 2015. Online retailer Newegg, which specializes in computer hardware and consumer electronics, had only recently begun accepting Bitcoin when it found out from customers, on Twitter, that it had become the victim of a hack. The DDoS [distributed denial of service] attack took down the Newegg site for five hours, and the hacker tried to extort Newegg for bitcoins.
Newegg reportedly generates over $2.5 billion in revenue annually, and this little downtime must have cost them a lot. Fortunately, being big also gave them a massive advantage: They had enough people and resources to dedicate to fixing issues quickly.
Many smaller ecommerce businesses are not that lucky. Compare the case of another e-commerce business: Distribute.IT.
Co-founder Carl Woerndle received a call at 5 p.m. on a Friday to let him know that his company’s network had been breached. The company, founded in 2002, had grown rapidly, acquiring over 30,000 recurring clients in just nine years. The company had experienced minor attacks before, but this attack was different. Not only did it send company personnel into a spiral, leading to them spending several 72-hour sessions trying to fix the issue, only for the hacker to get back in, but that particular hack brought about the end of their business.
Unfortunately, for many e-commerce businesses, suffering a hack leads to a situation similar to that of Distribute.IT. Statistics from the U.S. National Cyber Security Alliance found that 60 percent of small businesses that suffer a cyberattack do not survive more than six months.
As one of the most notable ecommerce security breaches, the Home Depot breach, in which data from over 50 million credit cards was stolen, is still fresh in our minds. Don't think that only big corporations are targeted by hackers, though. Research shows that 69 percent of businesses were hacked in the last year, and all indications point to the fact that hacking will only keep increasing.
Tons of articles have been published on generating traffic, boosting sales and conversions, optimizing UX and other aspects of building a successful ecommerce business. Very few have been written about surviving a hacking disaster, the very thing that could wipe out a business—especially a small business—overnight. Here are some tips to protect your ecommerce business from being hacked:
Don’t store credit card information on your server: If Sony or Home Depot are unable to protect their customers’ credit card information, don’t assume you will do a much better job than them.
“Just last week two websites we operate…were hacked. Someone managed to break in and insert code designed to steal credit card information. They didn’t succeed because we don’t keep any credit card info on the site.” Those are the words of Tom Harnish, a senior scientist whose websites were hacked with the intention of compromising his customers’ credit card information.
One of the best things you can do to ensure you are protected in the event of a hack is to minimize the risk you carry: Yahoo!, Sony and even U.S. government websites have been hacked. Chances are you will be too, and much more easily. Keeping customer payment information such as credit card data will only expose you to unnecessary risk. Instead, use a trusted and reliable third-party service that specializes in payment processing.
Use Cyber Insurance: Very few businesses are aware that their e-commerce business can be insured, or that this is something essential they shouldn't take lightly. A good case for having cyber insurance is the Sony hack a few years back that compromised the personal information of 77 million users. Besides the fact that experts estimated the hack to have cost Sony about $24 billion in revenue, Sony spent about $170 million of its own money to clean up the hack.
You probably don’t have $170 million stashed somewhere to save you in the event of a hack, and while you are highly unlikely to suffer a hack of Sony’s magnitude, the fact remains that a hack will still cost you a lot of money to fix—possibly more than you have—and that doesn’t account for the revenue you will lose due to your business being down as well as your damaged brand as a result of the hack.
Ensure Personal Employee Security: In one of the biggest hacks ever, the personal information of 145 million eBay users was compromised. What very few people realized, however, was that a hack of this magnitude was only possible because the hacker compromised the credentials of a few eBay employees.
It is essential to restrict individual employee access to areas of your website where information can be easily compromised or where something can be changed on your servers. When dealing with employee security, ensure the following:
- Educate all employees, especially those with key access, on how to secure themselves
- If possible, use multi-party authorization, a form of authorization in which one or more authorized users need to approve an employee's action before it can take place, to limit the impact a compromised employee account can have on your server.
- For employees with access to sensitive areas of your server, do not allow a BYOD [bring your own device] policy. If you do, ensure adequate security measures are in place.
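To make the multi-party authorization idea above concrete, here is an added example (not code from the original article) of a small approval gate in Python: a sensitive action is only executed once a quorum of distinct authorized approvers, none of whom is the requester, has signed off, so one compromised account cannot push it through alone. The action names, account names and quorum size are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class PendingAction:
    action: str
    requester: str
    approvals: set = field(default_factory=set)  # distinct approver accounts


class MultiPartyGate:
    """Executes an action only after `quorum` distinct approvers sign off."""

    def __init__(self, approvers, quorum):
        self.approvers = set(approvers)  # accounts allowed to approve
        self.quorum = quorum             # approvals required per action
        self.pending = {}                # action id -> PendingAction
        self.executed = []               # actions that reached quorum

    def request(self, action_id, action, requester):
        self.pending[action_id] = PendingAction(action, requester)

    def approve(self, action_id, approver):
        p = self.pending[action_id]
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an authorized approver")
        if approver == p.requester:
            raise PermissionError("requester may not approve their own action")
        p.approvals.add(approver)  # a set: the same account cannot count twice
        if len(p.approvals) >= self.quorum:
            self.executed.append(p.action)
            del self.pending[action_id]
            return True
        return False


def demo():
    # Constructed scenario: alice's account is assumed compromised and requests
    # a change to the payout bank account; two other approvers must agree.
    gate = MultiPartyGate(approvers={"alice", "bob", "carol"}, quorum=2)
    gate.request("chg-1", "change payout account", requester="alice")
    try:
        gate.approve("chg-1", "alice")      # self-approval is rejected
    except PermissionError:
        pass
    after_bob = gate.approve("chg-1", "bob")
    bob_again = gate.approve("chg-1", "bob")   # repeat approval adds nothing
    after_carol = gate.approve("chg-1", "carol")
    return after_bob, bob_again, after_carol, gate.executed
```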
Ensure Server Security and Perform Regular Checks: In most cases, your e-commerce business is only as secure as your server is. Take regular measures to ensure that your server is secure and protected. More importantly, do regular PCI [Payment Card Industry] data security scans to discover issues and vulnerabilities that hackers can take advantage of to get into your server.
John Stevens is the founder and CEO of Hosting Facts, which provides reviews on website hosting companies.