Running a successful eCommerce site requires not only plenty of business savvy, but also a great deal of security work and awareness. Unfortunately, the security level amongst retailers is remarkably low. Detectify, a Swedish security company founded by some of the world’s best security researchers, has worked with eCommerce clients for many years. In this blog post, they will give you some intel on the state of eCommerce security, and what security measures you need to have in place.
The majority of retailers have set strategies for web performance, marketing, SEO, UX, CRO, and busy holidays like Black Friday and Christmas. They prepare for traffic spikes and large order volumes – but security is often left out of the picture. This is something the security experts at Detectify are determined must change, considering the increased user demand for secure digital solutions, and regulations like GDPR that are put in place to protect customer data.
Many online stores lack HTTPS
To put it short and simple: the state of eCommerce security has room for improvement. Many online stores do not even have the most basic security measures like encryption in place (encryption is often referred to as SSL or HTTPS, where the S stands for secure). Detectify looked into the HTTPS configurations of 915 popular Swedish online stores, and only 37% of the sites they analyzed forced HTTPS, a devastating result that illustrates the state of eCommerce security in many countries and markets. The results were picked up by the media and many of their readers, because the general assumption amongst online shoppers is that online stores are safe and protected by default. Read more on how to implement HTTPS in this guide.
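To make "forcing HTTPS" concrete, here is an added example (not code from the post, and not Detectify's own scanner) of the check a survey like the one above would run per store: the plain-HTTP entry point must redirect to https://, and the HTTPS response must send a Strict-Transport-Security header with a sufficiently long max-age. The Response class, the three fictional stores and the 180-day HSTS baseline are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    """Minimal stand-in for an HTTP response (assumed shape; header names lower-cased)."""
    status: int
    headers: dict = field(default_factory=dict)

def parse_hsts(value):
    """Return (max_age, include_subdomains) parsed from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                max_age = None  # malformed directive: treat as absent
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def forces_https(http_resp, https_resp, min_hsts_age=15552000):
    """Decide whether a site forces HTTPS. min_hsts_age defaults to 180 days,
    an assumed baseline for this example, not a figure from the post."""
    findings = []
    location = http_resp.headers.get("location", "")
    redirected = http_resp.status in (301, 302, 307, 308) and location.lower().startswith("https://")
    if not redirected:
        findings.append("http:// entry point does not redirect to https://")
    hsts = https_resp.headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        max_age, _ = parse_hsts(hsts)
        if max_age is None or max_age < min_hsts_age:
            findings.append("HSTS max-age missing, malformed or shorter than %d seconds" % min_hsts_age)
    return not findings, findings

# Constructed sample responses for three fictional stores (not measured data).
SAMPLES = {
    "forced": (Response(301, {"location": "https://shop-a.example/"}),
               Response(200, {"strict-transport-security": "max-age=31536000; includeSubDomains"})),
    "redirect_only": (Response(302, {"location": "https://shop-b.example/"}), Response(200, {})),
    "optional": (Response(200, {}), Response(200, {})),
}

if __name__ == "__main__":
    for name, (http_resp, https_resp) in SAMPLES.items():
        ok, findings = forces_https(http_resp, https_resp)
        print(name, "forces HTTPS" if ok else "does NOT force HTTPS", findings)
```

Only the first store passes; the second redirects but leaves returning visitors exposed on their first plain-HTTP request because it never sets HSTS, and the third serves the shop over plain HTTP without complaint.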
Businesses like eCommerce stores depend on their online presence. A security breach can take a toll on brand reputation as well as revenue, and recovering from the ill will it creates is difficult and time-consuming. There are many common traps that are easy to fall into; Detectify has summarized them here: 7 of the most common eCommerce security threats.
Using a CMS doesn’t mean you are safe
Some people claim that you are safe by using a popular CMS instead of customized platforms. While that is true in most cases (I’ve previously written a blog post explaining why you should avoid hosting and building your own platforms), using a well-known CMS doesn’t necessarily mean you are safe.
The CMS can be an attractive target for hackers, posing a serious security risk. For example, Magento is a popular Content Management System (CMS) for eCommerce sites. There are many basic tips on how to stay safe, like:
- using the latest version
- adding two-factor authentication
- managing your admin panel in the correct way.
However, this is still not enough – the rapid changes in web security, combined with the volume of code being pushed live on a daily basis, require a new way of working. New vulnerabilities and issues emerge all the time, so you will need a solution like Detectify to help you secure your website.
Other tips and tricks
- Use responsible disclosure and bug bounty programs to get help from independent security researchers. This means you allow ethical hackers to report vulnerabilities that they have found on your website, and show gratitude with recognition and/or a monetary reward. A simple “Thank you” is fine to start with, before adding money to the mix.
- A simple way to start is to add a security contact on your site so that people know where to turn if they come across a security flaw, such as Security@example.com.