Today, it’s easier than ever to engage in online commerce. Software for handling credit card or e-check transactions is more available and easier to use than in the past. Software packages, including licensed products and off-the-shelf open-source solutions, make standing up an e-commerce platform quick and straightforward. However, when you handle customer data, especially data that supports a financial transaction, you carry a real risk of data breach or loss, and you must protect against it.
While a thorough guide would take the course of a book to cover, this post is meant to enlighten you on the most critical areas you should focus on when starting your e-commerce enterprise. If you are already live with a commerce-based platform, you should ensure you check off all of these boxes or formulate a plan.
First: Cyber Insurance
First off, every business should carry some level of insurance that covers cyber-related matters. One of our clients happens to specialize in this area, and they have a good write-up of what cyber insurance entails. Read it! To summarize, though, it covers areas such as data breach, media liability, extortion coverage, and network security liability. Each of these areas is important, and in the case of e-commerce, data breach insurance is essential. Before you do anything, have a policy in place, understand what is and isn’t covered, and to what level of liability. Peace of mind goes a long way, and protection if and when you need it can save your company.
Software Maintenance
The #1 focus for website owners and operators in e-commerce security should be consistently maintaining their website presence. This means the core software: the CMS, the commerce capabilities, any libraries in place, and any integrations to third-party applications. Software is updated continually to cover discovered vulnerabilities, gaps in security, or other flaws that malicious actors could attempt to use to penetrate your software and access data. Applying those updates promptly protects you from known threats. In combination with the other strategies we mention below, regular maintenance is essential to securing your platforms from third-party intrusion.
This also applies to your server software, which we’ll cover in the next section. All too often, we forget that services such as AWS, which provide dedicated instances, may not provide the regular patching and upkeep required to keep those instances safe, secure, and up to date; that work remains yours.
Hosting & Environment
It’s vital that your hosting environment is secure and properly configured. The safest way to host self-managed e-commerce software is on a dedicated server “instance”, provided you properly utilize that option. These days, cloud services such as AWS make this easy by giving you a virtual server dedicated to your own application. This uses shared computing power but allows for proper separation between your software and that of, say, another company. To explain in a bit more depth: in the past, shared hosting providers would put many clients on a single server. As such, if one was attacked, it could take down the server or give attackers access to other areas of the server, such as other clients’ sites. These days, a dedicated instance is a way to ensure you are correctly firewalled away from everyone else and that you have the level of control you require over how your server is managed.
It also means that you are on the hook for maintenance and upkeep. This is a necessary expense, particularly if you are doing a level of transactions that justifies the cost or your business relies on the software being managed. Much like my previous point, a hosting environment that is properly configured and maintained is a critical ingredient of a safe and secure commerce application.
Website Security Scans & Monitoring
Whether your commerce application was custom built or uses off-the-shelf software, you must run third-party scanning and monitoring against your website. Scanning and monitoring cover several distinct things. First, you need to watch your site for consistent operation. This means uptime, server load, CPU usage, drive space availability, and in particular how key components such as databases and web server software are operating. Secondly, you need security scanning. Scanning solutions look across your file base and front-end website to ensure no malicious code exists. The third layer of this service is consistent server security updates. And finally, all of this needs an emergency response plan, which I’ll review a bit later in this post.
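To make the two monitoring layers above concrete, here is an added example (not code from the original post, and not a substitute for a commercial scanning service) that implements the core of a file-based scanner and a health check using only the Python standard library. It builds a SHA-256 baseline of a web root, then reports files that were added, removed, or changed since the baseline, which is how unexpected code in the file base gets noticed; it also evaluates disk-space and load-average thresholds of the kind an uptime monitor would alert on. The web-root contents, the threshold values (15% free disk, load 1.5 per CPU), and the `demo()` function are all constructed assumptions for illustration.

```python
"""File-integrity baseline and basic host health checks for an e-commerce web root.

Added example for illustration; standard library only. Thresholds and sample
files are constructed assumptions, not values from the post.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads or media files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baselines(old: dict, new: dict) -> dict:
    """Report what changed between two baselines; any entry here deserves review."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def health_alerts(free_fraction: float, load_per_cpu: float,
                  min_free: float = 0.15, max_load: float = 1.5) -> list:
    """Return human-readable alerts for disk space and load; empty list means healthy."""
    alerts = []
    if free_fraction < min_free:
        alerts.append(f"disk: only {free_fraction:.0%} free (threshold {min_free:.0%})")
    if load_per_cpu > max_load:
        alerts.append(f"load: {load_per_cpu:.2f} per CPU (threshold {max_load:.2f})")
    return alerts


def current_health(path: str = "/") -> list:
    """Sample the live host and run the threshold checks (load average is POSIX-only)."""
    usage = shutil.disk_usage(path)
    free_fraction = usage.free / usage.total
    load_per_cpu = 0.0
    if hasattr(os, "getloadavg"):
        load_per_cpu = os.getloadavg()[0] / max(os.cpu_count() or 1, 1)
    return health_alerts(free_fraction, load_per_cpu)


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then alter it and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'shop'; ?>")
        (root / "lib").mkdir()
        (root / "lib" / "cart.php").write_text("<?php // cart logic ?>")
        before = build_baseline(root)

        # What a scanner should surface: a core file edited and a file nobody deployed.
        (root / "index.php").write_text("<?php echo 'shop'; /* edited */ ?>")
        (root / "lib" / "unexpected.php").write_text("<?php // not part of the release ?>")
        after = build_baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    print("integrity diff:", demo())
    print("health alerts:", current_health() or "none")
```

In practice you would store the baseline off-host (an attacker who can alter files can alter a baseline stored beside them), regenerate it as part of each deployment, and page someone when `diff_baselines` returns anything outside the deployed change set or when `health_alerts` is non-empty.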
PCI Compliance
Adhering to PCI compliance is a crucial component of your store’s ongoing safety and security. Today, you can gain PCI compliance via two means. First, you can proceed through the process via self-attestation. This means running a scan across your site, remediating any issues that exist, filling out a self-assessment, and then completing a PCI Attestation of Compliance. This process can be time-consuming, but it is worth it, and some financial institutions or insurers may require it.
The second pathway is to have a third party attest to your compliance level. This usually involves a very detailed audit, findings and remediation advice, and then your adherence to those suggestions to attain attestation. This is also the more costly approach.
Either way, we suggest you take this seriously and consider going through the process to protect your site, customers, and company. Also keep in mind that, depending on your business in terms of both scale and capabilities, you may have other regulatory requirements you must adhere to.
Information Security Policies
Almost any larger enterprise that works with us requests a copy of our infosec policies. You should have yours handy, too. In larger enterprises, IT and Legal teams work together to assemble these policies. For small businesses, there are self-service offerings that can help you craft your documents and create a library of policies.
Of course, creating policies is one thing; adherence is what matters most. Work to live up to the policies in place, educate employees, and conduct training. You are handling the personal data of customers, and that data was entrusted to your care, so you must be responsible for handling, storing, and securing it.
Emergency Response Plan
Everything we mentioned above is of little use unless you have a plan in place for a potential event such as a data breach. It’s critical to your business that you have a procedure in place that can handle such an occurrence, and that you have this policy on paper should anyone ask you for it.
An emergency response plan should contain phases, typically something along the lines of identification, remediation, appraisal of the damage, notification, and further investigation. However, the details depend on the particular company, legal requirements, and other factors. This topic could fill an entire post of its own, and to an extent we already have one, on downtime response. It is an excellent post for emergency security response as well, as it provides a summary of the steps you should take if you suspect a data breach has occurred.
By no means is this an exhaustive guide to securing an e-commerce application, but it is a litmus test for you to gauge your preparedness. Have you completed, or are you considering, the items above? If yes, then you are taking the necessary steps to responsibly run your commerce site. If not, you need to immediately put a plan in place to complete them in a timely fashion. The risk to your business is real, and these days data breaches and software intrusions are at an all-time high. Don’t put a small dollar saving ahead of safety; it could cost you dearly in the long run.