Services Blog- Hummingbird Networks

5 Ways to Improve Ecommerce Security Before this Holiday Season

Written by James Lay | Oct 11, 2016 1:30:00 PM


The growing number of cybercrime incidents is a major concern for the e-commerce sector. In 2015 alone, thousands of small and medium-sized businesses were hacked, with millions of customer and business records being lost in the process. In fact, it is believed that breaches cost us between $375 and $575 billion annually.

This tells us one thing – cyber crime is real. And, it’s dangerous. If you’re hit, you might go out of business never to come back again.

To this end, every e-commerce company should be working hard to better secure their business from cyber criminals. To help you with this, we’ve identified five key tips you need to consider:

5 Ways to Improve Ecommerce Security


1. Close holes in your website

This should be the very first step when trying to secure your e-commerce business. You need to make sure that the site is hack-proof by scanning and fixing any existing vulnerabilities, particularly SQL injection and cross-site scripting.

SQL injection refers to an attacker executing a malicious SQL statement (commonly known as payload) to control a web application’s database server (or Relational Database Management System - RDBMS). This basically means that SQL injections can be used to launch an attack on any website or web application.

By using SQL injection vulnerability, under the right circumstances, an attacker can bypass a web application’s authentication or authorization mechanisms and retrieve contents of an entire database. An SQL injection would allow an attacker to add, modify, and delete records on the victim database, possibly affecting the integrity of customer information, trade secrets, and Personally Identifiably Information (PII).

Cross-site scripting (XSS), on the other hand, occurs when a web application collects malicious data from a user. This is what usually happens when an attacker sends an email with a malicious hyperlink to your inbox. When you click on the link, a malicious web application is launched on your computer that then helps the attacker collect as much information as they want.

You need to vigorously patch your system to completely eliminate these loopholes. Also, scan your site regularly to reveal any other vulnerabilities and take steps to fix them right away.

2. Don’t hang onto more information than you need

Many e-commerce sites have numerous complicated forms that a consumer must fill in before making even the most basic of purchases. Often, these forms require all kinds of information, some not even relevant to the sale. This is a major risk both to your online store and your customers because this is the same information data thieves are looking for.

For this reason, although the marketing department might want this information for purposes of relationship management, abstain from storing too much data, especially if you don’t actually need it. Remember that the law requires you to protect all the information passed to you by the consumer. If this information is compromised in any way, you will be held responsible. Storing a lot of data, therefore, places an enormous burden on your shoulders.

Interestingly, the same insistence on asking for too much information upfront is also one of the main reasons online businesses lose sales. As consumers become more aware of the threat of sharing their information online, a majority of them are choosing to overlook companies that ask for too much personal and financial information.

So, keep your forms short and only ask for information that is likely to help you at that stage. In most cases, just the name and email address should be sufficient. If you need additional information, later on, the consumer will be more than willing to provide it.

3. If you’re collecting sensitive information, deploy SSL

Secure Socket Layer (SSL) is the standard technology for establishing an encrypted link between a browser and a web server to ensure that all data being sent between the browser and the server is private and integral. 

For e-commerce merchants, there are two main advantages of using an SSL connection. The first one is that the information being sent across the link is encrypted in such a way that only the intended recipient can understand it. This is important because information passed from the browser travels long distances before reaching the server. A computer along the path can intercept the data and view the credit card information, usernames, and passwords being sent. When SSL encryption is used, this information becomes unreadable to everyone else apart from the intended recipient. This protects it from data thieves and hackers.

The second main advantage is that SSL connections provide authentication, or a guarantee, that you’re communicating with the right server, and not a criminal’s server. This is important because the internet as it currently is cannot be trusted. There could be criminals along the way pretending to be you just to try and intercept your customers’ information. An SSL connection assures that consumer that they are indeed communicating with your server which can go a long way in increasing their confidence in your services.

4. Enable two-step authentication

All e-commerce dealers expect staff and other users to provide a username and password in order to access the e-commerce website. This is called basic authentication. In fact, that’s where network security starts. However, in today’s insecure world, you can’t stop at that. To secure your business and your customers’ information even further, you need to start using two-step authentication.

Also known as two-factor authentication (TFA), two-step authentication requires an extra layer of authentication in addition to the username and password, such as a unique single-user code received via SMS or authentication app.

When a user initiates a transaction, you can send them the unique code to their phone and ask them to input the code in order to proceed with the transaction. Both Google and Yahoo use this when you’re changing your password. For even increased security, the code can be set to expire within a certain period of time, such as 10 minutes.

Using two-step authentication lowers the chances of identity theft because the thief would need more than just a username and password to access a victim’s account.

5. Staff training

Lastly, and perhaps most importantly, train your staff on cyber security to arm them with the knowledge needed to avoid getting fooled into clicking malicious links or giving away crucial information that might help an attacker gain access to your site.

Recent studies show that staff members are the weakest link in the security chain. They carry sensitive company information on unsecured devices and then use the same devices to engage in risky activities such as playing Pokemon Go over the internet. You need to help these staff members realize that this is a big risk. And this can only be done through a detailed security policy and thorough training.

Keep in mind that cyber security is an ongoing journey with no end. As long there is information that can be stolen, hackers will always try to steal it.  Your job as an e-commerce dealer is to make yourself a hard target. Even if you become a target, make it impossible for the thieves to penetrate your system. They're humans after all. They will give up and look for easier targets.