Security features have nothing to do with your sales directly. What is more, you can still sell plenty without caring about security at all. Its absence makes day-to-day operations easier for both you and your customers: transactions with pre-saved card details are faster, and passwords like ‘123456’ are easier to remember. Moreover, maintaining the online store gets cheaper, because heavy-duty security for even a small business costs a bomb.
So, why should you care?
One day, you might wake up to an online store filled with spam links, pages locked by ransomware, an admin password that no longer works, and a customer support inbox full of hysterical emails about suspended accounts and sudden unauthorized transactions. It was fun while it lasted, but honestly, how could customers keep trusting you after that?
Besides spending countless days in a cold sweat trying to restore access to your store or figure out how to remove the malware, the customers you put in danger would turn their backs on you. This is probably not how you imagine your business working.
Maybe you have an established business or are thinking about starting one, and until now you haven’t been concerned with how your store is protected. Obviously you can sell as long as you have a shopping cart system installed and working payment options that include card transactions.
This article is a collection of tips on where to start, or continue, working on your security posture as an online business, so that you stay an active seller rather than a bankrupt one.
Scan your store for vulnerabilities
And do it not once, but on a regular basis. It can and will save you a lot of headaches.
Depending on your hosting solution and CMS platform, you can find both free and paid solutions for scanning your store, aimed specifically at the weak spots of the system you use. Security comes in all shapes and sizes, from a plugin to a standalone service.
Of course, a general scan designed for an average store may not pick up all the peculiarities of your business, and it may miss issues that a manual check would find. Still, you will get notified about:
- Which security updates and patches are missing.
- Recommendations on what you can improve, such as passwords and phishing protection.
- A general health status for your site: whether it was attacked, infected, and so on.
Running an outdated system is just waiting for the worst to happen. Take some time to search for a tool that works for you, then put scanning in your schedule. If it can be triggered automatically, configure it that way. This is the least you can do to keep the store safe.
Purchase an SSL Certificate and move to HTTPS
How does your store even operate if you haven’t got one? Sure, it is not strictly a must for a website to serve as a store, but on most up-to-date browsers your website will be flagged as ‘unsafe’ in the address bar and sometimes on the page itself. Customers tend to trust those warnings. And they are not wrong: staying on HTTP without an SSL certificate means the data exchanged between the user’s browser and your store is not encrypted, and the user’s input and actions during that exchange (usernames, passwords, payment details and other information) travel as plain text. Anybody on the path can intercept it without notice, steal it and use it against the user.
SSL-secured websites are marked and treated by browsers as ‘safe’, which gives both visual and technical reassurance that your store is safe to use. An SSL certificate does cost money, but so do your products. Your customers trust you with their precious card numbers, so do them justice.
As a bonus, you get better visibility in Google search results with HTTPS, as Google treats the encrypted connection as a ranking factor.
Follow the security guidelines of your CMS platform
According to studies, a hacker attack happens nearly every minute. No matter what platform you use to run your online store, its developers are certainly aware of the security issues and other problems that cause inconvenience to your team and customers. A platform whose security holes are patched quickly is stable and secure, and that means commercially successful. So the updates are there for a reason, and it would be irresponsible to ignore them.
Apply security patches and version updates as soon as they arrive. They cannot wait: news about security breaches in online stores spreads quickly, and before you know it there will be hackers on your virtual doorstep, hungry for your customers’ money or ready to break your site for the sake of it.
Before investing money in pricey, long-term security solutions, research the security instructions for your CMS. There are probably options to protect your store without extra components. For example, Magento has a whole Security Center where you can find best practices, news about recent breaches, and information and instructions for official security patches, enough for any store to operate safely.
Another human-related issue that can hurt you is ignoring the official documentation that comes with every purchased third-party software package, application or extension. Make sure you are familiar with any user guides or installation instructions that apply. A poorly configured plugin won’t help you sell and can break your site, leaving it vulnerable and malfunctioning.
Choose a secure hosting option
Hosting is not only where you keep your data; it also shapes the first impression your store leaves: its loading speed. If your online store takes more than 5 seconds to load, you have probably lost the customer who was waiting.
Hosting also determines how well the passwords, orders and personal information of your customers are secured. When planning a move to another host, or setting one up for the first time, keep in mind that your hosting should do more than meet the requirements of plain data storage. You need one that supports the functionality of an online store, or specifically the CMS you are using. eCommerce hosting services are geared to provide the fastest speed and a comfortable shopping cart experience. If your solution is not hosted for you and the choice is yours, consider these two points.
- Dedicated hosting provides maximum security, as you are the only owner of the server and do not share any access with third parties.
- In terms of security, it is preferable to have 24/7 hosting provider support. If there are issues, you can quickly find out which side is to blame and fix it.
Secure customer information from yourself
Never keep payment details on your servers, even if your retention rate is high and you want to make life easier for returning customers. Ask for the card details, use them for the transaction, and get rid of them. Everything that is permanently stored on your server risks being published or stolen in a data leak. Never store any piece of information that can cause serious damage, for example credit card details. Even if intruders get into a working customer account, they shouldn’t be able to use it for a purchase. If they get into your admin area or onto your server, they shouldn’t be able to steal credit card information or redirect your revenue into their pockets.
Make sure to implement tokenization of sensitive information. That means that before any sensitive data from your customers is kept, it is replaced with a randomly generated string of symbols, the token. If that token is stolen, it is useless unless it is turned back into the real data by the same system that generated it. Anyone with malicious intent who gets their hands on the token won’t be able to use it.
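What the tokenization described above looks like in code, as an added example rather than anything from the article or from Magento: the store records only a token and the last four digits, while a separate vault (standing in for a payment provider or a tightly controlled system) holds the only mapping back to the card number. The card number, class and function names are constructed for the illustration.

```python
import secrets

# Added example (not from the article): card tokenization. The store keeps only
# an opaque token and the last four digits; the vault that maps tokens back to
# card numbers stands in for a separate, tightly controlled system or a payment
# provider. Names and layout are assumptions made for this illustration.


class TokenVault:
    """Holds the only copy of the token -> card number mapping."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # The token is random, so it reveals nothing about the card number and
        # cannot be reversed by anyone who does not hold this vault.
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._by_token:  # collision guard
                break
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]  # KeyError for tokens this vault never issued


def luhn_valid(pan: str) -> bool:
    """Checksum used by card numbers; rejects typos before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def checkout(vault: TokenVault, pan: str) -> dict:
    """What the store records for an order: token and last four digits only."""
    pan = pan.replace(" ", "")
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a plausible card number")
    return {"token": vault.tokenize(pan), "last4": pan[-4:]}


def charge(vault: TokenVault, order: dict) -> str:
    """A later charge presents the token; only the vault sees the card number."""
    return vault.detokenize(order["token"])
```

A leaked order record therefore contains nothing a thief can charge, and a token copied to another system (a different vault) is simply unknown there.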
Change your password right now
Your admin panel is more than just the back office of your business; it’s where all your statistics, payments and confidential information about orders and the people who placed them live. A weak password for the admin area is the easiest way to take over any website. A second of hesitation about coming up with a complicated password, and you have a ticking bomb. Sometimes, when the admin account is shared among a few employees, the password is one word or a sequential string of digits, sometimes as short as 4-5 symbols. Sure, it is easy to share and remember, but how long does it take password guessing software to crack it? Statistics say less than a minute.
- Use a random password generator to get an unpredictable password, even if it is harder to remember.
- Keep it longer than 8 symbols.
- Enforce password requirements such as special characters, digits and mixed letter case, at least for your admin team.
- Enforce a password change every few months for employees.
Add more layers to the authentication
Business nowadays requires online shopping to be accessible, but accessible shouldn’t mean careless. You can grant safe access to the admin panel and to customer accounts by adding a second factor to user identification. The first factor is the combination of a login and a password. To make sure the person asking for access is genuine, the system should ask for information only this person knows, basically a code word.
The one device that both your customers and admins always have is a phone. How can you use it for multi-factor authentication?
- Make a list of IP addresses and devices that are allowed to access your admin area.
- Allow both your staff and your customers to add their phone number so their identity can be double-checked on login.
- Verify emails for admin accounts so that access can be restored.
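The admin login flow the list above describes, combining the address allow-list with a one-time code sent to the phone, as an added example that is not code from the article or from any CMS. The network range, the five-minute validity, the three-attempt limit and all names are assumptions; times are plain Unix seconds so the flow can be exercised without a real clock.

```python
import hmac
import ipaddress
import secrets

# Added example (not from the article): the admin login checks described above.
# The request must come from an allowed address, and after a correct password
# the user must enter a one-time code delivered to their phone. The code expires,
# works once and allows only a few attempts. Ranges, limits and names are assumptions.

ALLOWED_ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed office range
CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 3         # after that the user must request a new code


def ip_allowed(addr: str) -> bool:
    """True if the client address is inside one of the allow-listed ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_ADMIN_NETWORKS)


class SecondFactorChallenge:
    """A one-time code sent to the user's phone after the password was accepted."""

    def __init__(self, issued_at: float) -> None:
        self.code = f"{secrets.randbelow(10**6):06d}"  # the digits sent by SMS
        self.issued_at = issued_at                     # Unix time, seconds
        self.attempts = 0
        self.used = False

    def verify(self, submitted: str, now: float) -> bool:
        # Refuse replayed, exhausted or expired codes before looking at the value.
        if self.used or self.attempts >= MAX_ATTEMPTS:
            return False
        if now - self.issued_at > CODE_TTL_SECONDS:
            return False
        self.attempts += 1
        ok = submitted.isascii() and hmac.compare_digest(self.code, submitted)
        if ok:
            self.used = True  # a code is accepted exactly once
        return ok


def admin_login(source_ip: str, password_ok: bool,
                challenge: SecondFactorChallenge, submitted_code: str,
                now: float) -> str:
    """Cheap checks first; the one-time code is consulted only as the last step."""
    if not ip_allowed(source_ip):
        return "denied: address not allowed"
    if not password_ok:
        return "denied: bad password"
    if not challenge.verify(submitted_code, now):
        return "denied: bad or expired code"
    return "granted"
```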
Configure automated backups
95% of security failures are caused by human factors. You can pay multiple service providers to install firewalls in your store, but that is worth nothing if you misconfigure something, lose important data and realize there is no going back. A backup is a secured copy of all the information, databases, orders and customers you have, and with it you can restore your website from scratch. Backups also help if you lose a piece of information after an update or find an error.
Can you imagine what your employees would have to do if something goes wrong? If you don’t have an answer to this question, start preparing an emergency plan. It is a general instruction on how to act when your store is under attack and how to deal with the consequences. Usually, you need four steps thoroughly planned:
- Response. Stopping the harmful actions.
- Disclosure. Notifying your customers as soon as something can threaten them.
- Recovery. Having the contacts of the right employees or specialists who can evaluate and fix what is broken.
- Review and follow-up. After the effects of the attack are removed, conduct an investigation to find out how the intruders gained access to your store and what your security policy is missing, so that the attack cannot happen again.
Sell thanks to security, not in spite of it
Security measures are not about inflating the number in the ‘total revenue’ field. They are about keeping your store a safe place for as long as possible, so you have the time and resources to grow your business. Treat security as part of the selling process, not as a burden.
Author’s Bio: Oksana Mikhalchuk is Content Manager at NEKLO, a software engineering company with a primary focus on eCommerce development for Magento. Oksana is dedicated to writing about marketing, web design and, of course, everything Magento-related.
How can you sell more online with security features?