As the holiday season quickly approaches, we have to warn you about who’s coming to town.
No, not Santa Claus. Not your in-laws either.
We’re talking about cybercriminals.
Hoping to strike while you’re wrapped up in the hustle and bustle of the busiest shopping period of the year, these hidden hackers are gearing up for attack. Because with increased site traffic, orders, and customer inquiries demanding your attention, cybercriminals know it’ll be easier to slip in under the radar.
Experts are predicting another record-breaking year for holiday ecommerce sales, so the last thing you want is to have your business operations slowed down or even halted by a cyberattack. And lost sales are just the tip of the iceberg. If attacked, you’re also facing potentially crippling remediation costs, reputation damage, government fines, and irreversible data loss.
If none of those things are on your holiday wish list this year, it’s time to start putting protections in place.
It’s not easy knowing where to start when it comes to building a comprehensive ecommerce cybersecurity program, so we teamed up with our partners at Rewind to create a list of our best tips. Check out the tips below, or watch a replay of our recent webinar covering this topic.
Holiday season cybersecurity tips for ecommerce businesses
There are so many avenues for cyberattackers to go about compromising your business. The best way to keep them at bay is to take a holistic approach to security that protects your customers, your site, and your bottom line. Here are some tips to help you get started.
Protect your customers
Ensuring your customers are protected from a cyberattack goes hand in hand with protecting your own business assets. Though more consumers have grown accustomed to shopping online amid the pandemic, concerns around identity theft and the security of their personal and financial information are still at an all time high. These concerns can prevent shoppers from completing a purchase, so it’s essential to earn their trust.
Offer protections with purchase
Risk of identity theft has risen on a global level since the coronavirus outbreak, and it’s only expected to get worse. Many shoppers are concerned that their personal information could be stolen as a result of making a purchase online.
Put customers at ease and show them you have their back in case the worst happens by offering purchase protections. With services like TrustedSite Certification, you can offer Shopper Identity Protection to protect customers with up to $100,000 in the event that they experience identity theft within 90 days of their purchase. This service allows you to place to TrustedSite’s Shopper Identity Protection trustmark on pages where identity theft concerns often derail the purchasing experience, like the shopping cart and checkout, helping to increase trust and boost conversions.
Highlight official communication channels
This holiday season, cybercriminals will use all kinds of social engineering tactics to target shoppers. Many will pose as a business or person a shopper trusts and trick them into giving out their personal information.
You can help mitigate this risk by letting customers know which contact information belongs to you. This way, they will be less likely to mistakenly contact an imposter and expose sensitive information.
Highlight your official contact information in places where customers will be most likely to see it, like your site header and footer, and ensure that information is consistent throughout your social media profiles.
Another way to reassure your customers that the contact information you provide is legitimate is by having it verified by a third party. With a free TrustedSite Certification plan, you can earn the Verified Business certification and get up to 4 types of contact information verified including phone number, email address, physical address, and contact form.
Don’t send spam
Phishing campaigns are expected to be out in full force this holiday season. These emails have gotten more sophisticated over the years and can trick even the most vigilant recipients.
Help customers identify which emails are truly from you by only sending purposeful information that they’ve agreed to receive. If you consistently send emails that aren’t relevant, it may make it more difficult for them to distinguish between a phishing email and one that’s actually from you.
You can show customers that you don’t send spam by earning TrustedSite’s Spam-Free certification. Many sites have seen an increase in email signups by earning this certification and placing the Spam-Free trustmark near their newsletter form. When customers see this trustmark, they can click it to see a history of emails you recently sent and the domains you send from, helping them feel more secure about signing up to receive your communications.
Encourage multi-factor authentication
Another way to protect customers is to require multi-factor authentication (MFA) on account logins. MFA is a technique that requires two sets of information from the user to prove they are who they say they are. Customers often use the same password for multiple accounts or low-strength passwords, so MFA helps prevent cybercriminals from gaining access via methods like brute force and man-in-the-middle attacks. There are tons of MFA solutions available on the market, and some such as miniOrange are affordable even for small businesses.
Protect your site and applications
Websites and web applications are some of the most attractive targets to attackers looking to get inside your business. So much so that last year web apps were involved in 80% of all breaches. Before the holiday season arrives, putting protections in place to secure your site and applications should be at the top of your to-do list. Here’s our best advice for getting started.
Practice attack surface management
More and more businesses are shifting operations to the cloud. While this provides great benefits like more flexibility and fewer costs, having more internet-connected assets also means attackers have more potential gateways to get inside a business.
Keeping track of those gateways and keeping them secure has proven to be a challenge because these days businesses can have hundreds or even thousands of internet-connected assets such as websites and web applications, servers, networks, firewalls, third-party tools, and certificates. The practice of attack surface management has emerged as a way of keeping tabs on these assets and identifying weaknesses that could leave them vulnerable to an attack.
Attack surface management can be broken down into three recursive components:
- Discovery - You can’t protect what you don’t know about, so the first step in attack surface management is to find and catalog every asset associated with your business.
- Fingerprinting - Next, you need to get a complete understanding of your assets to identify any open doorways that would be attractive to an attacker, such as vulnerabilities on firewalls and web applications.
- Monitoring - Developers constantly make changes to websites, and new vulnerabilities are found all the time. Continuously monitoring your attack surface puts you in a position to remediate issues before a data breach can occur.
Audit access levels
Your business likely utilizes third-party apps and services to improve the user experience and performance on your site. But third-party apps with read and write permissions can wreak havoc on unsecured data, so it’s important to regularly audit the apps and individuals that have access to your site.
When evaluating users that have access to your site, always follow the principle of least privilege and only grant access to those who require it explicitly for their job. For example, marketers don’t need access to your backend, and your developers shouldn’t have access to sensitive customer information (unless specifically required for their work).
When evaluating third-party apps on your site, one thing to keep in mind is whether the company provides adequate support. During the rush of holiday shopping, the last thing your team has time for is waiting for customer service to respond to your inquiries. Choose apps with published security and support policies so that your team doesn't wind up in the dark during peak periods.
Regularly backup data
Ransomware attacks have made major news headlines on multiple occasions over the past year. These attacks can be absolutely detrimental to your business if your data is seized by a cybercriminal and you don’t have a recent backup on hand.
If your site is hosted by a platform like Shopify and BigCommerce, keep in mind that they don’t provide a complete backup of your data. They are solely responsible for backing up their platform–not your store. This means that you’re at risk of losing your products, pages, images, metadata, custom fields, and blogs if you haven’t implemented a backup plan.
Rewind offers automatic daily backups and on-demand data restoration so that if something does go wrong, you’ll be able to restore your site within minutes, which means no downtime, lost sales, or unhappy customers during the most important shopping period of the year.
This holiday season, don’t jeopardize your bottom line by leaving security risks on the table. With this increased traffic period, cyberattacks are inevitable, so start planning the steps you’ll take to protect both your customers and your site now. And remember, TrustedSite and Rewind are here to support your security program in any way you need.