The Most Common Ecommerce Security Mistakes — And How to Avoid Them

By   ISBuzz Team
Writer , Information Security Buzz | Jan 06, 2016 06:00 pm PST

If there is one concern that all ecommerce site owners share, it’s security. A major security breach could prove fatal to a small business, thanks to the costs associated with reimbursing customers, paying fines, investigating the breach, and fixing security lapses. In fact, the vast majority of small businesses that fall victim to a data breach never recover, and end up going out of business.Image

For an ecommerce retailer, security is an even greater priority, given that there are so many places where things can go wrong. Unfortunately, though, all too many ecommerce sites make mistakes that put their customers’ information —and their business — at risk. By focusing on these common weak areas and making changes to enhance security, you reduce your chances of a costly breach and give you customers greater peace of mind when shopping with you.

Mistake #1: Security Is Not the Same as Compliance

Ecommerce retailers have to contend with a long list of compliance regulations related to the collection, storage, and use of customer data. Often, small businesses use website builders for ecommerce because those companies handle the compliance concerns for them; after all, most small businesses do not have the resources to fully meet all of the compliance standards themselves.

However, what many entrepreneurs fail to recognize is that guidelines like the PCI-DSS are just that: Guidelines that should be considered the minimum best practice. When you adhere to these guidelines, the chances of you falling victim to cybercrime decrease, but simple compliance does not equal security. The risks change all the time, and to secure your business, you must go beyond basic compliance to identify and mitigate those risks on an ongoing basis.

Mistake #2: Not Conducting a Risk Assessment

Not all businesses face the same risks. Even those within the same general industry face different threats and have different security needs. In other words, security is not a one-size-fits-all proposition, and as a result, many businesses are inadequately prepared to address the risks they face.

Before investing in any security solution or developing any protocols, then, it’s vital for your business to conduct a risk assessment. You must identify the specific risks in every aspect of your business, as well as the potential consequences and losses associated with those risks. When you do that, you can better prioritize your security activities and more effectively protect your data.

Mistake #3: Not Conducting Security Tests

Once you have implemented security protocols, are you sure they work? Unless you have conducted tests, you really have no idea whether your security is effective or not. Therefore, it’s important that you conduct regular tests of your security, and act on the results of those tests in a timely manner. It won’t do you any good if the testing reports sit on your desk for six months; security issues must be handled right away.

Image 1Mistake #4: Not Protecting Against Phishing Attacks

Phishing is one of the most common sources of data breaches. Often, criminals attack businesses by sending phishing messages to employees to steal their login credentials, and then use that information to inject the site with malware that gives them access to even more information.

While the best way to protect your business against these attacks is to train your employees to recognize phishing messages and use antivirus and intrusion prevention software, you also have a responsibility to your customers to protect them against phishing attacks. Again, user education is key; this means reminding your customers that you’ll never ask for sensitive information via email or text message for example. You can also protect your customers by using a single login URL for all logins — the simpler the better — and by directing all logins through SSL to verify that the login isn’t being redirected.

Perhaps the biggest mistake that small ecommerce businesses make is underestimating the value of their data to criminals. Don’t fall into the trap of believing that your size makes you immune to hackers and data breaches. Small businesses are among the most common targets for cybercriminals, often because of the false sense of security that entrepreneurs have about their desirability. The fact is, any data is valuable data to a criminal, and often, the information they steal from you can help them access even larger targets. For that reason, not to mention the potentially devastating costs of a breach, it’s important that you make security a priority and take every precaution to protect your customers and your livelihood.