October is European Cyber Security Month! So what better time to review the steps you’re taking to keep your customers and brand safe online? We’ve put together our ultimate guide on how to improve, and then maintain, the security of your eCommerce websites.
Why is Cyber Security Important in Retail?
Consumers are increasingly aware of trust signals and security when making online purchases. 84% of shoppers will not make a purchase from a site that is not secure (Blue Corona, 2018) and trust was beaten only by price when ranking the most important attributes for deciding where to buy a product. 30% of consumers rated buying from a preferred website as the single most important factor in their decision-making (KPMG, 2017).
For retailers then it is crucial to understand what makes a site secure and trustworthy in order to attract new customers, as well as to protect their existing ones. Whilst security best practices are not a new concept in eCommerce, there are still challenges regarding how to best demonstrate a commitment to security to your users. Plus, the majority of websites - even those that are already highly secure - have the potential to make further improvements quickly by implementing simple steps which are often overlooked.
That’s why we’re proud to collaborate with iomart partner, Foregenix, to produce this guide to cyber security, outlining the actionable checks and changes you can make to improve the security of your store. Foregenix is a leading independent cybersecurity company focused on keeping the world’s payment systems and eCommerce sites secure.
They help merchants, payment processors, government agencies, banks and other operators to ensure they’re securing their environments effectively while complying with industry security standards. Combining decades of forensics knowledge with breakthrough technology, they deliver world-class customer support.
Together we have over 30 years’ experience in delivering security solutions for online businesses.
The guide will cover the following topics:
- General security recommendations
- Activity to monitor
- Preventing malware and ransomware attacks
- Responsible commerce
10 General Security Recommendations
This section outlines the top 10 steps any retailer can take to improve their website security. Each one is relatively simple to implement, but together they provide a multi-layer defence which protects you against attack or customer data loss.
1. Keep software up to date
Whether your site runs on Magento, WordPress, Drupal or any other platform it is crucial to make sure you are working with the most up-to-date version. You should make it a priority to update the platform, and any associated plugins, as soon as possible when a new version or patch is released.
Tens of thousands of websites use these platforms. So criminals put a lot of time into trying to exploit any vulnerabilities. Fortunately, these platforms also have teams of experts working hard to produce patches which resolve vulnerabilities before they can be exploited.
It’s reported that 85% of eCommerce store breaches are due to Magento stores running outdated code and extensions. So, keeping your store up-to-date really is one of the simplest, most effective ways to improve your security.
2. Use strong, unique passwords
The majority of people know that they should be using random, complex passwords, with a unique password for each of their accounts. Eight or more characters, a mix of upper and lowercase letters, numbers and special characters is now standard advice when creating a password. However, worryingly, password security is still overlooked in many cases.
A report on Inc.com revealed that an estimated three billion passwords were stolen in 2016 alone - that’s almost 100 every second. So taking the time to create long, unique and complex passwords is still a critical step in securing your website.
We recommend making each password a minimum of 12 characters - the usual advice to include numbers, uppercase and lowercase letters, and special characters still applies, as does the advice to use a different password for everything.
For critical systems e.g. your email, we also recommend regularly changing your password. Every 30 days is usually sufficient.
If you’re worried about remember your passwords, then you can use a password manager. Just make sure that has an extremely strong password too!
3. Create a custom admin path
A common method of attack is to exploit standard configurations of websites to access admin pages and carry out automated brute force attacks to find correct username and password combinations.
By default, your admin path will something like ‘website.com/store/admin’. Simply changing your admin path to anything other than this default format will immediately make it harder for anyone to access your admin page and initiate an attack.
You can change the admin path to anything you like. But ideally, you should use a random letter string e.g. ‘website.com/store/thpgdh’ as this will be harder to guess.
4. Use role-based user permissions
If multiple people require logins for your website, then strict management of user accounts is another key method for improving security. We recommend implementing all of the following rules:
- No shared accounts - every person accessing your website should have their own user account.
- Know each user - accounts should not be anonymous, every user should be personally identifiable, so you know who was responsible for any changes.
- Assign only the permissions required for their role - users should only have the access level they require to do their job e.g. on WordPress a copywriter typically only needs author privileges, not admin access.
- Reduce permissions if they are no longer needed - Feel free to temporarily increase privileges e.g. if a copywriter is covering for an editor, upgrade them from author to editor access. But make sure you reduce their permissions again once the work is completed.
- Two-factor authentication (2FA) - To really enhance the security of your user accounts, add 2FA for all logins. Users have to complete a second verification check to access your website. For example, they may have to enter a security code sent to their mobile phone as well as their password. This means that even if an attacker steals a user’s password, they will not be able to log into your website. Most popular platforms have plugins or extensions which allow you to enable 2FA.
Taking these steps will give you greater control over the changes made on your website and will make it easier to find the source of any unexpected activity.
5. Use an Advanced Web Application Firewall
An advanced web application firewall gives you an extra line of defence against vulnerabilities from outdated software. When a new update is released the firewall will act as a “virtual patch”, keeping your website secure until you have time to roll out the latest update. This provides protection against zero-day vulnerabilities.
When properly configured and managed, an advanced web application firewall also provides protection against three other major threats - SQL injection, application vulnerability exploits and injected code. If you’re unsure about how to configure and manage a firewall, contact our team for advice.
6. Carry out regular vulnerability scanning
The internet is constantly evolving, which means new vulnerabilities will evolve too. So how do you make sure that the defences you have in place are protecting your website against emerging vulnerabilities? You carry out vulnerability scanning.
Vulnerability scans are typically non-intrusive tests where different types of traffic, queries and requests are sent to your website to assess whether any vulnerabilities are present. As these tests are easily automated and relatively inexpensive, we recommend you run a scan at least once every quarter to maintain the security status of your site.
7. Carry out penetration testing
Penetration tests take things one step further than vulnerability scans. They are intrusive as they involve hiring a specialist who will actively try to breach your website, mimicking the behaviour of an attacker. These tests give you more real-world insight into the security of your site.
The hands-on nature of these tests means they are more expensive than vulnerability scans, but they are also extremely valuable, so we recommend that penetration testing is carried out at least once a year.
8. Get an SSL certificate
SSL stands for Secure Sockets Layer and is the standard technology for safeguarding data over an internet connection. Using SSL protocol encrypts information on your website, securing data that is being transferred between two systems e.g. bank card details during the checkout process. This prevents attackers from intercepting or modifying the personal information transferred on your website.
Websites that follow this protocol have an SSL certificate. This is symbolised by a padlock icon in the address bar and the web address beginning with https rather than http (s for secure of course!)
Due to this visual signal, an SSL certificate isn’t just a great way to improve the security of your website, but also to demonstrate this security to potential customers. Many web browsers will now flag http sites as insecure. So, if you haven’t already, getting an SSL certificate should be a top priority.
9. Ensure you are PCI DSS compliant
Payment Card Industry Data Security Standard (PCI DSS) provides a set of guidelines which act as the gold standard for processing payments and securely handling the sensitive information required to do so.
PCI compliance is widely recognised as a trust signal, and failure to comply can result in fines from your card transaction processors. It is the only regulated process in the world to help protect your business against card payment fraud.
To remain PCI compliant, you must pass an annual assessment - this involves either a self-submitted questionnaire or an audit by an assessor, depending on the size of your business. PCI DSS covers 12 areas including data protection, access control and monitoring. So lots of the topics covered in this guide are relevant to these standards.
For more advice on PCI compliance, get in touch to speak to one of our experts.
10. Use an AVS
This tip relates specifically to improving security during the checkout process. Enabling an address verification system (AVS) can help to reduce fraud. The tool cross references the billing address entered on your website with the billing address on record at the card holder’s bank. If the addresses do not match, additional security procedures can be implemented e.g. asking customers to enter a special security code registered with their bank.
AVS is often effective as when criminals harvest card details, they can’t always access the associated billing address. Of course, as with most preventative measures, AVS is not a fail-safe. But when combined with the other recommendations in this guide, it is another step in the right direction for securing your website and protecting consumers.
Activity to Monitor
Keeping your site secure isn’t just about implementing specific protocols and procedures. In this section we cover the importance of monitoring different areas of your website to understand what ‘typical behaviour’ looks like and to help you identify any suspicious activity.
1. Monitoring file change activity
Files being added, changed or deleted is one of the earliest detectable signs that a website has been compromised. So, monitoring file changes is a highly effective method for identifying malicious activity.
If you notice an unexpected file change, consult with your web developers (and any other staff with sufficient access) to confirm whether they made the change. If they did, great! No further action is required. If they didn’t then you’ve identified a problem early and can take the appropriate steps to resolve it.
A small change could be easily missed in amongst the many day to day updates. Fortunately, there is a range of software available which will automate file change monitoring for you.
2. Monitoring website activity
For online retailers, keeping a minimum 12-month record of your security log data is already required for PCI DSS compliance. But you should really be logging all of your website activity to best detect and protect against security threats.
By monitoring and reviewing this activity regularly, you will establish patterns of what activity is normal for your site. This will make it easier to identify any suspicious changes in activity e.g. multiple hits per second from the same IP address. Investigating and reacting to malicious activity quickly could save your files.
We recommend analysing your log activity at least once a day. But ideally, you will use activity monitoring software which will alert you to any threats in near real-time.
3. Monitoring unprotected credit card holder data
Monitoring file changes and website activity are both defence mechanisms designed for the early detection of security threats and breaches. However, monitoring can also help you limit the damage to your site even if an attacker does manage to evade your earlier defences.
Payment card data is typically the most sought-after information in malware attacks. In many cases, attackers will store the payment card data they intercept in an unencrypted file somewhere on your website ready to harvest in bulk at a later date.
By carrying out regular Primary Account Number ‘PAN’ scans you can be alerted to any unprotected credit card holder data. This almost creates a trap for the attacker as, once alerted, you can remove the unencrypted data, find the source of the malware and remove it before the attack is able to extract the personal data.
Foregenix shared some of their research findings from 2015 with us, which highlight the need to be vigilant about suspicious activity. In around 90% of website breaches they assisted with, malware had been introduced to:
- Provide a backdoor for future access and the ability to create, modify or delete data, files and configuration on the system
- Gain access to databases
- Load other malicious software
- Enable stealth reconnaissance
- Steal credit card/personal data
Benj Hosack, Co-founder and CCO at Foregenix, confirmed that this is still the case in 2019.
“Still in 2019 we see that Malware is one of the essential tools for threat actors to steal and harvest customer data from websites. Businesses trading online should be especially careful in protecting customer data, as not only can they lose business and customer trust after a breach, they can also be heavily penalised by the card brands and the Information Commissioner’s Office, or the equivalent authority in other countries.”
Unusual activity may be a precursor to a full-scale malware attack, caused by the initial introduction of malicious software onto the site.
Which leads us smoothly into the next section of this guide...
Five Tips for Preventing Malware and Ransomware Attacks
As the saying goes, prevention is better than cure. Whilst monitoring enables you to respond quickly to any threats, and therefore reduce the potential damage, it is also important to consider the steps you can take to reduce the likelihood of an attack in the first place.
Let’s start with a quick definitions recap. Malware is literally shorthand for malicious software and refers to any software designed to covertly install itself on a system. Ransomware is a specific type of malware, an attacker blocks systems access or shares personal data, with the goal of eliciting a ransom payment. You can learn more about what malware is and how it spreads on the Foregenix blog.
1. Beware of email attachments
Attachments and links in emails are a common method that attackers use to spread malware. So avoid opening or downloading attachments from unknown senders.
Some spam emails will look immediately suspicious, they may contain spelling mistakes, poor formatting or bizarre greetings like ‘Dear Account Holder’. However, attackers are becoming increasingly sophisticated, so it is worth being extra vigilant. Even if an email looks legitimate, take the time to check that the sender’s email address matches the known email address for that company or person.
If you’re uncertain, don’t click any links or open any attachments. Instead, contact the person directly or access any accounts mentioned via your web browser to confirm that the contents of the email are genuine.
3. Educate your teams
Every single person within your organisation should be aware of malware and how to protect against it.
Create a guide of best practices for email, backups and web development. Then share with all staff and make it part of the induction process for new starters. Having everyone on the same page, with clear guidelines on what should be flagged as suspicious, will reduce the risks of someone accidentally introducing malware to your systems.
If you’re not sure what to include in your guide, take a look at our article on turning your staff into your best defence against ransomware and use that as a starting point!
We also recommend holding regular training sessions to refresh knowledge of these best practices.
4. Make use of security scans
Security scans are a quick and simple way to check whether your site is secure and keep it that way by identifying any risks of breach.
An initial vulnerability scan can determine whether there is any externally detectable malware on your website. It will also assess the setup of your website, looking for missing patches, SSL issues and more.
After this initial scan, recommendations can be made to address any active threats or potential risks. It may be that you need a digital forensics investigation following a breach or that your Magento store would benefit from an upgrade from M1 to M2.
Once any existing issues have been resolved, you can implement continual security scanning which will provide a near real-time view of your cyber security health. You will be automatically alerted to any changes indicating new risks.
Contact us to discuss how security scans can benefit your business. Together we can guarantee the security of your store.
5. Have backups in place
Of course, you should be doing everything you can to prevent a malware or ransomware attack, but it’s also important to be prepared in the event that you do suffer a breach. Damage limitation is much simpler if you have access to an uncompromised copy of any data and critical systems. This is why you should always have backups in place.
There are different types of backup solutions - cloud backups, tapes, external hard-drives and more. Ideally, you will have multiple backup copies to best protect your data. This is why cloud backups are so useful, as they allow you to easily protect data across multiple geographic locations.
If you’re not sure which backup option is the best for you, get in touch. Our team will be happy to help.
Maximising the security of consumers is a requirement for any responsible retailer. Trust and customer loyalty are built from consistently doing the right thing, which includes providing a safe shopping environment.
As part of the iomart Responsible Commerce programme, we partner with merchants to deliver and maintain security, speed, scalability and support throughout the entire lifetime of your store. Including up to £50,000 breach protection warranty, continual vulnerability scanning, and a shield of trust which you can display on your site, demonstrating a commitment to customer security. We work with you to drive long-term success through implementing industry-leading best practices.