Planning the eCommerce Security Process

We have all seen the headlines.

A well-known company is hacked, does something foolish or otherwise fails to prevent customer data from being shared publicly. In some cases it disrupts your operations; in others financial loss or fraudulent transactions are involved. Finally you have the social-interest cases - such as the more recent Ashley Madison affair - that become media dynamite and are shouted from the rooftops.

The adage about the 'larger you are' is of course true. If you are a brand new start-up you may not be the most high-profile target. However, getting the security process and mindset right, and building it into your plans from day one, is the first step in ensuring you are not the softest target on the block.

Read on to find out some easy ways to protect your eCommerce website.

Security is a big deal - but it's not unsolvable

You should put in place measures to protect your systems and data against theft and hackers. You may or may not be able to do this directly yourself - so we would suggest that, at the least, you communicate your security needs to your providers and keep their answers on file.

There are a variety of ways in which misuse of information (yours or a customer's) or hacker attacks could jeopardise your business.

Make sure you include security in your planning process; don't think of eCommerce security as an 'add-on'.

If you don't, you run the risk of your site being down, of becoming a target for extortion and customers refusing to do business with you once you get it back online!

SSL and TLS

Many people are familiar with the acronym SSL (Secure Sockets Layer). It is associated with the technology used to encrypt transactions. In fact there is a newer kid on the block - TLS (Transport Layer Security). TLS 1.2 has been built on the foundation of SSL. SSL is now an older approach - and has inherent weaknesses.

A fuller discussion of the differences (in short, it's the way the encrypted session is initiated) is beyond the scope of this blog post; the takeaway is to make sure your website and certificates support TLS.

Some people use the terms SSL and TLS interchangeably, so ask your software provider and host the question directly (which mechanism do you use for encryption, SSL or TLS, and which version?) and look for the answer to be TLS 1.2 or 1.3.
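You don't have to take the provider's answer on trust. As an added check (not part of the original post), this Python snippet uses only the standard library to probe which TLS versions a server will negotiate, by pinning the client to one protocol version at a time; the host name is whatever you pass in.

```python
import socket
import ssl

# Protocol versions worth probing. SSLv2/SSLv3 cannot be negotiated by a
# modern Python `ssl` module at all, so they never appear as "offered".
PROBE_VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# The versions the blog post says you should be looking for.
ACCEPTABLE = {ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3}


def context_pinned_to(version):
    """Client context that will negotiate exactly one protocol version.
    Certificate verification stays on, so a broken certificate chain shows
    up as 'nothing negotiable' rather than being silently ignored."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe_versions(host, port=443, timeout=5.0):
    """Return {TLSVersion: bool} saying which versions `host` negotiated."""
    results = {}
    for version in PROBE_VERSIONS:
        try:
            ctx = context_pinned_to(version)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            # Handshake refused, connection failed, or this version is not
            # compiled into the local OpenSSL: either way, not negotiated.
            results[version] = False
    return results


def evaluate(results):
    """Pass only if TLS 1.2 or 1.3 is offered and nothing older is."""
    offered = {version for version, ok in results.items() if ok}
    return bool(offered & ACCEPTABLE) and not (offered - ACCEPTABLE)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # constructed default
    found = probe_versions(host)
    for version, ok in found.items():
        print(f"{version.name}: {'negotiated' if ok else 'refused'}")
    print("PASS" if evaluate(found) else "FAIL")
```

A "refused" result for TLS 1.0 or 1.1 can also mean your own OpenSSL build declines to speak them, so treat a PASS as "nothing old was negotiable from here" and confirm with the host's own configuration.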

Protecting Information Online

Data leaks are usually a huge problem. You need to understand the legal implications (Data Protection) and the social ones.

However, people gaining access to information they should not have often stems from an oversight in configuration or process (it's not always a direct 'hacker' issue). Some basic principles can be followed to reduce your risks:

Ensure that every user that can access your website has a unique user name. Make sure that:

  • Nobody logs in on a regular basis with the 'admin' account
  • Nobody in your organisation shares accounts or passwords - if someone needs to log into the back-end of your site, they need their own password!
  • You have 'audit logs', an evidence trail of the actions of all accounts
  • At the end of the development process, you write to your developers and ask them to confirm the user names of any accounts they maintain, and why they have them
  • You use password controls - i.e. a minimum password strength, keep passwords unique and change them periodically

Security Controls

Your security controls dictate who can do what. Whereas it may be easier to make everyone in your organisation an 'admin' user - should everyone that logs in have access to your customers' buying habits? How about your product lists or purchase costs?

Check with your providers that your security controls are granular enough to meet your needs.

Inadequate security controls - or failing to configure them correctly - are often a root cause of hackers gaining access to sensitive business data such as price lists, catalogs and valuable intellectual property. The motive may be malicious or to gain competitive knowledge.

More worryingly, the motive may be to use your customers' data fraudulently.

Combat this by:

  • Ensuring that every internal user only has the minimum access they need - no more.
  • Having a process for removing the accounts of people that leave your organisation.

Mitigating DDoS and Network Threats

A DDoS (Distributed Denial-of-Service) attack prevents your customers (and often yourselves) from accessing your website. In short, so much traffic is sent to your site from multiple places that it becomes overwhelmed and unable to respond to 'real' customers.

DDoS attacks are sadly pretty easy to initiate - and harder to solve unless you plan your infrastructure properly.

As before, this is not the place for a full technical explanation, but make sure you have a plan for responding to such issues. You can do this in part by:

  • Selecting a host that has the capability and process to respond appropriately (we like to use Pantheon for all of our Drupal or WordPress sites). Make sure you understand in advance what will happen if a DDoS is detected and who will communicate with whom.
  • Considering a CDN (Content Delivery Network) as part of your hosting solution. There are others, but Cloudflare is easily accessible and cost effective.

It is FAR easier to configure solutions such as Cloudflare before you have issues as opposed to during!

Contingency Planning

Ultimately contingency planning is about expecting the unexpected. Here is a short list of things to make sure you can put your hands on if you need them:

  • A complete backup of your site, typically from within the last 24 hours, and an older reference point
  • An export of customer accounts and transaction details
  • Your security certificate(s) - the .key and .csr files as well as the unique encryption password
  • Your product data in .csv or other sane format
  • A change log for your website (what was the last code change, by whom and when)
  • A snapshot of the latest code change (via a system such as git)
  • A root account and password

Note: this may not all be information you have to hand - but you need to know who does and how to access it! With access to the above information and data, the list of problems you can solve increases. As this data becomes unreliable or harder to access, the difficulty of solving certain problems increases.