
The Most Common Security Risks In Ecommerce, And How To Protect Your Store From Them

Based on our conversations with website owners over the years, the most common security risks store owners seem to fear are somewhat exotic: hackers stealing credit card data by intercepting web traffic, breaking into the server somehow and planting a virus, or maybe doing some Mission Impossible moves and stealing funds from the bank.

While these things could happen, the most common security risks involve passwords, employees, third parties, and negligence. Here’s how you protect your store from these more likely risks.


Passwords Are By Far Your Store’s Biggest Security Risk

Most store owners use easy-to-remember passwords because they’re in their store all the time. While this is logical, it’s risky:

  • Hackers share “master lists” of easy-to-remember passwords they’ve cracked over the years – like “Password!” or “ABCabc!@#” or whatever – and use these files along with software to look for easy accounts to break into.
  • Hackers can also use something called a “dictionary attack” to try and crack a password, which is basically running every word in the dictionary (plus common suffixes like “123!” or “!”) to try and break into an account.

These attacks are the least imaginative and most entry-level form of hacking, and yet they generate a LOT of opportunities.

So, if you’re reading this and you’re wondering if your password is vulnerable, it probably is. You can use Norton’s free password generator to create a super secure (and impossible to remember) password, or you can come up with your own password algorithm (easier than it sounds) so you never have to write anything down.
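To see whether a password would fall to the two attacks described above (a shared list of cracked passwords, and dictionary words with common suffixes), here is a small screening check. It is an added example, not part of the original post; the word lists, the function name `screen_password` and the store name "acmeparts" are constructed for illustration.

```python
import re

# Constructed sample data. A real check would load a large breached-password
# list and a full dictionary from files instead of these few entries.
COMMON_PASSWORDS = {"password!", "abcabc!@#", "123456", "qwerty", "letmein"}
DICTIONARY = {"password", "sunshine", "dragon", "welcome", "monkey", "admin"}

# Trailing digits and symbols of the kind appended to dictionary words
# ("123!", "!"), stripped before the dictionary lookup.
SUFFIX_RE = re.compile(r"[\d!@#$%^&*?._-]+$")


def screen_password(candidate, extra_words=()):
    """Return the reasons a password would fall to a list or dictionary attack.

    extra_words holds site-specific guesses (store name, username).
    An empty result means only that these two checks passed.
    """
    reasons = []
    lowered = candidate.lower()

    # 1. Exact match against the shared list of already-cracked passwords.
    if lowered in COMMON_PASSWORDS:
        reasons.append("on common-password list")

    # 2. Dictionary word followed by an optional common suffix.
    base = SUFFIX_RE.sub("", lowered)
    suffix = lowered[len(base):]
    words = DICTIONARY | {w.lower() for w in extra_words}
    if base in words:
        reasons.append(f"dictionary word '{base}' with suffix '{suffix}'")

    return reasons


if __name__ == "__main__":
    for pw in ["Password!", "ABCabc!@#", "Sunshine123!", "AcmeParts2024",
               "vT9#kq2Lw8$Zr"]:
        print(pw, "->", screen_password(pw, extra_words=["acmeparts"]) or "passed")
```

Running the same check when staff set or change their store passwords catches the weak ones before an attacker's list does.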

Additionally, you may be able to implement two-factor authentication for your store login (not all ecommerce systems support this, but most do). This way if one of your staff is using a weak password, you’ll have an additional layer of protection.

Employees Are Another Common Security Risk

Speaking of staff, they’re another common security concern. A staff member who is on their way out the door might not feel bad about “borrowing” a customer’s credit card info and making some personal purchases, for example. Or they might change a shipping address on a valid order to send a particularly valuable order to a friend’s house and then blame the shipping provider when someone investigates.

While most employee theft is low-tech (and foolish), it can add up to a lot of money if it goes unnoticed for a while. Some ways to limit your risk:

  • Avoid giving new employees full website access
  • Check everything twice with two different people – two people verify order addresses, two people verify phone orders, etc.
  • Check in with staff about their happiness and engagement level, and act swiftly when you determine a staffer is feeling disrespected

The last tip is important: Very often store owners correctly guess which employee is stealing from them once they discover that someone is stealing. If you suspect a staffer, either implement systems to limit the damage they can do or cut them loose.


Third-Party Tools And JavaScript Can Be Risky

Many security breaches are a result of problems you have no control over as a store owner. A third-party service may have a breach, fail to recognize it, and in the process expose you and your customers to substantial risk.

Obviously, you can’t control how a third party secures its own systems, so the best thing is to limit the way third-party tools (and JavaScript) are used on your e-commerce website.

  • If a third-party tool requires you to install a JavaScript snippet on your website, consider installing it via Google Tag Manager instead. That won’t necessarily stop every risk, but it will mitigate the more obvious ones.
  • If a third party is a new or relatively unknown company, it’s a good idea to dig into them a little bit before installing their tool or software on your site. With WooCommerce plugins, for example, we typically don’t consider using them without either a very large user base OR the support of a known developer.
  • Depending on the size of your store and the amount of business you can provide to a third party, you can request that they indemnify your store from risks due to their negligence and name your company on their insurance policy. If your company is providing them with a lot of revenue, it’s not an unreasonable request.
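Limiting third-party JavaScript starts with knowing which outside hosts your pages actually load script from. The following inventory script is an added example, not part of the original post; the sample page, the host names and the names `ScriptInventory` and `inventory_scripts` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptInventory(HTMLParser):
    """Collect <script> tags from one page, grouped by the host serving them."""

    def __init__(self, store_host):
        super().__init__()
        self.store_host = store_host.lower()
        self.third_party = {}   # host -> list of script URLs
        self.inline_count = 0   # inline snippets can load further scripts at runtime

    def _is_first_party(self, host):
        return host == self.store_host or host.endswith("." + self.store_host)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            self.inline_count += 1
            return
        # Relative URLs have no hostname and are served by the store itself.
        host = (urlparse(src).hostname or self.store_host).lower()
        if not self._is_first_party(host):
            self.third_party.setdefault(host, []).append(src)


def inventory_scripts(html, store_host):
    parser = ScriptInventory(store_host)
    parser.feed(html)
    return parser.third_party, parser.inline_count


# Constructed sample page; every host name here is a placeholder.
SAMPLE_HTML = """
<html><head>
<script src="/assets/cart.js"></script>
<script src="https://static.shop.example.com/checkout.js"></script>
<script src="https://cdn.chat-widget.example.net/loader.js"></script>
<script src="//reviews.example.org/embed.js" async></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    hosts, inline = inventory_scripts(SAMPLE_HTML, "shop.example.com")
    for host, urls in sorted(hosts.items()):
        print(host, urls)
    print("inline scripts to review by hand:", inline)
```

Run it against saved copies of your checkout and account pages first, and treat the inline count as a reminder that a static scan cannot see what those snippets load at runtime.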

Negligence Is A Killer Security Risk

If you’re using an open source ecommerce system like WooCommerce, Magento (a/k/a Adobe Commerce), Drupal, etc., website management and maintenance is a thankless chore. Installing plugin updates (for example) isn’t necessarily “security-critical,” but it is a good idea to stay on top of plugins on a monthly basis. And the same can be said for core updates. The key is not to ignore them.

But the main source of security risks from negligence is just ignoring signs of a problem. If a customer calls and blames your company for their card number getting stolen, you might think it’s a one-off and move on. But if it happens twice? An investigation is warranted.

The same goes for customers reporting emails that look like they came from your company but didn’t, customers complaining about security issues in reviews, or reports of odd website behavior. It takes time to go down these rabbit holes, but the time you might spend “chasing ghosts” will pale in comparison to the time you’ll spend dealing with the aftermath of an actual breach.

Summing Up

As an online store owner, it might be easy to shrug off a lot of ecommerce security issues. This is because website security conversations with experts often devolve into technobabble and arguments over the best way to deal with extraordinarily uncommon threats. In fact, it’s reasonable to listen to these conversations and conclude that either:

  1. Website security experts are extraordinarily paranoid (they are) or
  2. If a hacker is really determined to hack my store, they will, so why bother worrying about it?

But the truth is that most security issues that ecommerce stores encounter are run-of-the-mill. With some simple processes and foresight, you can eliminate most of your store’s risks.

Get even more tips on e-commerce security in this post on SporkMarketing.com.
