The Most Common Security Risks In Ecommerce, And How To Protect Your Store From Them
Based on our conversations with website owners over the years, the most common security risks store owners seem to fear are somewhat exotic: Hackers stealing credit card data by intercepting web traffic, breaking into the server somehow and planting a virus, or maybe doing some Mission Impossible moves and stealing funds from the bank.
While these things could happen, the most common security risks involve passwords, employees, third parties, and negligence. Here’s how you protect your store from these more likely risks.
Passwords Are By Far Your Store’s Biggest Security Risk
Most store owners use easy-to-remember passwords because they’re in their store all the time. While this is logical, it’s risky:
- Hackers share “master lists” of easy-to-remember passwords they’ve cracked over the years – like “Password!” or “ABCabc!@#” or whatever – and use these files along with software to look for easy accounts to break into.
- Hackers can also use something called a “dictionary attack” to try and crack a password, which is basically running every word in the dictionary (plus common suffixes like “123!” or “!”) to try and break into an account.
These attacks are the least imaginative and most entry-level form of hacking, and yet they generate a LOT of opportunities.
So, if you’re reading this and you’re wondering if your password is vulnerable, it probably is. You can use Norton’s free password generator to create a super secure (and impossible to remember) password, or you can come up with your own password algorithm (easier than it sounds) so you never have to write anything down.
Additionally, you may be able to implement two-factor authentication for your store login (not all ecommerce systems support this, but most do). This way if one of your staff is using a weak password, you’ll have an additional layer of protection.
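To show why a password like "Password!" or a dictionary word with "123!" on the end falls so quickly, here is a short check a store could run when a password is set. It is an added example, not part of the original article; the word lists, the substitution table, and the function names are constructed for illustration.

```python
"""Screen a new password against the two attacks described above."""
import string
from typing import Optional

# Constructed sample data. A real store would load a large breached-password
# corpus and a full dictionary; these short sets only illustrate the check.
LEAKED_LIST = {"password!", "abcabc!@#", "123456", "qwerty", "letmein"}
DICTIONARY = {"password", "welcome", "summer", "store", "admin", "dragon"}

# Characters a dictionary attack typically appends to a word ("123!", "!").
SUFFIX_CHARS = string.digits + "!@#$%^&*.?"
# Common character substitutions that cracking rules undo (assumed set).
LEET = str.maketrans("@$013457", "asoleast")


def weakness(password: str) -> Optional[str]:
    """Return the reason a password is guessable, or None if neither check hits."""
    lowered = password.lower()
    if lowered in LEAKED_LIST:
        return "leaked-list"
    # Strip the trailing digits/symbols, then undo substitutions, so that
    # "Summer2024!" and "P@ssw0rd123!" reduce to a plain dictionary word.
    stem = lowered.rstrip(SUFFIX_CHARS).translate(LEET)
    if not stem:
        return "digits-and-symbols-only"
    if stem in DICTIONARY:
        return "dictionary-word-plus-suffix"
    return None


def screen(candidates):
    """Map each candidate password to its weakness (None means it passed)."""
    return {pw: weakness(pw) for pw in candidates}


if __name__ == "__main__":
    for pw, reason in screen(["Password!", "Summer2024!", "P@ssw0rd123!",
                              "2024!!", "vT9#qLm2$Xw8Rz"]).items():
        print(f"{pw!r}: {reason or 'not on either list'}")
```

A result of None only means the password survived these two checks; it says nothing about length or reuse on other sites.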
Employees Are Another Common Security Risk
Speaking of staff, they’re another common security concern. A staff member who is on their way out the door might not feel bad about “borrowing” a customer’s credit card info and making some personal purchases, for example. Or they might change a shipping address on a valid order to send a particularly valuable order to a friend’s house and then blame the shipping provider when someone investigates.
While most employee theft is low-tech (and foolish), it can add up to a lot of money if it goes unnoticed for a while. Some ways to limit your risk:
- Avoid giving new employees full website access
- Check everything twice with two different people – two people verify order addresses, two people verify phone orders, etc.
- Check in with staff about their happiness and engagement level, and act swiftly when you determine a staffer is feeling disrespected
The last tip is important: Very often store owners correctly guess which employee is stealing from them once they discover that someone is stealing. If you suspect a staffer, either implement systems to limit the damage they can do or cut them loose.
Many security breaches are a result of problems you have no control over as a store owner. A third-party service may have a breach, fail to recognize it, and in the process expose you and your customers to substantial risk.
- If a third party is a new or relatively unknown company, it’s a good idea to dig into them a little bit before installing their tool or software on your site. With WooCommerce plugins, for example, we typically don’t consider using them without either a very large user base OR the support of a known developer.
- Depending on the size of your store and the amount of business you can provide to a third party, you can request that they indemnify your store from risks due to their negligence and name your company on their insurance policy. If your company is providing them with a lot of revenue, it’s not an unreasonable request.
Negligence Is A Killer Security Risk
If you’re using an open source ecommerce system like WooCommerce, Magento (a/k/a Adobe Commerce), Drupal, etc., website management and maintenance is a thankless chore. Installing plugin updates (for example) isn’t necessarily “security-critical,” but it is a good idea to stay on top of plugins on a monthly basis. And the same can be said for core updates. The key is not to ignore them.
But the main source of security risks from negligence is just ignoring signs of a problem. If a customer calls and blames your company for their card number getting stolen, you might think it’s a one-off and move on. But if it happens twice? An investigation is warranted.
The same goes for customers reporting emails that look like they came from your company but didn’t, customers complaining about security issues in reviews, or reports of odd website behavior. It takes time to go down these rabbit holes, but the time you might spend “chasing ghosts” will pale in comparison to the time you’ll spend dealing with the aftermath of an actual breach.
As an online store owner, it might be easy to shrug off a lot of ecommerce security issues. This is because website security conversations with experts often devolve into technobabble and arguments over the best way to deal with extraordinarily uncommon threats. In fact, it’s reasonable to listen to these conversations and conclude that either:
- Website security experts are extraordinarily paranoid (they are) or
- If a hacker is really determined to hack my store, they will, so why bother worrying about it?
But the truth is that most security issues that ecommerce stores encounter are run-of-the-mill. With some simple processes and foresight, you can eliminate most of your store’s risks.
Get even more tips on e-commerce security in this post on SporkMarketing.com.