Click the button and start listening to this article.
E-commerce and online businesses face an unprecedented number of security threats in today’s landscape. From ransomware and malware to fraud, theft, and major data breaches, there’s almost no stone left unturned by would-be attackers.
It makes pinpointing security investments incredibly challenging. Where do you focus your time, money, and resources? What should take priority? What are the top threats your business faces amidst all the potential events?
There are several forms of fraud a business must contend with, including financial and credit fraud, fake returns, and counterfeit goods.
With credit card fraud, either the criminals have stolen legitimate payment details, or someone is trying to pull a fast one and use fake information. Stolen cards are much more common, and they’re used to buy goods or services more often than you might think.
Fake returns happen when a customer replaces a genuine article with something that’s not, or when they claim an item as stolen or lost in shipping when it was not. This plagues all online businesses, including major retailers like Amazon, Walmart, and others.
Commonly called phishing, or social engineering in some cases, it’s the act of creating a mirror website, portal, or email that looks legitimate. Fraudsters create the fake copy and try to pass it off as genuine, and customers, employees, and vendors then presumably use the site, giving up sensitive information, including account or payment details.
Resourceful hackers can actually use URL and site redirects to send visitors to the fake portal, increasing the damage of such an attack. They often gain access to mission-critical systems or remote computers through social engineering hacks, where they pose as a legitimate source. During the EITest scam campaign, for example, attackers posed as tech support crews, conning victims into paying for services.
3. Malware and Ransomware
Infecting websites, computers, and IT systems with malware is a common occurrence, and it can be done using various system vulnerabilities. Opening or downloading attachments in an email is just one way they can infect a system. Hackers can also install malware remotely or in person, or it can be done automatically after a triggered event, such as the email example.
A particularly egregious form of this is called ransomware. The virus or malware will seize control of the computer, system, or critical data. Hackers will then demand a ransom promising to return access after being paid. In most cases, the hackers are under no obligation to return access or restore data, meaning the business is out even more in financial costs.
Trying to remove the ransomware yourself may result in deleted or corrupt systems and data. It highlights the importance of creating regular data backups that can be restored in an emergency. The recent Colonial Pipeline attack was carried out with ransomware.
4. DDoS Attacks
Websites, e-commerce sites especially, are vulnerable to something called DDoS attacks, or Distributed Denial of Service attacks. It’s a malicious attempt to overwhelm servers with a flood of internet traffic, ultimately disrupting the services of a company. If your website was under this type of attack, your customers and visitors would not be able to visit the site and would instead be met with an error.
Hackers use exploited machines to carry out these attacks, sometimes even employing botnets, a complex network of devices and systems, much like we saw with the Marai botnet. The best defense against these types of attacks is to use a web application firewall, which is really another layer of digital security. Some examples include Cloudflare, AWS Shield, Azure DDoS Protection, SiteLock, Google Cloud Armor, and more.
You can think of an exploit as a known vulnerability or weakness in digital security and armor. Hackers gaining access to a network through an open router port is a very basic example. On a more complex level, they might also appear because of misconfigured S3 buckets or permissions, unsecured systems, SQL injection vulnerabilities, cross-site scripting, and more.
The best defense for these kinds of security threats is to employ top-level monitoring tools to detect and deal with potential vulnerabilities before they can be leveraged by attackers. AI is paving the way for more advanced systems that can handle 24/7 monitoring and improve detection accuracy, but every business should have some form of network security monitoring in place.
6. Brute Force
Often automated in the form of bots, brute-force attacks are straightforward and can be incredibly damaging when they succeed. Basically, it’s when an attacker continues to try various administrative account and password combinations, over and over until they gain access. They’re automated to make things faster and to attack multiple domains at once.
There’s really no defense for this kind of attack, outside of using a cloud security service, and ensuring that strong password protocols are followed. You should be using strong passwords with complex strings anyway.
7. Additional Threats
Of course, there are many other types of security threats a business may encounter or face in today’s market. Some of those are:
- Man in the Middle (MITM) – These attacks happen when a hacker listens in or snoops on a connection. They might inject malware for a point-of-sale system to scoop up payment and credit card details, for instance.
- e-Skimming – Becoming more and more common, e-skimming is when a website’s storefront or checkout page is infected. It’s a lot like a MITM attack, except the company’s website is the one compromised. Hackers use these attacks to steal credit cards and payment details.
- Spamming – Spamming attacks are similar to phishing in that they might mimic a legitimate email or portal. They’re sent en masse to a collection of contacts, and hackers hope to get a nice chunk of hits out of the communications. They might send messages via social media, email, or other means.
- Data Scraping – Hackers may scour a website using simple URL and development techniques to find sensitive data. The act itself is not always nefarious, but it can create major problems when you’re talking about trade secrets, upcoming product releases, and sensitive business information that you want to remain private.
How to Protect Your Business and Website
While each form of attack or threat must be dealt with differently — for example, you wouldn’t deal with a phishing attack in the same way you’d deal with a DDoS attack — there are some basic things you can do to better protect your business, website, and customers.
1. Enable Encryption
Use data encryption to protect the information that’s being sent back and forth between your visitors and your website, especially for e-commerce and online storefronts. HTTPS protocols with SSL certificates are a must-have!
2. Anti-Malware and Anti-Virus Tools
You’d think it would be obvious, but that’s not necessarily true. Ensure you have anti-malware and anti-virus tools installed on all mission-critical systems, at the very least. Ideally, every computer or device connected to the network will be protected and scanned regularly for potential threats.
3. Train Personnel
Hackers can use social engineering to fool employees into providing them access. They can also take advantage of poor or ineffective passwords, stolen or lost security badges, and similar authentication techniques. It is imperative that you train all of your employees to build proper security awareness.
4. Deploy Firewalls
Use services such as Cloudflare to deploy firewalls between would-be attackers and your network. They can help fend off the more challenging threats like SQL injection, DDoS attacks, and much more.
5. Secure Payment Gateways
If you’re taking payments, you should be using a third party to handle the processing and services, rather than maintaining in-house systems. It keeps all sensitive information away from your website and servers and often provides much better protection overall. Payment providers have their systems locked down, and you must as well.
6. Create a Security Team
Whether you go with a small internal team or find a third-party service to handle the duties, you should establish a security crew to manage, monitor, and maintain your various digital security requirements. Their primary focus should be on protecting and securing your website, business, and all related network systems. Ideally, they would have a strong background in IT security and networks. You can also use special online programs to help you protect your confidential information from cybercriminals. For example, one such tool is the url fuzzer by Sitechecker. This tool will help you identify all hidden directories and files on your site. You will be able to take steps to fix these problems and cybercriminals will not be able to upload malicious code or steal confidential data to your site.
Protection Starts Today
Your business and its website represent your portal to the world and your livelihood. Pay attention to these essentials and you’ll be well on your way to keeping them safe.
About the Author
Eleanor Hecks is editor-in-chief at Designerly Magazine. She was the creative director at a digital marketing agency before becoming a full-time freelance designer. Eleanor lives in Philly with her husband and pup, Bear.