The nightmare scenario for every shop operator: malware infects the shop software, steals your customers’ payment data, encrypts the merchandise management data, and turns your online shop into a distribution point that also infects your customers’ computers. The system is down for days or weeks, and sales collapse. The good news is that you can do a great deal to prevent this. The following applies to shop operators who administer their shop system themselves. If you use a rental shop such as the Host Europe online shop, you are already largely on the safe side, because professionals take care of the security of the platform, including malware protection and backups. But be careful: even then, you must use strong, unique passwords (and enable two-factor authentication if your shop offers it). If an operator logs in to the backend with a publicly known email address and the password “123456” (the most frequently used password for many years), no professional can help.
E-Commerce Security Is More Than The Antivirus
Even though the malware attack described above sounds like the worst case, other threats (covered in the next section) can also affect your website and your users. Information security measures always pursue three classic protection goals: confidentiality, integrity (correctness of information and functions), and availability. All three matter for online shops. “Availability” means that authorized users can access systems and data as intended.
For a webshop this means: potential customers must be able to reach your shop website and use all essential functions (product selection, shopping cart, checkout), and you, as the operator, must be able to reach the backend. But even if everything works, that does not mean everything is fine. Perhaps an attacker has manipulated the system (a violation of “integrity”) so that it spies on users unnoticed (a breach of “confidentiality”). In short: take a holistic view of security and think about possible risks and their effects.
Know Your Enemy
Taking that view assumes that you understand the potential risks, which is challenging in a fast-moving field like online security: cybercriminals are constantly finding new ways to compromise other people’s systems. Security vendors such as Avast and government authorities publish up-to-date threat information. The most critical threats for online shops currently are ransomware, DDoS attacks, and automated or targeted hacker attacks. Ransomware is malware that encrypts essential data and releases it only after a ransom is paid, if at all. It gets into the system in a variety of ways: as a Trojan (malware disguised as useful software), via email attachments opened out of ignorance, through a supply chain attack (malicious code delivered over the regular update channel of a compromised vendor), or as the result of a successful hacker attack. Other malware families remain a serious threat as well.
With DDoS attacks (Distributed Denial of Service), criminals try to bring web servers to their knees with a flood of requests. The aim is either to harm the operator or to extort money. You can find more information at the BSI, for example.
Hacker attacks exploit security gaps, such as weaknesses in your shop software or WordPress, or insufficiently protected logins, to penetrate the system. This is done in a targeted way or, increasingly, automatically by bots, especially in e-commerce: in 2021, almost 60 percent of all attacks on online shops were carried out by bots.
Virus protection is vital for websites today. Host Europe provides a free antivirus solution for many of its shared hosting packages. The administration tools Plesk and cPanel also offer virus protection and other security tools for server packages. In addition, shop operators can use a cloud-based SaaS security service (Software as a Service) such as Sucuri. However, the best defense against ransomware is an up-to-date backup of your business-critical data, kept on a separate system or offline so that the ransomware cannot encrypt it as well, and restored in a test now and then so you know it works. Do not let yourself be blackmailed in the first place.
Newly discovered vulnerabilities are usually closed by the developer soon after they become known, but they are exploited by attackers just as quickly or even faster. Therefore, always keep your system up to date and install security updates for all components immediately. How to protect essential pages such as login pages is covered in a separate article. Before launch, and after significant changes to your system, invest in a security expert who will review your design and carry out penetration tests (simulated attacks). A web application firewall (WAF) also adds a high level of security: a reverse proxy that inspects the HTTP traffic between clients and the shop and blocks requests that match known attack patterns. WAFs are available as server plugins, as separate appliances, or as a service, for example in the Sucuri security suite mentioned above.
Repel DDoS Attacks
DDoS attacks are particularly insidious: in extreme cases they can completely paralyze your shop, which leads to significant sales losses, especially during peak periods such as Black Friday or before Christmas. And they are hard to fight. The BSI recommends configuring the web server so that the attack surface is as small as possible and unnecessary or potentially harmful packets are rejected from the outset (filtering, rate limiting, logging of source IP addresses, etc.), making use of your provider’s defense services, and preparing in advance to mitigate the consequences of a successful DDoS attack. Caching static content on distributed Content Delivery Network (CDN) servers, which Sucuri also offers, absorbs much of the attack traffic and improves performance at the same time.
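The two attack patterns from the “Know Your Enemy” section and this one, bots hammering the backend login and single sources flooding the shop, are visible in the web server’s own access log. The following script, added here as an example and not code from Host Europe, the BSI or Sucuri, parses combined-format log lines and flags source IPs that exceed a threshold inside a sliding time window. It assumes the backend login lives at /admin/login and answers a failed login with HTTP 401; the thresholds and the sample log lines are constructed for the example and should be tuned to your own traffic.

```python
"""Spot automated login attacks and request floods in web-server access logs.

Added example for this article (not Host Europe, BSI or Sucuri code). It assumes
the shop backend answers a failed login with HTTP 401 and that the log is in the
Apache/nginx "combined" format; adjust LOGIN_PATH and the thresholds to your shop.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOGIN_PATH = "/admin/login"          # assumed backend login URL
FAILED_LOGIN_STATUSES = {401, 403}   # assumed "login rejected" responses

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass
class Entry:
    ip: str
    ts: datetime
    method: str
    path: str
    status: int
    ua: str


def parse_log(text):
    """Parse combined-format lines; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append(Entry(
            ip=m["ip"],
            ts=datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            method=m["method"], path=m["path"], status=int(m["status"]), ua=m["ua"],
        ))
    return entries


def peak_in_window(times, window):
    """Largest number of events from one source that fall inside any span of length `window`."""
    times = sorted(times)
    start, peak = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window start forward
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def ips_over_threshold(times_by_ip, threshold, window):
    """Return {ip: peak_count} for every IP that reaches `threshold` events within `window`."""
    flagged = {}
    for ip, times in times_by_ip.items():
        peak = peak_in_window(times, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def detect_login_bruteforce(entries, threshold=5, window=timedelta(minutes=5)):
    """Bots guessing backend passwords: `threshold` failed POSTs to LOGIN_PATH within `window`."""
    failures = defaultdict(list)
    for e in entries:
        if e.method == "POST" and e.path == LOGIN_PATH and e.status in FAILED_LOGIN_STATUSES:
            failures[e.ip].append(e.ts)
    return ips_over_threshold(failures, threshold, window)


def detect_floods(entries, threshold=10, window=timedelta(seconds=10)):
    """Single sources hammering the shop: `threshold` requests of any kind within `window`."""
    requests = defaultdict(list)
    for e in entries:
        requests[e.ip].append(e.ts)
    return ips_over_threshold(requests, threshold, window)


# Constructed sample traffic (RFC 5737 documentation addresses, not real visitors).
def _line(ip, ts, req, status, ua="Mozilla/5.0"):
    return f'{ip} - - [24/Nov/2023:{ts} +0000] "{req} HTTP/1.1" {status} 512 "-" "{ua}"'


SAMPLE_LOG = "\n".join(
    # a bot: six failed backend logins within ten seconds
    [_line("203.0.113.7", f"09:00:{1 + 2 * i:02d}", "POST /admin/login", 401, "python-requests/2.31")
     for i in range(6)]
    # a forgetful admin: three typos spread over forty minutes, then a successful login
    + [_line("198.51.100.9", t, "POST /admin/login", 401) for t in ("09:01:00", "09:20:00", "09:40:00")]
    + [_line("198.51.100.9", "09:41:00", "POST /admin/login", 302)]
    # an ordinary shopper
    + [_line("192.0.2.1", "09:02:00", "GET /", 200),
       _line("192.0.2.1", "09:02:30", "GET /product/42", 200),
       _line("192.0.2.1", "09:03:10", "POST /cart", 302)]
    # a flood: twelve requests for the front page within six seconds
    + [_line("203.0.113.50", f"09:05:{i // 2:02d}", "GET /", 200) for i in range(12)]
)

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("login brute force:", detect_login_bruteforce(entries))   # {'203.0.113.7': 6}
    print("request floods:", detect_floods(entries))                # {'203.0.113.50': 12}
```

The forgetful admin is not flagged because the sliding window never contains more than one of his failures, while the bot and the flood source are. In practice the blocking itself belongs in the WAF, in a tool such as fail2ban, or in the provider’s DDoS service; a scan like this over yesterday’s log is the check that those filters are actually catching what reaches your server.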
Ecommerce Security – The Human Factor
Website security can be significantly improved with security solutions such as Sucuri Website Security, especially for shop owners without technical and security knowledge or without access to the server configuration. But technology is not everything: people remain the weakest link. It is bad enough that manufacturers ship systems with insecure default settings and that admins make configuration errors. Even more serious is the carelessness of users. Again and again, employees fall for phishing emails, calls from supposed admins or Microsoft employees, and other social engineering tricks; they divulge credentials and other critical information or open malware-infected attachments. You should therefore make sure that everyone in your company and, if possible, your partners are aware of these threats.