By Mike James
2015 has seen some very high profile retail and ecommerce related cyber-attacks hit the headlines. At the start of the year, British shoe brand Office reported a breach of their systems potentially affecting millions of customers. In March, healthcare insurance provider Premera Blue Cross revealed the scale of their hack, which had compromised over 11 million customers’ details, including bank account information. Perhaps the most highly publicised hacking story this year is Ashley Madison. While the intent of this hack didn’t appear to be motivated by stealing bank account information, it seemed the hackers wanted to embarrass its owners and management, nevertheless bank and credit card information was again compromised.
These are just a few high profile examples of businesses that process payments online and have found themselves struck by sophisticated hacking techniques in the last year alone. National and global retailers and ecommerce businesses frequently hit the headlines following cyber security breaches, but what about the many thousands of smaller retailers that run ecommerce operations online? What steps can small or medium enterprise businesses, or SMEs, take to better protect themselves and their customers’ data?
Key considerations for online retailers
For businesses that process payments online, the following steps should be at the forefront of your security assessment
1) User training
End users clicking links or downloading documents containing malware provides one of the main access routes for hackers to breach your network. Ensuring that all of your staff are fully trained in spotting malicious looking emails and other communications is imperative for any organization dealing with sensitive data.
2) Passwords
Weak passwords can also provide a way for hackers to compromise your systems. Make sure that all passwords into your systems, software and applications are sufficiently complex.
3) System configuration
The configuration of your computer network and the coding of your applications, software, website and payment gateways are all critical to the security of your customer’s data. You need to ensure all have been configured with web security in mind.
4) Software & Application testing
Legacy and unpatched software and applications can also provide a route into your network by hackers. You need to regularly monitor, test and update all software and apps.
5) Network security
Have you implemented adequate threat detection technology? How confident are you that you will detect threats quickly enough before they are able to damage you? These are just two key questions that any online retailer needs to consider as part of their network security assessments.
6) PCI-DSS compliance
Are you managing to adhere to the Payment Card Industry Data Security Standards (PCI-DSS)? Do you require assistance in ensuring that you meet the required regulations?
Ensure you’re secure from the outset
Whatever your current stance is on the above six key issues, it’s understandable why smaller retailers sometimes find themselves in trouble. With continuing growth in online sales many bricks and mortar retailers have found themselves under considerable pressure to adapt their operations to include an eCommerce offering. However, the pressure to offer an online solution for customers, without necessarily taking the time to ensure all security issues have been fully considered before launch, can have devastating consequences for smaller businesses. With speed being the critical factor, some sites have been launched with limited testing and inherent vulnerabilities that hackers have been quick to target. The potential costs of not securing systems can be enormous from lawsuits and notification expense to customer losses due to reputation damage
From SMEs to major retailers, it’s critical for businesses of all sizes to manage their information security risk. From PCI DSS compliance through to 24/7 real time monitoring, considering all aspects of cyber security is a must for anyone dealing with sensitive customer data.
Mike James is part of the IT team at Redscan – a managed threat detection and security services company.