A Black Friday checklist for businesses selling online

As we approach the end of November, the holiday shopping season begins, starting with Black Friday. Black Friday and Cyber Monday mark a shift in consumer behaviour: more than ever before, individuals prefer online transactions over traditional in-store purchases. Statistics indicate that Black Friday expenditure in the UK reached £1.49 billion in 2018.

As sales grow online, criminals take advantage of the upsurge in traffic to eCommerce sites, where customers share valuable information such as credit card details, email addresses, home addresses and more. Online merchants therefore need to understand the critical importance of website security for protecting sensitive data. However, research conducted by Tala Security highlights that 98% of Google Alexa's top 1000 websites lack deployed client-side security measures.

Investing in resilient security for your eCommerce platform is far less costly than your site suffering a data breach, so to ensure the festive season runs smoothly, here are some things you should consider...

The biggest threats to your business this Black Friday

Phishing

Phishing attacks continue to be a pervasive threat in 2019, and Black Friday purchases present a good opportunity for criminals to develop new phishing campaigns. Criminals will often impersonate different companies to trick victims into providing private information such as passwords, credit card details and more. Be vigilant and let your customers know if cyber criminals are impersonating your brand. Moreover, train your employees to recognise social engineering scams that could lead to a data breach or leak; read our blog to find out more about phishing. Scan your company domain using our breach checker to discover whether any of your employees' information has been shared on the dark web, and to receive a tailored list of risks your company is exposed to.

SQL injection

SMEs are common targets for cyber criminals as they are more likely to have vulnerabilities on their websites. Malicious actors can inject fraudulent SQL into the platform through an authentication or contact form to gain access to the information stored in your database. To prevent SQL injection attacks, you should apply data sanitisation routines to filter user input, apply patches and updates regularly, and use web application firewalls (WAF) to filter malicious data.
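To show why input filtering alone is not enough, here is an added example (not code from the original post) of a login lookup written the vulnerable way, with string concatenation, beside the hardened parameterised version; the user table, the password hash values and the test inputs are all constructed for the demonstration.

```python
import sqlite3


def build_db():
    # Constructed in-memory user table; the "hash" is a placeholder string,
    # not a real password hash.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice@example.com', 'hash-of-alice-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, email, password_hash):
    # Vulnerable: form input is spliced straight into the SQL text, so a
    # quote character in the email field can change the query's logic.
    sql = ("SELECT email FROM users WHERE email = '" + email +
           "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()


def login_parameterised(conn, email, password_hash):
    # Hardened: placeholders pass the input as data, never as SQL, so the
    # same quote character is just part of a (non-matching) email string.
    sql = "SELECT email FROM users WHERE email = ? AND password_hash = ?"
    return conn.execute(sql, (email, password_hash)).fetchone()


def demo():
    conn = build_db()
    honest = ("alice@example.com", "hash-of-alice-pw")
    # Constructed malicious form input: the quote closes the email literal and
    # "--" comments out the password check that follows it.
    injected = ("alice@example.com' --", "anything")
    return {
        "vuln_honest": login_vulnerable(conn, *honest) is not None,
        "vuln_injected": login_vulnerable(conn, *injected) is not None,
        "safe_honest": login_parameterised(conn, *honest) is not None,
        "safe_injected": login_parameterised(conn, *injected) is not None,
    }
```

In a real login handler the stored value would be a salted password hash compared server-side; the point here is only that the parameterised query refuses the injected input while the concatenated one lets it through.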

Cross-site scripting (XSS)

XSS consists of malicious code - usually JavaScript - placed into a webpage. This particular attack does not target the website itself but its visitors, aiming to expose them to malware or phishing attempts.

E-Skimming

E-Skimming is a threat to all websites handling online transactions. Criminals execute malicious code on particular pages, typically checkout pages, to capture payment details in real time. This is extremely difficult to spot and has been a growing problem in 2019. Regular security practices are recommended, such as vendor assessment, server patching, access control and external penetration testing.
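Because a skimmer is usually an extra script that appears on the checkout page, one practical detection is to inventory the page's script tags against an allowlist. The following is an added example, not code from the original post: the checkout HTML, the hostnames and the allowlist are all constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page. The third script tag stands in for the kind
# of unexpected third-party script an e-skimming injection adds; every hostname
# is made up for the example.
CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v2/sdk.js"></script>
<script src="https://cdn.unknown-host.example/stats.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>...</body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects every <script> tag: external ones by src, inline ones by count."""

    def __init__(self):
        super().__init__()
        self.external = []  # (src, has_integrity_attribute) pairs
        self.inline = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self.inline += 1


def audit_checkout_scripts(html, own_host, allowed_hosts):
    """Flag scripts from hosts outside the allowlist and third-party scripts without SRI."""
    p = ScriptCollector()
    p.feed(html)
    unexpected, no_sri = [], []
    for src, has_integrity in p.external:
        host = urlparse(src).hostname or own_host  # relative src = same origin
        if host not in allowed_hosts:
            unexpected.append(src)
        elif host != own_host and not has_integrity:
            no_sri.append(src)  # third-party script loaded without Subresource Integrity
    return {"unexpected": unexpected, "no_sri": no_sri, "inline": p.inline}


def demo():
    return audit_checkout_scripts(CHECKOUT_HTML, "shop.example",
                                  {"shop.example", "js.payments.example"})
```

Run against a live fetch of your own checkout page on a schedule, a non-empty "unexpected" list is the alert; the inline count is worth tracking too, since a new inline script is the other common injection shape.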

Refund fraud

Some fraudsters will request fake refunds or returns. Refund fraud is a common type of fraud in which businesses are made to refund illegally acquired or damaged goods. It is therefore crucial to train the customer service team not only to detect cyber threats and maintain adequate security standards, but also to verify the identity of customers who request any changes to their orders or accounts.

DDoS Attacks

Distributed Denial of Service (DDoS) attacks can disrupt your website and consequently affect your overall sales. These attacks aim to flood your servers with a huge number of requests until they are overwhelmed and the website crashes. Moreover, you should be aware that criminals have developed small, precisely targeted DDoS attacks that can pass undetected and cause long-lasting damage. Developing a clear, comprehensive DDoS incident response plan and using multi-level protection strategies such as VPN, anti-spam, content filtering and load balancing will help you prevent and mitigate these types of network security threats.

How to protect your business - the checklist

SSL and PCI Compliance

SSL certificates create an encrypted connection between networked devices in order to preserve the integrity of data in transit and defeat man-in-the-middle attacks. SSL can be used to secure confidential information including payment information, system login credentials and other personal data. Once you have an SSL certificate for your e-commerce site, you can move from HTTP to HTTPS, which helps customers recognise your site as secure.

Furthermore, all organisations that store, process or transmit sensitive financial data must be Payment Card Industry (PCI) compliant. PCI refers to the industry operational standards that set out the conditions for safe transactions and credit card data collection. This framework requires every e-commerce platform to follow 12 general data security requirements established by the PCI Security Standards Council. It helps significantly in defeating potential threats such as fraud, and it enhances the security of your business.

The Verizon 2017 Payment Security Report highlighted that 77% of breached companies were not compliant with the number one PCI requirement: install and maintain a firewall configuration. Therefore, web application firewalls should be installed in order to monitor web-based traffic, block malicious software, and keep your website, as well as the customers transacting on it, safe.

Choose a secured eCommerce platform

The eCommerce platform that you use to provide your services must be well secured and include built-in security protocols as well as an effective backup service. However, eCommerce platforms do not provide a malicious bot traffic mitigation strategy, which is crucial for e-commerce businesses to avoid security incidents such as DDoS attacks or account takeovers. It is essential to have the technology to identify and block bad bots. For instance, introducing a CAPTCHA at login makes it more difficult for bots to access your website.

Websites with outdated plugins are also a top target for criminals, so it is essential to update your website regularly. Magento is one of the prime targets for criminals attempting to compromise websites built on unpatched e-commerce platforms in order to inject card skimming scripts on checkout pages, and it therefore releases patches frequently to address these vulnerabilities.

Strict policies

Robust cyber security strategies set clear rules for employees with a focus on integrity, confidentiality and availability. Ahead of busy shopping periods, every business should:

  • Perform checks to ensure the website can handle increased traffic.
  • Review admin-level accounts and privileges and other tools that handle your customers' data.
  • Disable or delete any outdated integrations on your website to make sure only necessary parties have access to your customers’ personal information.
  • Carry out robust checks of your internal processes including the ways your employees view and share customer data between internal and third parties.

Backup your data

Backing up your data will make a huge difference to the recovery process if a data breach occurs. If you fall victim to a ransomware attack, you can avoid paying the ransom by restoring your database from the latest backup and getting your business back up and running quickly.

Ensure your customers use robust passwords

Customers are one of the essential components of a comprehensive cyber security strategy. If your customers use weak passwords that can be easily guessed, or reuse passwords from other sites that have been breached, it can undermine all your efforts to secure your site. It is incredibly important for your customers to use strong passwords that combine uppercase letters, lowercase letters, numbers and special characters where permitted.
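A password can satisfy every character-class rule and still be one attackers already hold from another site's breach, so a registration check should test both. The following added example (not code from the original post) does that with a small constructed "breached" set and a k-anonymity style range lookup of the kind used by Have I Been Pwned's Pwned Passwords service, which the post does not mention; the minimum length of 12 is an assumption.

```python
import hashlib
import string

# Constructed stand-in for a breached-password dataset, stored as SHA-1 hex
# digests the way such datasets usually are. Real ones hold hundreds of
# millions of entries; these three are made up for the example.
BREACHED = {hashlib.sha1(p.encode()).hexdigest().upper()
            for p in ("Password1!", "Summer2019!", "BlackFriday19!")}


def range_lookup(prefix):
    # Server side of a k-anonymity range query: return only the suffixes of
    # breached hashes that share the first 5 hex characters, so the full
    # hash (and hence the password) never leaves the client.
    return {h[5:] for h in BREACHED if h.startswith(prefix)}


def is_breached(password):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def meets_policy(password, min_length=12):
    # The character-class rule from the post, plus an assumed minimum length.
    classes = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and all(classes)


def check_password(password):
    # Both checks must pass before the password is accepted at registration.
    if not meets_policy(password):
        return "too weak"
    if is_breached(password):
        return "known breached"
    return "ok"
```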

If your business could benefit from cyber security advice and tools, get in touch with our sales team today. We have a range of tools designed for small to medium sized businesses, protecting your business in ways antivirus software can’t.