Over the past few years, the number of e-commerce data breaches has risen exponentially, and the increase in both number and frequency shows no signs of slowing down. There are several reasons for this:
First, the number of e-commerce sites continues to increase, which simply means that attackers who are after these systems have more targets to go after. Next, compromising systems is becoming easier through the availability of sophisticated scanning tools that are free, cheap, or cracked by the attackers themselves. Last, and probably the biggest reason, is the payoff: e-commerce sites nowadays store an abundance of personal information, with some sites holding an average of 50,000 to 100,000 personal records in their database. Considering that a single data record sells on the black market for anywhere from a couple of dollars to $25, attackers stand to gain a lot of money from every e-commerce site they manage to breach.
If you’re a website administrator or programmer whose livelihood depends on these e-commerce sites, you’ll want to protect them to the best of your ability. Here are a few tips that will help you do your job:
Encrypt Your Data
Encrypt your data whenever possible. There are people online who can be hired to hack any site, and many of them are skilled enough to break into multinational banks. If you can’t avoid storing sensitive data in the cloud, at least encrypt it.
However, remember that the PCI standards expressly forbid storing sensitive authentication data after authorization, even if it is encrypted, so it is a bit mind-boggling that many e-commerce sites still choose to do so. There is very little good reason to keep all of your customers’ records, especially full credit card numbers, expiration dates, and CVV2 codes. Charge-backs and refunds require only a minimal amount of data, and even if keeping the rest is convenient for your users, the potential damage caused by a breach far outweighs any convenience they can think of. So start modifying your code to stop storing sensitive data, and start purging old records from your database.
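The following is an added example, not code from the original article, showing the data minimisation this tip calls for: it takes a hypothetical payment-processor authorisation response, keeps only the fields a later refund or charge-back needs, drops the sensitive authentication data (CVV2 and similar) together with the full card number and expiry date, checks the result before it would be written, and purges records that are past a retention window. The field names (`pan`, `cvv2`, `processor_token`, etc.), the retention period, and all sample values are constructed assumptions, not anything from a real processor.

```python
# Added example, not code from the original article. Demonstrates storing the
# minimum needed for refunds/charge-backs and purging old records.
# Field names, the processor token, and the sample values are constructed.
from datetime import datetime, timedelta, timezone
import re

# Sensitive authentication data: must never be persisted after authorisation,
# encrypted or not. Key names are assumed; adjust to your processor's response.
SAD_FIELDS = frozenset({"cvv2", "cvc2", "cid", "pin", "track_data"})

# Fields assumed sufficient for refunds/charge-backs. "processor_token" is a
# hypothetical opaque reference the processor returns in place of the card number.
KEEP_FIELDS = frozenset({"order_id", "processor_token", "auth_code", "amount", "currency"})

# A run of 13-19 digits is treated as a probable primary account number (PAN).
PAN_RE = re.compile(r"\b\d{13,19}\b")

# Fixed "now" so the stand-alone run is reproducible (constructed).
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number; the rest is discarded."""
    digits = re.sub(r"\D", "", pan)
    return digits[-4:]


def to_storable_record(auth_response: dict, now: datetime) -> dict:
    """Reduce a processor response to the minimal record we are allowed to keep.

    Everything outside KEEP_FIELDS is dropped, including the full PAN, the
    expiry date and any sensitive authentication data.
    """
    record = {k: v for k, v in auth_response.items() if k in KEEP_FIELDS}
    if "pan" in auth_response:
        record["pan_last4"] = mask_pan(auth_response["pan"])
    record["stored_at"] = now.isoformat()
    return record


def contains_sensitive(record: dict) -> bool:
    """Detective check to run before any write: SAD keys or a full PAN in a value."""
    if SAD_FIELDS & set(record):
        return True
    return any(isinstance(v, str) and PAN_RE.search(v) for v in record.values())


def purge_expired(records: list, now: datetime, retention_days: int) -> list:
    """Return only the records still inside the retention window."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if datetime.fromisoformat(r["stored_at"]) >= cutoff]


# Constructed sample of what a processor might hand back right after authorisation.
SAMPLE_AUTH = {
    "order_id": "A1001",
    "pan": "4111111111111111",   # well-known test card number, constructed input
    "expiry": "12/27",
    "cvv2": "123",
    "processor_token": "tok_constructed_1",
    "auth_code": "00AB12",
    "amount": "49.99",
    "currency": "USD",
}

if __name__ == "__main__":
    safe = to_storable_record(SAMPLE_AUTH, NOW)
    print("raw response holds sensitive data:", contains_sensitive(SAMPLE_AUTH))
    print("stored record:", safe)
    print("stored record holds sensitive data:", contains_sensitive(safe))
    old = dict(safe, stored_at=(NOW - timedelta(days=200)).isoformat())
    print("records kept after 90-day purge:", len(purge_expired([safe, old], NOW, 90)))
```

The `contains_sensitive` check is the part worth wiring into your persistence layer as a guard: if a code change ever starts writing a full card number or a CVV2 again, the write fails instead of silently growing a database you would rather not have to explain after a breach.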
Put in Place Multiple In-Depth Strategies
Build redundancy into your security system: use multiple, overlapping defense-in-depth strategies that support one another and protect different parts of your system against different points of failure.
If possible, employ more than one security team, and hire hackers from outside your own security agency to test your systems. Make sure you get a good one.
Keep All of Your Sites Isolated from Each Other
It’s a really great idea to run a blog, a user forum, and an auction site under the banner of your main site, but if you’re going to do so, segregate them from each other, or at least from the main site. If you keep them hosted on the same server, you run the risk of exposing every one of them to an attack if even a single site is compromised. There are many cases where several sites hosted on a single server were compromised simply because a WordPress plugin on one of them opened them all to intrusion.
Be Vigilant with Updates
This is already common sense if you’re a systems administrator, but it still bears mentioning because a lot of admins still get caught with their pants down. Patch your sites, forums, web apps, etc. regularly. Keep yourself up to date on what’s going on with the services you use; the majority of them will release patches every time a new exploit or vulnerability is found.
Robust Security System and Cyber Insurance
This is not a 100% surefire protection against breaches, but the technology and the industry have matured in the last few years. A typical policy will cover business interruption and damages to the customers who own the data, and these terms are usually customisable. Insurance may not fully protect you from attacks, but it will cover the damages when an attack happens.