But your customers aren’t the only victims in this horror story. When an e-skimming breach hits the news, businesses can suffer significant reputation loss. The government isn’t going to let you off the hook either. Regulatory fines are a common occurrence. For example, regulators in the UK fined Ticketmaster £1.25m (approximately 1.7 million in U.S. dollars) because the company’s website operators failed to notice and halt a Magecart attack that lasted three months and resulted in the theft of data on nine million customers.
And then there is the dreaded Google blacklisting. Google marks tens of thousands of websites as ‘suspicious’ every day because of malware embedded on them. Do you really want your customers to type in your website URL, only to be greeted by the Google message “This site may harm your computer.”?
Ok, I get it. I am ready to become a website security evangelist. Show me the way!
We recommend you start with these 10 steps:
1. Move Security to the “Left”
No. We’re not making a political statement here. On the software development lifecycle (SDLC) continuum, security has historically been an afterthought, i.e., it happened after a website or application had been created or cobbled together from a variety of third- and fourth-party code and applications. Security needs to happen at the beginning of, and throughout, the website and application development process. And just in case you still need convincing, it is considerably more costly to patch bugs and fix issues later in the development lifecycle. An ounce of prevention is still worth a pound of cure!
2. Know Thyself. Identify & Detect
The maxim from the ancient Greek oracle temple at Delphi is inherently appropriate here. It is critical for your business to know what web assets you own and the type of data they hold. You should also engage in some regular “web and system psychotherapy” by conducting deep-dive scans to reveal intrusions, behavioral anomalies, and unknown threats.
4. Patch early and patch often (and keep your software updated for goodness sake!)
The 2020 Magento breach mentioned previously happened because 2,000 online store owners failed to migrate their online website operations from Magento 1 to Magento 2. Updates and patches happen for a reason, folks. If you receive a notice that one of your website’s applications has issued an update, then take some time and install the update!
6. Add a little extra policing. Implement Content Security Policies
A Content Security Policy (CSP) adds an extra layer of defense that can detect and mitigate some types of attacks, such as XSS and data injection, by telling the browser which sources it may load scripts and other resources from. Configure your web server to send the CSP as an HTTP response header. You can also define a CSP using a meta tag within the HTML page.
7. Avoid the drama. Compartmentalize your web applications
Security professionals advise you to split your front-end applications into smaller components, such as public, authenticated, and admin, and to deploy each part on a separate origin (e.g., https://admin.websitename.com). This can help reduce client-side vulnerabilities by limiting the exposure across the application.
8. Eek! Cover up. Don’t expose all your data!
If you have sensitive merchant data that no one needs to see, then make sure you store that data in a unique metafield. Also, if you’re using something like GitHub, remember to keep your API keys out of any repository that is visible to the public.
9. Certify yourself. Use an SSL Certificate for all websites
SSL certificates underpin the protocol that encrypts Internet traffic and verifies server identity. In a nutshell, they are basic website-security 101. They enable website authentication and make SSL/TLS encryption possible. They also enable the website to have an HTTPS web address. Many browsers have started tagging websites without an SSL certificate as “not secure.” An SSL certificate and HTTPS address do not guarantee a website is secure (SSL certificates are easy to obtain, and a malicious threat actor can create a fake or malicious website with an HTTPS address), but having that HTTPS web address and encrypting any customer data sent over the internet does make customers more likely to trust your site.
10. Never give up. Never surrender! (i.e., Stay vigilant)
Cybercriminals don’t give up and neither should you. Make sure to dedicate regular effort to inspection, monitoring, and patching.