How to keep your small business safe from data breaches and hacks

By:  Jennifer Lonoff Schiff

Cybersecurity – and security breaches – continues to be a hot topic. And small ecommerce businesses, especially ones using an open source platform, are particularly susceptible to hacks and breaches. So what can small ecommerce shops do to protect their sites as well as any sensitive (customer) data? Following are 10 suggestions from ecommerce security experts.


1. Educate employees. “Cyberattacks are becoming more and more sophisticated and it’s easy to be fooled by emails, links and attachments that look like everyday business requests,” says Norman Guadagno, chief evangelist, Carbonite. “It only takes one click for malware, viruses and ransomware to in infiltrate your system, compromising important business data.”

So, “the first step in protecting your data from cyber attacks is educating your employees to make sure they’re up to date on the latest methods being used by cybercriminals,” he says. “One of the best ways to do this is by creating real life scenarios to test employees’ ability to detect a phishing email or suspicious links. This will help you gain insight into common mistakes and identify areas for improvement.”

Also consider “hiring a third-party to conduct social engineering or facility breach exercises, [which] can help you understand whether your security policies and awareness programs will actually prevent outsiders from obtaining valuable client information directly from your employees,” says Christopher Roach, managing director & national IT practice leader, CBIZ Risk & Advisory Services.

2. Make sure your hosting company has your back. “Use only trusted providers for your site’s hosting,” says Troy Gill, manager, Security Research, AppRiver, which specializes in email and Web security. “Make sure they take security seriously. For example, do they use encryption?”

3. Use a secure ecommerce platform. “Use a hosted shopping cart,” says Christopher Flemming, principal, “Most hosted carts, like Shopify, Bigcommerce and 3dcart, have gone through PCI compliance audits. Most of them are PCI-DSS Level 1 compliant. And they have a full-time staff patching security vulnerabilities giving you time to do what is most important, market your business.”

4. Deploy SSL encryption. “Ensure all transactions occurring on your website are secure with SSL/HTTPS,” says Dodi Glenn, vice president, cybersecurity, PC Pitstop. “When selecting an ecommerce platform, make sure it can support secure transactions over SSL. This will allow you to conduct financial transactions securely, without risking sensitive information being sent over in plain text.”

Even better, “make sure your entire site is secured with an SSL certificate, not just the payment gateway,” says Nick Leffler, a business branding consultant. “This has the benefit of keeping all user data secure (even their email address) as it passes over the Internet – and Google will be paying more attention to this over time as a ranking factor.”

5. Make sure your ecommerce site is PCI DSS compliant. “Any ecommerce business that processes, stores or transmits payment-card data needs to comply with the PCI DSS (payment card industry data security standards),” says Roach. “Complying with PCI DSS protects a merchant against digital data security breaches across their entire payment network, not just a single card. Using a QSA-certified company to help you comply with PCI DSS standards can help augment your resources, but make sure to evaluate the completeness and accuracy of their testing,” he says. “Failure to comply can result in penalties and fines if a data breach does occur on your end.”

6. Utilize Web Application Firewalls (WAFs). Ecommerce businesses should “utilize WAFs to protect their site from various attacks, such as Cross Site Scripting, Denial of Service or brute force attacks,” says Glenn. “Several companies offer WAF protection for little to no money. [And] configuration of the WAF can be done in a matter of minutes.”

7. Have employees regularly change their passwords. Require “admins to change their password often,” says John Arroyo, CEO, Arroyo Labs, a digital agency. “Most hacks are socially engineered and/or due to weak passwords. Require strong passwords and force them to be changed regularly. This is a low cost method to stay secure.  Magento Enterprise, for example, has a password lifetime feature. Set it to 90 days or less.”

“Having non-repeatable passwords with certain conditions – upper case, with a special character and number – is key,” adds says Anthony Julien, director IT at Dupray, which sells steam cleaners and steam irons.

Also, “don’t store passwords,” says Mike Baukes, cofounder & co-CEO, UpGuard, a cybersecurity company. “If you absolutely must have user accounts in an application you’re building, don’t store passwords if you can help it. Use an authentication protocol called OAuth from a trusted provider with two-step verification like Google, Facebook, Twitter, etc.”

8. Use multi-factor authentication. “Multi-factor authentication adds an extra layer of security to your WordPress ecommerce site, toughening it up against brute force botnet attacks and similar threats,” says Brett Dunst, vice president, Brand and Community, DreamHost. “It’s easy to implement, too. For example, this plugin lets you implement Google Authenticator, so that logging into your site will require your password and verification via your personal mobile device.”

9. Keep up-to-date on security patches, especially for open source platforms (such as WordPress and Magento). “Nearly a quarter of all websites are built on the WordPress platform,” says John Macaulay, cofounder & chief content strategist, BizZen Canada. “However, it’s open source, meaning that without the proper precautions, a WordPress website is at risk of security issues. To mitigate these risks, an SMB needs to ensure that they or their Web guys always update the site and all plugins to their latest versions,” he explains. “As well, install a premium security plugin on the site. And just in case something does go horribly wrong, regularly backup the entire site to off-site cloud storage, [which] can be automated.”

“If your ecommerce site is built on a common open source platform such as Magento, make sure that your developer is scheduled to conduct security patch updates every single month,” says Bart Mroz, CEO, SUMO Heavy, a digital commerce consulting firm. “It’s easy to let your website run on autopilot, only fixing problems as they occur, but in today’s world where there are new vulnerabilities popping regularly, be proactive and stay up to date with the latest security patches to ensure the security of your ecommerce website.”

10. Make sure to back up your site regularly. “Back up your data in two places,” says Matti Kon, founder & CEO, InfoTech, a software development company and systems integrator. “Back up data on a hard drive as well as in the cloud. If the hard drive crashes [or there’s a fire or flood at your office or facility], you can still retrieve your data in the cloud.” Also, be sure to “regularly schedule data backups on both the hard drive and the cloud to maintain the safety of your businesses information.”