Around the time at which Amazon assumed its position at the top of the ecommerce mountain, the average online shopper had become extremely relaxed about distance selling. After all, it had evidently been turned into a reliable and hyper-efficient process, and there didn’t seem to be anything to worry about — but that naive optimism didn’t last.
This change in perspective can be attributed to three things in particular:
- A host of high-profile data breaches, including the 2014 attack on eBay that compromised 145 million user accounts, as well as the embarrassing breach of the Adult Friend Finder service in 2016.
- A general rise in technological awareness as all generations — young and old — steadily became more accustomed to using the internet (and began to better understand what can go wrong).
- The implementation of GDPR (the EU’s General Data Protection Regulation) in May 2018, which brought a lot of attention to questionable data-storage practices.
Consequently, shoppers today are significantly more concerned about how their data is stored and protected, and ecommerce brands must respond or see their reputations tarnished. Here are some general tips for how suitable adjustments can be made:
Follow best in-house security practices
There isn’t much use in finding clever ways to protect data in the cloud if you’re going to undermine that security by being extremely lax with how you handle it in your office. Something as simple as leaving an admin password on a post-it note stuck to a computer display can allow an enterprising criminal easy access to your system. One of our ethical hackers was able to gain entry to a client’s system during a penetration test by simply seeing an employee type in a password. The first level of security is physical and involves ensuring that only employees are permitted into the office, or that visitors are either escorted and/or have their access limited to sensitive areas.
You should actually strive to achieve a paper-free office. These days, there’s no need to have anything printed out, and going paper-free will ensure that your customer data (and company data, of course) remains safe even if your premises get invaded. The weakest link in an organisation’s security is typically their employees and their poor understanding of security measures. A paper-free office will literally reduce the paper trail.
There’s also the matter of training staff members on when it is appropriate to discuss customer details and what details should never be shared, whether in or outside of the office. Discretion is essential. When people are trusting you with their data so you can provide them with a service, it’s wholly inappropriate to treat that data as fodder for everyday conversation, even with members of your own organisation who simply don’t need to know.
Ensure platform regulation compliance
Whether you’re running a self-hosted store using an open-source CMS or using an all-encompassing service that’s hosted for you, you need to ensure that you can rely on your platform to resist intrusion. That calls for carefully vetting your providers before you commit to them, looking at their security records, adherence to regulations, and update schedules. Regularly updating your applications, whether it be your CMS system, your WordPress site, or even your operating system, is the best way to make sure vulnerabilities are patched.
When choosing an open-source CMS, popularity is a double-edged sword. The higher-profile the platform, the more battle-tested it will be (and the larger budget it will have for security testing), but the more attractive it will be to criminals. Something like Magento’s open-source version is well-regarded on the whole, but the inability to force updates causes issues — for example, a major vulnerability was identified earlier this year. If you take that route, be extremely careful, and bring on a security firm to ensure continued safety.
Using a hosted service is far safer overall, because your software installations (being stored in the cloud) can be easily updated. You lose some customization options, admittedly, but aside from that it’s all positive. A polished system will meet all 6 levels of PCI DSS compliance — Shopify notably maintains that standard even while allowing extensive cross-channel sales — so do your research to confirm that a system is worth investing in before seriously considering migrating your store.
Identify vulnerabilities with penetration testing
If you’re unsure about the quality of your current system, and you don’t know what to make of the security claims you find, there’s something you can do to get a better idea of how it would stand up to an attack: subject it to a test attack. By getting an expert security company to comprehensively test the security of your website, you can form a solid understanding of where your strengths and weaknesses lie. Penetration testing comes in many formats that can be bundled or pared down to suit your needs. A simple vulnerability scan from a security testing company can already give you a clear indication of your vulnerabilities, for less investment than a full penetration test.
The results may show that you’re in a decent position but could make some minor tweaks, or even that your CMS is woefully behind the times and needs to be replaced. Regardless, it’s the only way to know for sure if your website is vulnerable without actually falling victim to a devastating cyber attack (the testers won’t actually steal any of your data, of course). If it is, you can make suitable adjustments before returning to your regular operations and proceeding with great confidence that your protection is robust.
For small businesses, particularly ones that store valuable customer data like credit card information, ransomware attacks have increased exponentially in recent years. A ransomware attack involves an attacker breaking into your system, encrypting your data, and holding it hostage until you pay a ransom fee. It’s a common attack that can easily be prevented by implementing security best practices and contacting a security testing company.
Keep customers apprised of data use
GDPR is now in effect, binding a lot of companies based in the EU (or selling to EU customers) to meet various requirements. Even if you exclusively work with non-EU customers, it’s still a good idea to keep your customers informed about everything you’re doing with their data.
There are two reasons for this. First, talking about your data use with customers means you have invested the time to document what acceptable GDPR practices are, and therefore that you have changed your practices to suit. Second, knowing what’s happening with their data will make it easier for customers to choose you as a reliable provider. Instead of viewing you as just another random web shop, customers will gain a great sense of your legitimacy through how you explain and implement the protection of their data, leading to greater sales and loyalty.
Of course, you’ll need to ensure that you can fully justify collecting and using the customer data you request. If you inform your customers of everything you store, and they can’t discern a legitimate reason for you to collect that much, they’ll feel exploited or suspicious. Honesty is the best policy, yes, but only once you’ve got your house in order.
Protecting customer data isn’t simply about keeping your existing customers around — it’s also about safeguarding your company reputation, not to mention avoiding a hefty fine for failing to protect customer data properly. If people come to feel that you’re not invested in treating personal data with suitable care, they’ll view your brand as indifferent and switch to your competitors. Follow these steps to improve your data handling, and your customers will appreciate it.
MicroStartups is a business community that celebrates inspiring startups and small businesses, solopreneurs, and entrepreneurs. Whether you’re a solopreneur or a startup making your way in the business world, we’re here to help. For the latest news, inspiring stories and actionable advice, follow us on Twitter @getmicrostarted.