7 Smart Ways to Secure Your E-Commerce Site

Especially if your e-commerce and CMS platforms are integrated, you risk multiple potential sources of intrusion, and the integration points themselves may be vulnerable to attack.

Chances are your business has both an e-commerce platform and a content management system. Perhaps they're one and the same. Together, these technologies drive your business, empowering customers, sales staff, and partners. The content management system (CMS) gives them information; the e-commerce platform handles transactions. Easy.

However, these technologies can also be a target, providing everything that a bad actor wants, from trade secrets (such as inventories and price discount sheets), lists of partners and suppliers, discount codes, and even sensitive information about customers.

Whether your e-commerce platforms and CMSes are combined in an all-in-one comprehensive suite, or are disparate systems integrated together, the risks and potential weak spots are mainly the same. If you have integrated e-commerce and CMS platforms, not only does your tech now have multiple potential sources of intrusion, but the integration points themselves may be vulnerable to attack, or at least to snooping. If you have an all-in-one system, a single exploited vulnerability or phishing-enabled breach could give cybercriminals everything in one fell swoop.

For this discussion, let's assume that your company follows well-established cybersecurity best practices, such as applying patches and fixes to operating systems, applications, drivers, and libraries. Failure to make these updates in a timely fashion is a leading cause of breaches. Also, let's assume you employ state-of-the-art encryption for data in transit, and change all default access and admin passwords for your servers, routers, and services.

With that as a baseline, let's talk about seven specific steps that are particularly well-suited to CMS and e-commerce platforms.

Gather the Least Amount of Customer Information Possible

Then be careful where (and how) you store that data. If you steal customer credit card numbers or medical information, the market impact, civil lawsuit penalties, and adverse publicity could put you out of business. Oh, don't forget HIPAA and GDPR fines, depending on what and where your data is stolen.

Careful What You Store On Internet-Facing Servers

Yes, your e-commerce platform needs to be aware of inventory levels and pricing discounts in order to facilitate e-commerce. What if competitors can retrieve that information in a tidy bundle? They might be able to use your business data against you.

Monitor Lists of Zero-Day Threats and Other Vulnerabilities

You can start with the one published by organizations like the Cybersecurity & Infrastructure Security Agency. It's not enough to receive threat-assessment reports, of course. They need to be read and acted upon. An issue with a very large impact appeared, for example, in the popular Log4j library not long ago. Every organization that uses Log4j needed to update to version 2.16 or later immediately. Is there someone in your organization responsible for knowing about that sort of incident? If not, there's a vulnerability right there.

Use Penetration Testing Tools and Services

No matter whether your software is off the shelf, tailored by consultants, or homegrown, you don't know how secure it is unless you test, test, test. Conduct pen tests regularly and thoroughly; not only do systems become less secure if not maintained properly (see the first point), also your service landscape changes and attackers are becoming more sophisticated as well. If you haven't pen tested recently, or used a white-hat firm to assess your defenses, you don't know what you don't know.

Vet Software Suppliers, and Insist They Follow Secure Coding Practices

If you are using cloud services, examine those carefully. Consider everything. For example, the CMS company I work for is certified at the highest level for its security practices, conforming to ISO 27001 security protocols. These protocols include regular code reviews, strict access control, anomaly detection and rigorous security testing. You should expect nothing less from every supplier.

Check With Banks, Payment Processors to Ensure You're Doing It Right

There are many practices for working with ACH transfers and credit-card payments. Some of these appear obvious, such as using CVV values on credit cards, and verifying that shipping addresses match the bank account's address — but e-commerce platforms may not enable those extra levels of validation by default. I would also highly suggest using a service that specializes in payment transactions. These services will be certified according to PCI DSS requirements and you can focus on your core competencies.

Log Everything and Analyze Those Logs for Anomalies, Attack Patterns

Every transaction, every privileged login to the CMS or e-commerce platform, every error caused by someone entering a bad password, should be logged. Don't trust humans to be able to understand those logs, by the way; modern-day attacks can be both fast and subtle, and there's too much data to correlate for patterns. Use machine-learning tools to monitor events and logs, and as in the fourth point above, make sure someone is responsible for receiving, reading, and following up on those reports.

Follow these seven steps, and your CMS and e-commerce platforms will be more secure and more trustworthy than ever before. Are these steps reasonable? Yes. Are they easy? Once systems are in place to work safely and run securely, yes. Your customers, suppliers, and partners want your systems to be safe. Let's get to work.

Editors' Choice
Haris Pylarinos, Founder and CEO, Hack The Box
Robert Lemos, Contributing Writer, Dark Reading