The security and vulnerability of your ecommerce ecosystem is a critical risk to your project.
Security breaches and vulnerability attacks by robots and malicious individuals trying to hack the site are constant threats to online retailers. Most commonly, the key target of their activities is stealing credit card and financial data. However, more and more often there are cases where website transaction data, customer data and product data are being compromised or stolen by these parties. Any website design and infrastructure has vulnerability, and it is critical that these are tested at different stages of the project. In most cases, independent security and vulnerability tests are recommended, as neither you nor your developer are likely to have the expertise or currency of skill in this area. It’s a highly specialised skill set that evolves constantly.
1. Do you have a security or vulnerability test planned for your project? This is a pretty imperative part of your project and should be well accounted for in your timeline and budget. Get an independent security-testing agency on your team for peace of mind.
2. Do you have a security and vulnerability policy for your business that outlines acceptable levels of risk and business continuity? The lower the level of risk your site achieves, generally, the higher the cost to run it. Determine your acceptable level of risk and viable investment
3. Do you have a user access control policy? One of the most significant risks to a business is poor user access control where someone who shouldn’t have access under the hood of the site does, either because they’ve left the business or they no longer require access as part of their job. Be clear on who has had administration access to all parts of your site and ecommerce platform, both inside and outside your company, and review this regularly.
4. Have you considered PCI compliance and looked at credit card data security as part of your design and build? PCI compliance is an issue most ecommerce sites handling payments need to face. Becoming PCI compliant is quite involved and can add significant time and cost into your project. Talk about this early on in your project, and be aware of additional testing it may require through the setup and deployment of your website.
5. Do you understand the vulnerabilities of hardware, operating systems, software and platforms in relation to the risk profile of your business? The technical architecture of your solution contributes to its overall risk. Be sure to assess alternatives and choose wisely. Record any known risks in your risk register.
6. Do you understand the consequences of a security breach, and have you quantified the potential commercial damage? Business continuity, brand reputation and potential legal risks need to be quantified as part of your risk register,Â and to help plan the appropriate responses.
7. Do you have a business continuity plan and disaster recovery plan in the case of a security and vulnerability breach, and do you have a plan of action to react to this situation? Security and vulnerability breaches can have a significant commercial and PR effect. Be sure to have an action plan to help respond to these scenarios.
8. Are you under a service level agreement with your developer so that they can react after hours to a security breach? Depending on the size of your business and the markets you service, response to issues outside of business hours may be required. Be prepared to negotiate this, and allow the required budget.
9. Do you have a plan for a Denial of Service attack (DoS)4? DoS attacks commonly involve saturating a site with external communication requests to the point that it can’t respond to legitimate traffic, or it makes the site run so slow it’s essentially unusable. In this scenario the server becomes overloaded and falls over. There are a number of ways you can try to prevent a DoS attack, but if you are the target of one, you’ll need a defensive plan ready to roll. Talk this through with your developers and infrastructure teams.