Top five security tips

Frederik Vig 9/9/2018 10:00:00 PM

If you don't secure your online store with an SSL certificate, you may be penalized for your visibility in Google. Here are the tips you need to follow in order to be successful in e-commerce.

- Having a secure digital commerce solution is actually far easier than many people might think. At the same time, it can be completely devastating if you don't do this job properly. Targeted attacks, but also pranks can actually run a medium-sized online store to the ground. Too few Norwegian online stores have thought about it, says the experienced security expert and one of the founders of the international consulting company Geta, Frederik Vig.

Geta is an e-commerce company, and works with advisory and development services and analysis both in Norway and internationally.

"A lot of companies have things in order, but the vast majority, especially among small and medium-sized businesses, should take steps to get to an acceptable low security risk," says Vig.

Here are his top five safety tips for online stores:

1. Encrypt the entire online store with an SSL certificate

All webshop pages, not just the payment page, must be encrypted. This means that the URL should start with https://, not just http.

Google will now remove the green padlock in its browser, Chrome, which currently marks HTTPS pages. They would also like to alert the user to pages that are unsecured with a clear, red warning. This may mean that users will more likely navigate away from unsafe websites. Google will also "punish" online stores that do not have SSL certificate with lower visibility in search.

2. Use a Content Delivery Network (CDN)

The CDN is actually a geographic system of servers that together provide the fastest possible delivery of internet content. At the same time, CDN can also protect you against so-called service attacks (DDOS) or other unwanted downtime for your system, which can be caused by a heavy traffic increase to the site.

So-called service attacks have grown in number and size in recent years. The most common thing is to flood the site with traffic until it almost breaks and stays down. Most DDOS attacks are economically motivated.

3. Install a web firewall

A web firewall is a firewall to protect your web server. It protects you, among other things, against BOTs (small computer programs that are made to perform a task on a regular basis) and other malicious traffic that comes to the online store via internet traffic.

A web firewall is as important to the webshop as a personal firewall is for your own PC security. BOTs can do anything from creating artificially high or low traffic and giving you fake statistics on the user pattern to reserving good on a large scale and ruin inventory management.

A web firewall protects you, among other things, against so-called SQL injections (attacks to retrieve information from your databases), cross-site scripting (script that can forward users to malicious websites or steal cookies) and cross-site forgery attacks (the user is advised to changing password or something like that).

4. Have routines for updating and processing sensitive information

Many online stores have some old servers in their systems that have not received the latest security updates. Therefore, be sure to keep them up to date and create good routines so that you always know where sensitive information is. A lot of companies have bad routines for both updating and processing data. Too much data is stored on bad FTP servers or less secure cloud solutions. This has become particularly important with the EU's new rules for processing personal data, GDPR. If you do not have routines for this now, you can risk major fines.

5. Create routines and technology that will protect you against fake emails

The vast majority of attacks against Norwegian businesses are done via fake emails. Therefore, make sure your employees have solid digital skills and know how to tell a fake email from a real one. There are already several improvements that technically reduce the possibility of fake email coming through the system. Standards like SPR, DKIM and DMARC are invisible to end users, and are recommended by for example the National Security Authority of Norway. Both Gmail, Yahoo and serveral other major email providers are already using these standards.