As organisations move to an e-commerce platform, existing and potential customers have serious concerns about web security. They hear every day about ransomware and malware attacks, theft of user data and other threats to their security and are naturally fearful. They worry about the security of their financial data and if their transactions are processed securely.
These concerns can lower the take-up of online commerce.
To be sure, security is a shared responsibility: users need to behave in a practical, common-sense way, and organisations need to put security measures in place to allay their fears.
For website hosts, Web Security can be a complex and confusing affair with obscure concepts and convoluted solutions. However, there are some basic principles and practices that can be observed to reduce risk and provide security.
Here are four very simple ways that an organisation can help to improve its Web Security.
Make your host a secure host
In the past, all web browsers used plain HTTP to talk to the remote host they wanted to reach. However, this is not secure, and in most cases it has been replaced by HTTPS, which denotes a secure connection. Users must check that the website they visit has an HTTPS prefix and that their browser displays a lock icon in the address bar. Similarly, website owners must ensure that the web host is a secure host operating the HTTPS protocol.
Browsers such as Edge and Chrome flag sites without a valid HTTPS certificate as insecure and present a warning page that will deter visitors and, for e-commerce sites, potential clients.
In short, website hosts need to make sure that access to their host is controlled, managed and secure. For example, keep your host a clean host: back up and then delete files, databases and old applications that are no longer used. This releases storage space and removes possible entry points that are not monitored as closely as active systems and data.
Keep up to date with current threats and continually monitor your website host for unusual activity. Back up systems and data to a remote server.
Secure access with encryption
Part of the secure host profile is to ensure that all connections are made using a secure access protocol at the very least. This makes sure that all information transmitted between the user and the host is encrypted, and therefore passes securely over the connection. SSL or, better, TLS encryption must be established during the connection process to help prevent hackers from intercepting login credentials and other sensitive data such as credit card numbers.
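The two points above (a host that only serves HTTPS, and a connection that negotiates modern TLS) can be checked from the outside. The script below is an added example written for this article, not code from the article or any product it mentions: it builds a client context that refuses anything below TLS 1.2 and verifies the certificate chain and hostname, opens a live connection, and turns the negotiated protocol and certificate expiry into a short list of findings. The `fetch_tls_facts` call is a real network connection; the `findings` function works on plain dictionaries so the policy part can be run offline. The 30-day expiry threshold and the host name in the usage block are assumptions.

```python
import socket
import ssl


def make_strict_context() -> ssl.SSLContext:
    """Client-side context: system CA store, certificate and hostname verification, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def cert_time_to_epoch(cert_time: str) -> int:
    """Convert a getpeercert() time string such as 'Jun  1 12:00:00 2030 GMT' to Unix seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def days_until_expiry(not_after: str, now_epoch: int) -> int:
    """Whole days between now and the certificate's notAfter; negative once it has expired."""
    return (cert_time_to_epoch(not_after) - now_epoch) // 86400


def fetch_tls_facts(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and report what was negotiated (live network call)."""
    ctx = make_strict_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(), "not_after": cert["notAfter"]}


def findings(facts: dict, now_epoch: int, min_days_left: int = 30) -> list:
    """Turn negotiated facts into a list of things to fix; an empty list means the host looks fine.

    With the strict context above a legacy protocol would already fail the handshake,
    but facts gathered by another scanner may still carry TLS 1.0/1.1, so the check stays.
    """
    problems = []
    if facts["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"legacy protocol negotiated: {facts['protocol']}")
    days = days_until_expiry(facts["not_after"], now_epoch)
    if days < 0:
        problems.append("certificate has expired")
    elif days < min_days_left:
        problems.append(f"certificate expires in {days} days")
    return problems


if __name__ == "__main__":
    import sys
    import time

    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed default host
    try:
        facts = fetch_tls_facts(host)
    except (ssl.SSLError, OSError) as exc:
        # A handshake failure here already tells you the host is not a secure host.
        print(f"{host}: TLS connection failed ({exc})")
        sys.exit(1)
    print(host, facts, findings(facts, int(time.time())) or "OK")
```

Run it as `python check_tls.py shop.example` (assumed file and host names). A host that only answers on port 80, presents an expired certificate or cannot complete a TLS 1.2+ handshake fails before any page is fetched, which is exactly what a visitor's browser will report as "not secure".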
Another option to consider is 2FA, two-factor authentication. A common implementation, once the login credentials have been validated, is to require a one-time password (“OTP”) before proceeding. The OTP can be sent to a phone number or email address held in the user profile. It is essential for e-commerce and financial websites where financial data will be held.
Monitor access rights and credentials
It’s all very well to put barriers up to prevent unauthorised access to systems and data. They are useless if the enemy is already inside the gates. There are several key matters to be addressed here:
- Ensure all access is via login credentials with users required to use or create a user profile before proceeding into the website. In many cases, this must include 2FA.
- Deactivate user credentials that have not been used in a set period, say three months. Delete them after another period of inaction.
- Demand strong passwords and require them to be changed regularly.
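The three list items above are one housekeeping job that can be scripted. The block below is an added example, not code from the article: it audits a constructed set of user records against the stated rules (deactivate after about three months idle, delete after a further period, require 2FA, enforce strong passwords and rotation). The 180-day deletion period, the 90-day password age, the 12-character minimum and the tiny common-password denylist are assumptions chosen for illustration; only the three-month deactivation figure comes from the article.

```python
from datetime import datetime, timedelta, timezone

# Policy knobs. DEACTIVATE_AFTER follows the article's "say three months"; the rest are assumed.
DEACTIVATE_AFTER = timedelta(days=90)
DELETE_AFTER = timedelta(days=180)       # measured from last login, applied to already-deactivated accounts
PASSWORD_MAX_AGE = timedelta(days=90)
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}  # constructed denylist


def password_meets_policy(password: str, min_len: int = 12) -> list:
    """Return the reasons a candidate password fails the policy; an empty list means it passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no symbol")
    return problems


def audit_accounts(accounts: list, now: datetime) -> dict:
    """Sort accounts into the actions an administrator should take.

    Inactive accounts past DELETE_AFTER are deleted; active accounts past DEACTIVATE_AFTER are
    deactivated and get no further checks; the remaining live accounts are checked for
    password age and 2FA enrolment.
    """
    actions = {"deactivate": [], "delete": [], "force_password_change": [], "require_2fa": []}
    for acct in accounts:
        idle = now - acct["last_login"]
        if not acct["active"]:
            if idle >= DELETE_AFTER:
                actions["delete"].append(acct["user"])
            continue
        if idle >= DEACTIVATE_AFTER:
            actions["deactivate"].append(acct["user"])
            continue
        if now - acct["password_set"] >= PASSWORD_MAX_AGE:
            actions["force_password_change"].append(acct["user"])
        if not acct["mfa_enrolled"]:
            actions["require_2fa"].append(acct["user"])
    return actions


# Constructed sample data: a fixed "now" so the audit is reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


SAMPLE_ACCOUNTS = [
    {"user": "alice", "active": True,  "last_login": days_ago(5),   "password_set": days_ago(10),  "mfa_enrolled": True},
    {"user": "bob",   "active": True,  "last_login": days_ago(100), "password_set": days_ago(100), "mfa_enrolled": True},
    {"user": "carol", "active": False, "last_login": days_ago(200), "password_set": days_ago(200), "mfa_enrolled": False},
    {"user": "dave",  "active": True,  "last_login": days_ago(1),   "password_set": days_ago(120), "mfa_enrolled": False},
    {"user": "erin",  "active": False, "last_login": days_ago(95),  "password_set": days_ago(95),  "mfa_enrolled": True},
]

if __name__ == "__main__":
    for action, users in audit_accounts(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{action:22s} {users}")
    print("weak password:", password_meets_policy("password123"))
```

Run nightly against the real user table, the `actions` dictionary is the work list; `erin` appears in no list because she is already deactivated but has not yet been idle long enough to delete, which is the two-stage behaviour the article asks for.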
Keep software up to date
New malware threats and attack vectors appear every day. Your anti-malware software must be kept up to date. Regular updates, often hourly, of malware signature files and of the detection software itself are an essential part of creating an effective Web Security environment.
It’s not just your anti-malware software. Operating systems and application software also develop security flaws, sometimes introduced inadvertently by an update, that a hacker could exploit. Patches and updates must be applied as they become available.
Web Security is not rocket science. It just requires good tools and practices and constant vigilance. A good backup/restore policy also helps when, not if, the site is hacked.