Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

4 Lessons For Small Ecommerce Stores Trying To Improve Security

Home
Industry Insights
4 Lessons For Small Ecommerce Stores Trying To Improve Security

Blog Article Published: 12/04/2020

By Rodney Laws, Editor at Ecommerce Platforms

Security is tougher for small ecommerce stores. They don’t have weighty budgets allowing massive investment — and while they’re less likely to be targeted owing to their relative lack of popularity and revenue, their appeal lives in vulnerability. After all, it’s better to attack a helpless minnow if you lack the weapons to take down a shark.

So what are such stores to do? Neither ignoring security as a priority nor breezily funding ideal safety measures is a viable option. The smart path ahead involves a more delicate approach with the investment of time and money in some key areas. In this post, we’re going to succinctly run through four security lessons that every small ecommerce seller must learn. Let’s begin.

Focus on human-based security first

What do I mean by this? It’s simple enough: the weakest link in an online operation’s security tends to be the people running it. You can forge a web fortress, but it won’t stop anyone if you happen to leave the drawbridge down and the front gate open. The biggest concerns here are passwords (despite the rise of passwordless authentication) and information protection.

Everyone with any level of admin access to a store needs to know how to set and protect a strong password (e.g. using enough characters, changing it semi-regularly, not choosing a word that someone might easily be able to guess). They must also know how to be responsible with how they talk about the store: if someone approaches them in an effort to glean information through social engineering, they have to refrain from disclosing anything significant.

Never rely on customer knowledge

Consider what the average buyer is likely to have learned about website security in their travels: to be clear, not that much. It’s easy to think that young people don’t need to be told about such things because they grew up using the internet, but that doesn’t necessarily mean much. In truth, a typical young adult’s “security” research might consist of the following:

...And that’s it. Why would they see the need for anything more? They’ve probably never dealt with major online issues, knowing the internet as a convenient and safe place. In other words, they’ve yet to see how badly things can go wrong — and the onus is on you to change that by providing information about how to use the internet safely.

The thought leadership will work to your credit and give you the chance to extol the strengths of your security system (strengths that would otherwise go unnoticed).

Promptly install relevant updates

“Updates are available”, explains the system, but it isn’t a good time so you delay them until later — at which point you delay them again. This is a common problem, and one that strongly undermines efforts to keep online stores secure. This is due to the inevitable prevalence of system vulnerabilities.

As developers prod at their systems to see what happens (and hackers target them), issues are always identified, and they need to be patched immediately. Once an exploit is common knowledge, myriad people will attempt to use it. Skipping updates will instantly make a store markedly less secure — so it’s essential to install them as rapidly as is practical.

Keep plugin use at a minimum level

Plugins are highly useful for ecommerce, but every plugin you install adds a point of vulnerability to your overall system. It’s normal for a key plugin to require admin access to operate, of course — so if someone who can’t access your system directly can get into the plugin, they can exploit that access to cause some major damage.

If you must use plugins, avoid the biggest culprits: choose those from acclaimed developers and check to see that they’re updated regularly. And if you ever stop needing to use a plugin, deactivate and uninstall it to get rid of that point of weakness. The fewer points of entry you maintain, the better.

Startups

Share this content on your favorite social network today!

Latest from CSA
AI Summit at RSAC 2024
The State of AI and Security Survey Report
Data Resiliency Survey 2024
Trending This Week
#1 What is the Cloud Controls Matrix (CCM)?
#2 Zero Trust and AI: Better Together
#3 Test Accounts: Another Compliance Risk
#4 AI Safety vs. AI Security: Navigating the Commonality and Differences
#5 Is PQC Broken Already? Implications of the Successful Break of a NIST Finalist
Enhance your cloud security skills with CSA's online training options.
Related Articles:
Startups Don’t Need Cyber Security (Or Do They?)

Published: 08/07/2023

4 Important Compliance Management Tasks for Startups

Published: 11/28/2022

Cloud Security for SaaS Startups Part 2: Application & Platform Security

Published: 05/03/2021

A New Resource for API Security Best Practices

Published: 04/30/2021