Retail Sector – Protect your website from cyber criminals

Like most retail companies currently operating in the region, I imagine that you’ve got a really good website: loads of content with great pictures and descriptions of stock, and a simple interface for your customers to select and purchase whatever you sell. The reality is that retail is only going one way – and that is an increasing share of the market moving to online sales. This has partly been pushed by the restrictions of the pandemic but also reflects the modern consumer’s desire to purchase online. But if you operate a website you need to be aware of the risks that you face from cyber-attacks.


Types of attacks

Retail websites remain popular targets for criminals because of the way that they are set up and the valuable customer finance data that can be obtained. And cyber-enabled fraud within the retail sector only adds to the scale of the problem for eCommerce sites, which also have to deal with potential ransomware and DDoS attacks as well.

1. Phishing.

Phishing remains the most common method by which cyber criminals get into eCommerce networks. As is well understood, it is a type of social engineering and refers to methods used by attackers to trick victims — typically via email, text, or phone — into providing private information like passwords, account numbers, social security numbers, and more.


2. Malware and ransomware.

When your device or network becomes infected with malware or ransomware you may be locked out of all your important data and systems. Downtime is expensive, but regular backups of your site data can help keep this from being a devastating blow to your business. And by not clicking on suspicious links or installing unknown software on a computer, you can be better protected against attacks.


3. SQL injection.

You may be at risk of an SQL injection attack if your ecommerce site passes what a visitor types (a search term, a login field, an order reference) into its SQL database queries without proper validation. A malicious query smuggled in that way can give the attacker access to view and even manipulate any information in the database.
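The difference between an injectable query and a safe one, as an added example that is not from the original article: a constructed in-memory product catalogue is searched first by pasting the shopper's term straight into the SQL text, then with a bound parameter (the table, products and search term are all made up for the illustration).

```python
import sqlite3


def make_catalogue() -> sqlite3.Connection:
    # Constructed stand-in for a shop's product table (example data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price REAL, published INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("red scarf", 12.0, 1), ("blue hat", 15.0, 1), ("unreleased coat", 80.0, 0)],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    # The shopper's term is spliced into the SQL text, so the quotes that should
    # fence it off from the query can be broken out of and the WHERE clause rewritten.
    sql = f"SELECT name FROM products WHERE published = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn: sqlite3.Connection, term: str) -> list[str]:
    # The term travels as a bound parameter: the database treats it purely as data
    # and it can never change the structure of the query.
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    conn = make_catalogue()
    crafted = "' OR 1=1 --"  # constructed input that closes the quote and comments out the rest
    print(search_vulnerable(conn, "hat"))        # ['blue hat']
    print(search_vulnerable(conn, crafted))      # every row, including the unpublished product
    print(search_parameterised(conn, crafted))   # [] because it is just an odd search term
```

The same crafted input is harmless against the parameterised query, which is the change a developer or website company should make wherever user input reaches the database.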


4. Cross-site scripting (XSS).

XSS involves inserting a piece of malicious code (typically JavaScript) into a webpage. Unlike some other kinds of attacks, this one doesn’t impact the site itself, but it would impact the users of that page — i.e., your shoppers — exposing them to malware, phishing attempts, and more.


5. E-skimming.

E-skimming refers to a method of stealing credit card information and personal data from payment card processing pages on ecommerce sites. Attackers gain access to your site either via a successful phishing attempt, brute force attack, XSS, or third-party compromise, then capture in real time the payment information your shoppers enter into the checkout page.


Some of these attack methods are fairly technical – if you are unclear about whether your retail website is vulnerable, speak to a member of the Eastern Cyber Resilience Centre about getting a vulnerability assessment. With prices starting from £100.00 plus VAT it’s not as expensive as you think and could save you thousands of pounds in the future. Have a look at what it entails - https://www.ecrcentre.co.uk/remote-vulnerability-assessment.


Recommended best practices

You should be looking at enhancing your cyber resilience by carrying out the following measures:

  • Implement strong, unique passwords — and help make sure your customers do, too.

  • Consider using a password manager.

  • Protect your devices – update your software and enable anti-virus on your networks.

  • Protect against social engineering attempts and make sure that your staff are aware of how they can protect their personal information.

  • Implement additional authentication factors: use MFA to protect your valuable data.

  • Only store the customer data that you need. Less is more. And remember if you lose your customer’s data your company may be liable to fines or worse.

  • Make sure your site is always up to date and patch vulnerabilities as soon as you are notified of them.

  • Switch to HTTPS to host your site. This helps to secure your site and sends a positive message to your customers that you are looking after their data.

  • Back up your data regularly. Store the back-up offline and ensure you can access it when you need to.

What next?

The impact of a successful attack against your website can be catastrophic and lead to website downtime, loss of business and loss of reputation. In the worst cases it can lead to the closure of the business altogether. But all is not lost.


So, what can I do?

Here at the centre, we would advise you to do the following now:

1. Join our free core membership. You will be supported through implementing the changes you need to make to protect your business and your customers.


2. We would also recommend that you speak to your MSP and / or website company to discuss how they can implement cyber resilience measures on your behalf.


3. Join us at our webinar at 11am on Thursday 27th January to find out what steps you can take to secure your business and ask our panel your questions in this area. Register now.
