Cyber Attacks Interview: How to Protect Your Business from Hackers

Cyber attacks and hackers target innocent people every day. This includes online shoppers, but also businesses. As an online retailer, you are responsible not only for your own data, but also for your customers’ data. For this reason, you should take extra care to protect your online shop against hacker attacks. 

Philipp Jakubowski, head of the Information Security Office at Trusted Shops, and internet security specialist, answers our questions about cyber attacks on online businesses.

Which methods are used by hackers? How do you protect your customers' data? Has the corona-crisis made companies more vulnerable?

Keep reading to find out!

After the interview, we'll provide you with a few more tips that you can use to protect your online shop from hackers and cyber attacks.

Interview with Philipp Jakubowski of Trusted Shops

The following questions were asked during an interview between Pauline Bondoux, Content Manager at Trusted Shops, and Philipp Jakubowski, head of the Information Security Office at Trusted Shops and internet security specialist.

Are all online businesses endangered?

We may have the impression that cyber attacks don’t concern us or are only reserved for larger companies, but that’s not the case.

There is always a certain risk for cyber attacks to happen. This risk won’t disappear. In fact, it’s even more likely to intensify.

Technologies evolve and so does the probability of attacks. If you operate online, then you're facing that risk.

"Companies that don't take precautions and don’t put safety first are making a big mistake."

What are hackers targeting when attacking companies?

We have to distinguish between "technical attacks" and "social attacks".

During technical attacks, hackers scan your website, systems and networks for security gaps to figure out where they could possibly enter. 

Social attacks, on the other hand, are all those for which hackers will use your employees as intermediaries. 

How do hackers use your employees? 

Hackers use your employees by sending them an email that was apparently sent by a colleague and asking them for sensitive information. 

Another possibility is that they invite your employees to click on a link in that email, for example.

How can you protect your company from these types of cyber attacks?

Most companies are careful to protect their systems against all technical attacks but forget that employees are their main line of defence.

It’s therefore crucial to raise awareness concerning the importance of online safety throughout your staff. 

Offer your employees training to teach or remind them of good security practices.

To protect your company from phishing-mails, you shouldn’t:

  • click on unknown links

  • open unknown attachments

  • give vital information to strangers 

Instead, you should:

  • beware of emails that put you in a stressful and urgent situation

  • (without clicking) check the sender's e-mail by hovering your mouse cursor over the address 

Smaller businesses, however, are actually rarely confronted with technical attacks.

Not in terms of probability, but rather because it’s easier to keep an overview of their potential security breaches.

"The bigger the company, the more complicated it gets. It's easier to keep a building safe than an entire city."

When ensuring the security of a building, it’s way easier to control your entrance doors, keep track of changes made, and have all your security systems well in mind.

Now imagine the same situation with an entire city! The extent of the task is definitely not the same here.

This also applies to businesses.

How can you be sure that your customer data is protected?

Encrypt your data. Encrypting your customer data is the only way to ensure its protection.

You should do so, not only with the data stored on the server, but also when customer data is being transferred. 

Without encryption, there is always a certain risk regarding the security of customer data:

  • If you store the data on a hard drive, then everyone who has access to the drive, also has access to the data on it.

  • If you change storage systems, hardware settings, or even your webhosting, then again, you’ll have no control over what will happen to the stored data. It may seem obvious to you and yet, it’s even happened to government agencies in the past.

  • The server on which you store your data can also be sold later and then you have no way of knowing in whose hands it’ll end up. You should therefore pay close attention to the cancellation terms of your contract.

If I had to summarise it in one word: Encryption! You must be the only one with control over customer data.

Only you should have the key to decode and read this data. As long as you don't lose the key, you’ll be safe!

GDPR: Is this the best way to ensure the security of customer data?

Yes and no.

Of course the General Data Protection Regulation (GDPR) gives you lots of valuable advice, but you should see it rather as a general framework.

There are many other details that you should pay attention to when it comes to protecting customer data.

Encryption, for example, isn’t a mandatory requirement of the GDPR, although it’s highly recommended.

How can you reassure your clients about your shop’s reliability?

There’s a large number of possibilities at your disposal, not all of which have anything directly to do with IT security.

Here is an overview of what you could put in place:

  • A "user friendly" site is an important first sign of trustworthiness.

  • HTTPS protocol: Few internet users will be willing to enter their banking data on a site that isn’t protected by this protocol.

  • The general terms and conditions of sale and legal notices should be strikingly displayed. Of course this cannot guarantee the reliability of a site, but their presence contributes to a necessary sense of reassurance.

  • Display authentic customer reviews from real customers. 90% of Internet users consult reviews before placing an order. It’s, indeed, a secure and therefore persuasive element of reassurance. However, for even more security, I’d advise you to consult the profile of the online shop on the site of the reviews provider. If the site uses Trusted Shops services, then you can google "Site name + reviews + Trusted Shops" to find the profile page.

  • A seal of trust recognised as the Trusted Shops Trustmark. By obtaining it, you display the Trustbadge© on your site. It’s a discreet but easily recognisable element that allows customers to identify your site as trustworthy.

And how can I get reassurance as a customer?

I’d recommend that you pay attention to sites with particularly low prices. I’d advise you to "Google" the name of the site together with keywords such as "fake site" or "scam" and see what pops up.

What should you do if someone informs you of a security breach?

If someone reaches out to you indicating security breaches on your site, don't go straight to the police. 

First, you should listen to them carefully and ask them to investigate further.

"The majority of these “hackers” aren’t malevolent beings operating in the dark-net and simultaneously attacking Facebook in order to acquire millions of euros."

Most of the time, they’re either IT students, enthusiasts, or people in need of recognition.

There’s even a name for these types of cyber-attackers: security researchers.

Do they make a demand for money like a ransom or do they just offer their services?

It is different every time. Some just write “Hey, I found a vulnerability in your website.” Others give out exact information upfront and kindly ask for a bounty.

Admittedly, it won’t be free of charge, but it’s usually not a huge amount of money either. Very often, you only pay around 20€ for this “investigation”. 

Personally, it never felt like a ransom to me. The researchers have always given out the information for free and never behaved impolitely.

It’s a business that I like to call "unsolicited consulting".

It might seem a bit strange, but when you work in IT security long enough, you get used to it. 

In any case, be open minded. Calling the police won't solve the problem and you wouldn’t be aware of your short-comings if it weren’t for them. 

At Trusted Shops, we do indeed take their information into account and analyse it. 

Will the COVID-19 crisis lead to new forms of cyber attacks?

There won't be any revolutionary methods that hackers invent and make use of. However, they will use the crisis as a basis for their work.

I do believe that the risk of social attacks is now somewhat higher because of the increase in working digitally (i.e. home office).

As communication becomes more and more virtual and digital, most of the communication takes place via e-mail and telephone. 

From a "technical attack" point of view, if people use their own computers for work, then all the precautions taken will no longer be feasible (encryption, antivirus, etc.).

Likewise, if a hacker has already taken possession of a private computer and your employee is now using it for work, then this could become a problem for your business.

Therefore, ask your employees to use their work computers instead or make sure that no sensitive data is stored on the private devices of your employees.

Thank you, Philipp, for the helpful tips! 

If you're looking for more tips on what you can do to avoid hackers and cyber attacks, keep reading:

Tips on preventing hacks and cyber attacks on your online shop

Here are 8 tips for preventing cyber attacks and hackers from exploiting your e-commerce business:

Use complex passwords

As an online retailer, you need lots of passwords. For example, you may need passwords for administrative access to your e-commerce platform, access to databases, or to hosting providers.

Choose passwords that are as complex as possible, that contain letters, numbers and special characters and are at least 8 characters long. It is easy to work out passwords that are too simple or too short. 

Use different passwords for each access in order to avoid total loss in the event you “lose” one particular password. You can use a password manager for the administration of your passwords.

Use virus scanners and firewalls

Use virus scanners on your computer to protect against viruses and trojan horses, as well as a firewall that cannot be changed without authorisation.

Always keep these programs up-to-date. You should also remember to update your operating system regularly, because manufacturers close security gaps with these updates.

Speaking of staying up-to-date...

Keep your shop system up-to-date

This is just as important for your shop system as it is for anti-virus programs and operating systems: Always keep your shop system and/or e-commerce platform up-to-date.

Most providers release regular updates, which fix weak spots that they become aware of and may also contain features that are relevant to security.

Be stingy with write permissions on the web server

The more files that have write permission, the higher the risk of malware getting into the web server. As a worst-case scenario, these files could disclose your customers’ data. Therefore, you should only give write permission where this is actually necessary.
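One way to check this on a Unix-style host, as an added example that is not part of the original article: the script walks a web root and lists every file or directory that group or others can write to, skipping locations you have approved. The function names, the sample tree and the `uploads` allow-list entry are hypothetical, and it assumes the web server runs as a different user from the file owner.

```python
import os
import stat
import tempfile


def audit_write_permissions(web_root, allowed_writable=()):
    """List entries under web_root that group or others may write to.

    Assumption: the web server runs as a different user from the file owner,
    so group/other write bits are what let it (or anyone else) modify a file.
    allowed_writable holds paths, relative to web_root, that need write access.
    """
    allowed = [os.path.normpath(p) for p in allowed_writable]
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            if any(rel == a or rel.startswith(a + os.sep) for a in allowed):
                continue  # explicitly approved writable location
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, stat.filemode(mode)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample web root; chmod is explicit so umask has no effect."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {"index.php": 0o644, "config.php": 0o666,
              "uploads/a.jpg": 0o664, "cache/page.html": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o775)
    os.chmod(os.path.join(root, "cache"), 0o777)
    return root


if __name__ == "__main__":
    for rel, mode in audit_write_permissions(build_sample_tree(), ["uploads"]):
        print(mode, rel)
```

Every path the audit reports is a candidate for tightening, and anything added to the allow-list should be a location that holds no executable code or configuration.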

Secure forms

Using forms as an entry point for malware is popular. For example, search forms, user registration forms, or customer login pages can be vulnerable to such attacks.

Your program code defines how this data is read and processed. Therefore, when creating code, you should always build in algorithms (or have these built in) that make it more difficult for malware to get into the system in “code injection attacks”.
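To make the search-form case concrete, here is an added example (not code from the original article) that puts a vulnerable query next to a hardened one, using Python's built-in `sqlite3`. The `products` table, its sample rows and the function names are constructed for illustration.

```python
import sqlite3


def make_shop_db():
    """Constructed sample data: two published products and one unpublished."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, published INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("red mug", 1), ("blue mug", 1), ("draft item", 0)])
    return db


def search_unsafe(db, term):
    # Vulnerable pattern: the form input becomes part of the SQL text,
    # so a quote character in the input can change the query's logic.
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%" + term + "%' ORDER BY name")
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term, max_len=64):
    # Validate first: reject input that is not a reasonably short string.
    if not isinstance(term, str) or len(term) > max_len:
        raise ValueError("search term rejected")
    # Treat LIKE wildcards typed by the user as literal characters.
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    # Parameterized query: the input travels as data, never as SQL text.
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE ? ESCAPE '\\' ORDER BY name")
    return [row[0] for row in db.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = make_shop_db()
    hostile = "' OR 1=1 --"  # constructed test input containing SQL syntax
    print("unsafe:", search_unsafe(db, hostile))  # leaks the unpublished row
    print("safe:  ", search_safe(db, hostile))    # no product has this name
    print("safe:  ", search_safe(db, "mug"))
```

The same rule applies to registration and login forms: bind every user-supplied value as a parameter and validate its type and length before it reaches the database.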

Encrypt sensitive data

There is not, and never can be, 100% security. None of the manufacturers can sort out weak spots that have not been published, and this means that every system is always vulnerable to attack. That is why it is even more important to be prepared for the worst-case scenario.

One very effective method, as mentioned by Philipp, is to only save data in an encrypted manner and to store the encryption key away from the data. If an attacker does find a way to get into the system, they will not be able to read any of the data.

Get professional support

Nobody is an expert at everything. This applies to information security in particular. In the field of information security, there are solutions and experts that can support you in making your online shop secure and clarify where the problem areas are in your website for you. The range of services spans from automated vulnerability scanners to external information security officers.

Security is a worthwhile investment

You are probably aware of some of the security measures mentioned here from your personal internet use. However, as a business person, it is even more important to protect your own data and that of your customers.

In the event of data misuse, the extent of the damage to your brand's image, economic losses, and fines are generally extremely high. Therefore, investing in the security of your online shop can definitely be worth it.

This article was originally published on and adapted from our French blog: Cyberattaques - Comment protéger mon entreprise des hackers ?

06/09/22
