Philipp Jakubowski, head of the Information Security Office at Trusted Shops, and internet security specialist, answers our questions about cyber attacks on online businesses.
Which methods do hackers use? How do you protect your customers' data? Does the current corona crisis make companies more vulnerable?
Keep reading to find out!
We may have the impression that cyber attacks don’t concern us or are only reserved for larger companies, but that’s not the case.
There is always a certain risk of cyber attacks happening. This risk won't disappear; it's more likely to intensify.
Technologies evolve and so does the probability of attacks. If you operate online, then you're facing that risk.
"Companies that don't take precautions and don’t put safety first are making a big mistake."
We have to distinguish between "technical attacks" and "social attacks".
During technical attacks, hackers scan your website, systems and networks for security gaps to figure out where they could possibly enter.
Social attacks, on the other hand, are all those in which hackers use your employees as intermediaries.
For example, they send them an email that appears to come from a colleague, asking for sensitive information.
Another possibility is that they invite your employees to click on a link in that email.
Most companies are careful to protect their systems against all technical attacks but forget that employees are their main line of defence.
It’s therefore crucial to raise awareness concerning the importance of online safety throughout your staff.
Offer your employees training to teach or remind them of good security practices.
Some examples of such security practices would be:
To protect your company from phishing emails, you shouldn't:
click on unknown links
open unknown attachments
give vital information to strangers
Instead, you should:
beware of emails that put you in a stressful and urgent situation
(without clicking) check the sender's e-mail by hovering your mouse cursor over the address
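As an added example (not code from the original article or from Trusted Shops), a small Go check that applies the "look at the real sender address, not the name shown" advice to constructed From headers; the company domain example-shop.test and the sample headers are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// domainOf returns the lower-cased part after the last '@', or "" if there is none.
func domainOf(address string) string {
	at := strings.LastIndex(address, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(address[at+1:])
}

// CheckSender parses a raw From header and returns the reasons it deserves a
// second look. internalDomain is the company's own mail domain (constructed
// here). An empty result means nothing stood out; it is not proof of safety.
func CheckSender(fromHeader, internalDomain string) ([]string, error) {
	addr, err := mail.ParseAddress(fromHeader)
	if err != nil {
		return nil, fmt.Errorf("unparsable From header: %w", err)
	}
	internal := strings.ToLower(internalDomain)
	domain := domainOf(addr.Address)
	var findings []string
	if domain != internal {
		findings = append(findings, "address domain "+domain+" is not the company domain "+internal)
		// A lookalike domain embeds the company's name, e.g. example-shop-login.net.
		if label := strings.SplitN(internal, ".", 2)[0]; strings.Contains(domain, label) {
			findings = append(findings, "domain "+domain+" imitates the company name "+label)
		}
	}
	// A display name that looks like an address can hide the real one behind it.
	if shown := domainOf(addr.Name); shown != "" && shown != domain {
		findings = append(findings, "display name shows "+shown+" but mail comes from "+domain)
	}
	return findings, nil
}

func main() {
	headers := []string{ // constructed sample headers, not real mail
		`"Anna Schmidt" <anna.schmidt@example-shop.test>`,
		`"Anna Schmidt" <it-support@example-shop-login.net>`,
		`"anna.schmidt@example-shop.test" <billing@mailer.example.org>`,
	}
	for _, h := range headers {
		findings, err := CheckSender(h, "example-shop.test")
		fmt.Printf("%s\n  err=%v findings=%v\n", h, err, findings)
	}
}
```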
Smaller businesses, however, are actually rarely confronted with technical attacks: not in terms of probability, but rather because it's easier to keep an overview of their potential security breaches.
"The bigger the company, the more complicated it gets. It's easier to keep a building safe than a city."
When ensuring the security of a building, it’s way easier to control your entrance doors, keep track of changes made, and have all your security systems well in mind.
Now imagine the same situation with an entire city! The extent of the task is definitely not the same here.
This also applies to businesses.
Encrypt your data. Encrypting your customer data is the only way to ensure its protection.
You should do so, not only with the data stored on the server, but also when customer data is being transferred.
Without encryption, there is always a certain risk regarding the security of customer data:
If you store the data on a hard drive, then everyone who has access to the drive, also has access to the data on it.
If you change storage systems, hardware settings, or even your web hosting, then again, you'll have no control over what happens to the stored data. It may seem obvious to you, and yet it has even happened to government agencies in the past.
The server on which you store your data can also be sold later, and then you have no way of knowing whose hands it'll end up in. You should therefore pay close attention to the cancellation terms of your contract.
If I had to summarise it in one word: Encryption! You must be the only one with control over customer data.
Only you should have the key to decode and read this data. As long as you don't lose the key, you’ll be safe!
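To make the "only you hold the key" point concrete, here is an added Go example (not code from the article or from Trusted Shops) that encrypts a customer record for storage with AES-256-GCM: the key is held separately, and a blob that is altered, copied onto another customer's row, or opened with a different key yields an error instead of data. The record and customer IDs are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) { // key: 16, 24 or 32 bytes
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one customer record for storage: the random nonce is prepended
// so the result is one blob, and context (here a customer ID) is authenticated
// but not encrypted, so a blob copied onto another customer's row will not open.
func Seal(key, record, context []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, context), nil
}

// Open reverses Seal; a wrong key, an altered blob or a wrong context yields an error.
func Open(key, blob, context []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob of %d bytes is too short", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], context)
}

func main() {
	key := make([]byte, 32) // constructed; in practice fetched from a key store, never saved beside the data
	rand.Read(key)
	blob, _ := Seal(key, []byte(`{"name":"A. Example"}`), []byte("customer-42")) // constructed record
	fmt.Printf("stored %d-byte blob; without the key it is just noise\n", len(blob))
}
```

The same pattern covers data in transit only if the connection is also protected (HTTPS), which this block does not replace.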
Yes and no.
Of course the General Data Protection Regulation (GDPR) gives you lots of valuable advice, but you should see it rather as a general framework.
There are many other details that you should pay attention to when it comes to protecting customer data.
Encryption, for example, isn’t a mandatory requirement of the GDPR, although it’s highly recommended.
There’s a large number of possibilities at your disposal, not all of which have anything directly to do with IT security.
Here is an overview of what you could put in place:
A "user friendly" site is an important first sign of trustworthiness.
HTTPS protocol: Few internet users will be willing to enter their banking data on a site that isn’t protected by this protocol.
The general terms and conditions of sale and legal notices should be strikingly displayed. Of course this cannot guarantee the reliability of a site, but their presence contributes to a necessary sense of reassurance.
Authentic customer reviews from real customers (on a closed review platform). 90% of Internet users consult reviews before placing an order. It's, indeed, a secure and therefore persuasive element of reassurance. However, for even more security, I'd advise you to consult the profile of the online shop on the site of the review provider. If the site uses Trusted Shops services, then you can google "SiteName + reviews + Trusted Shops" to find the profile page.
A recognised seal of trust, such as the Trusted Shops trustmark. By obtaining it, you display the Trustbadge© on your site. It's a discreet but easily recognisable element that allows customers to identify your site as trustworthy.
I'd recommend paying attention to sites with particularly low prices. I'd advise you to "Google" the name of the site together with keywords such as "fake site" or "scam".
(More) Tips for Protecting Your Online Shop from Hacker Attacks
If someone reaches out to you indicating security breaches on your site, don't go straight to the police.
First, you should listen to them carefully and ask them to investigate further.
"The majority of these “hackers” aren’t malevolent beings operating in the dark-net and simultaneously attacking Facebook in order to acquire millions of euros."
Most of the time, they’re either IT students, enthusiasts, or people in need of recognition.
There’s even a name for these types of cyber-attackers: security researchers.
It is different every time. Some just write “Hey, I found a vulnerability in your website.” Others give out exact information upfront and kindly ask for a bounty.
Admittedly, it won’t be free of charge, but it’s usually not a huge amount of money either. Very often, you only pay around 20€ for this “investigation”.
Personally, it never felt like a ransom to me. The researchers have always given out the information for free and never behaved impolitely.
It’s a business that I like to call "unsolicited consulting".
It might seem a bit strange, but when you work in IT security long enough, you get used to it.
In any case, be open-minded. Calling the police won't solve the problem, and you wouldn't be aware of your shortcomings if it weren't for them.
At Trusted Shops, we do indeed take their information into account and analyse it.
There won't be any revolutionary methods that hackers invent and make use of. However, they will use the crisis as a basis for their work.
I do believe that the risk of social attacks is now somewhat higher because of the increase in working digitally (i.e. home office).
As communication becomes more and more virtual and digital, most of the communication takes place via e-mail and telephone.
From a "technical attack" point of view, if people use their own computers for work, then all the precautions taken will no longer be feasible (encryption, antivirus, etc.).
Likewise, if a hacker has already taken possession of a private computer and your employee is now using it for work, then this could become a problem for your business.
Therefore, ask your employees to use their work computers instead or make sure that no sensitive data is stored on the private devices of your employees.
Take care of yourself, your business, and stay informed!
This article was originally published on our French blog: Cyberattaques - Comment protéger mon entreprise des hackers ?