Digitalisation, Ecommerce & Security
Companies’ digitalisation: a buzzword or a real opportunity? According to the European Commission, 62% of the French population buys on the internet, whereas only 16% of French companies have an online sales activity (1). This figure clearly underlines the “digital” opportunity that French companies have. Whether it is a showcase website, an online sales platform, or local marketing, each option is an opportunity and represents a competitive advantage over companies that do not dare to digitalise their businesses.
Digital marketing agencies, freelancers specialised in e-commerce, CMSs: there are many different offers to facilitate the creation of a website. Competition in this market is fierce, and price is often a decisive factor for SMBs wishing to have their own sales platform. However, even if the delivered website meets the customer’s expectations in terms of functionalities or design, it shouldn’t stop there, as the risk of a website being hacked is high (even for “small” websites).
What about cybersecurity?
For companies that decide to work with external web professionals (either freelancers or agencies), it is necessary to understand what preparation and construction work goes into creating a website worthy of the name. This means setting a budget to invest in the website’s construction. Its “size”, functionalities, design, maintenance fees (meaning the necessary updates to the website) and also cybersecurity will have an impact on the overall budget. Cybersecurity is too often left out in order to offer cheaper prices, and yet it is a major issue.
It is crucial to understand that being a web developer, however good, does not necessarily mean being an expert in cybersecurity. These are two distinct jobs that call for very different skills. It is fundamental to understand this distinction so that you are ready to question your developers on the topic. What security guarantees can they provide? Have they planned to run security audits? Who will be liable if the website gets hacked? This is where the issue lies: if there is no mention of security in the technical specifications or in the maintenance contract, then it is your responsibility when you get hacked.
How to reduce hacking risks?
Some guidelines can minimize the hacking risks:
- Less is more: this is a universal rule in cybersecurity. Every non-essential feature should be removed. All the functionalities on a website must be indispensable and used by the final customer. For an attacker, every functionality, page or field to fill in is a potential vulnerability.
- Maintenance is necessary: when dealing with a CMS, such as WordPress, it is crucial to update whenever a new version comes out. Those updates fix the most recently found security flaws as well as functional issues. Hence, skipping those updates will make the website obsolete and vulnerable to attackers. It is important to clarify whether or not this is included in the maintenance contract.
- Watch out for custom-built code: it might not be compatible with future updates. For that reason, some companies intentionally do not update their CMS, to keep their website functioning despite the risks that this implies. We recommend using a test platform to see whether upcoming updates have an impact on how the website works.
- Do not forget to set up a password policy: this applies to the website’s owner as well as its users. Using a passphrase (a sentence invented for that use only) instead of a password tends to be the best option security-wise.
How can I guarantee that my website is secure?
First things first: it is cheaper to make sure that a website is safe than to suffer the multiple consequences of a hack (financial loss, brand damage & costs to “fix” the platform).
If you already have a website and now want to invest in its security, you can have a security audit performed on it. This type of service is also called a “pentest” (short for penetration test). It consists of attacking a web platform from a hacker’s point of view. This makes it possible to find and fix the security flaws before a malicious person spots them.
Otherwise, for companies planning to create a website, it can be worthwhile to use the services of experts in a cybersecurity consultancy. They will guide you through the development of the website with a security mindset, or will at least make sure that the server’s and CMS’ configurations follow best practices.
Whatever your context is, it is essential to adjust your security measures to the actual level of risk that you are facing.
If you wish to discuss your cybersecurity needs further, please do not hesitate to contact us.
(1) The Digital Economy and Society Index, European Commission, February 2016.