Online retail sales are growing by the day, with U.S. revenues already exceeding $300 billion in 2014, a figure expected to double by 2018. The steady annual rise in e-commerce revenue and scope seems unstoppable, but what does that mean for those old barriers that once held back many from converting online, mainly personal information security? As you may have deduced, these figures hardly represent the full potential of online and/or mobile consumption.
Google changed their algorithm to favor sites with secured URLs, and a MarketWatch survey found that security is the leading barrier to conversion amongst users, with only one third stating they do not shop online in fear of personal data breach.
Moreover, in a different survey a staggering figure of more than 80 percent of U.S. shoppers who searched for a product online expressed interest in finding products nearby — indicating that there’s still a strong preference for shopping in person, but also clues us into a very basic level of mistrust in both the online presentation of items, and more importantly a hesitance to input personal information. High profile user data hacks such as the one eBay faced in 2015 do more to deter already-fearful Web users from handing over their details. It almost doesn’t matter how quickly and effectively the company dealt with the breach, or how much (if any) damage was incurred by the users whose data was leaked.
Establishing or recuperating trust is one of the main barriers to conversion from existing and future consumers. This is doubly true when it comes to lesser known, new, or online-only retailers.
The fact of the matter is, if you own, operate, or promote a website, your information — and your users’ information — is exposed to a certain level of risk. While not all businesses can afford to enlist a team whose role would be to monitor their site’s cybersecurity, it may be beneficial for you (as a web marketer professional) to consider training someone among existing staff to deal with security at least at the basic level.
As business owners, we all know we get a myriad of “lookie-loo leads” — prospects that are just price shopping with no intention of ever committing — and there are dozens of reasons why a potential client would legitimately say “no” to your proposal. Even when dealing with a site that’s been found relatively secure, you or your potential client may be soon parting ways due to the failure of showcasing efforts to secure data. Read on to learn how you can polish any site’s security to improve consumer trust and ultimately, revenue. This post covers how to use security as another piece of your sales funnel and as a pitch to prospective clients.
Some Numbers
When conjuring up an image of a hesitant online user, we often think of the elderly. After all, relative to the younger crowd, they’re likely inexperienced in completing Web tasks, and generally used to doing things a certain (offline) way. Yet, according to the MarketWatch survey referenced above, the fear of personal data being possessed by malicious sources is most prevalent among the 35-and-older crowd, which is probably a much younger cut-off than you anticipated. Moreover, it’s not as though everyone younger than 34 is completely comfortable with sharing and managing information online. In fact, two thirds of consumers say they believe they will fall victim of a data breach in the coming year, and the same percentage say they’re more worried about their information in cyberspace now than they ever were before.
Finally, there’s one new and important factor making nearly all online consumers uneasy: fear of breach is common in all age groups when it comes to completing purchases on mobile devices — a figure we should be mindful of in light of the steady increase in mobile usage for e-commerce purposes, reaching nearly 40 percent of all online sales in the U.S. on Black Friday 2013 alone.
While barriers to conversion are virtually endless, security is one that’s consistently cited by Internet users as a deterrent from completing online purchases. If you own or promote a long-established giant retail chain with well-distributed brick-and-mortar stores and an online store, your reputation is likely doing more than half of the work. If the above doesn’t apply to you, below are some tried and true tips that are essential to strengthening a site’s security.
Audit and Take Action
As with all journeys, the road to safety begins with one major step — figuring out where you are on the safety spectrum. This step should be as thorough as possible; consider involving one or more professionals who can closely examine the site and assess it as whole. Depending on the size of the company, these professionals can either be one-time consultants or full-time team members paid to have their eye on the ball at all times. The following three areas are where you’ll most likely find security gaps during your inspection, so focusing on them is a great start:
- URLs: The exchange of data online (credit card data, address data, login pages, etc.) should be carried out over a secure connection that’s authenticated and encrypted via https. I will not expand on this, as we all already know the importance of https for Google. Therefore, it is highly suggested to do the switch if not done so already.
- Plug-ins: Does the site utilize any form of open-source platform? If yes, this puts it at risk of data hacking due to various possible security bridges, like loopholes to steal data or commit fraud. Worst of all, if this occurs, it may be extremely difficult to realize the source of the breach. Yes, WordPress! Quick, go and update all your plugins and make sure they are all from a reputable source. If you’re using a reputable web host, they will automatically update your software. If you’re unsure if yours does, investigate and possibly switch to a better host.
- Payment verification: If the site accepts payments (e-commerce for instance), carefully examine the level of protection that’s provided by the payment-processing program the site subscribes to. In most cases, it would be beneficial to take additional measures in order to boost this level of security, starting with the purchase of reputable financial verification software such as VeriSign, MasterCard Merchant Fraud Protection, and more.
- Data validation should be done on the client side, not server side: Many web forms include JavaScript validation. If the validation process is done on the server side, it means nothing. Make sure all JavaScript validations are done on the client side, or you might find yourself an easy prey for hackers.
- Password: Everybody knows they should have a strong password, but this is not always the case. It is critical that you have a bullet proof password to all access points of your website. Avoid generic user names such as admin, user, or test and avoid using your email and your user name. Change your passwords every quarter. Set a reminder to do this.
- Consider a web application firewall: this can be your first line of defense. The firewall inspects incoming traffic and blocks hacking attempts right of the bat. Until a few years ago, firewalls were available only as an added hardware. Now you can contact your hosting company and ask to add the application to your hosting package. Reputable hosting companies include them as part of your plan.
- Limit access to certain directories and restrict file permission: in most hosting accounts, and in those usually done through FTP, you can control level access and file permissions on your server. This is a very effective way to block certain areas of your website and to reduce the risk of unwanted activity. Read more about it here.
- Invest in and keep up with advanced security software. By now you realize the importance of ongoing security scans, but it can be a nuisance to update software at the high rate most security programs demand today. Regardless — take on the role of security by remaining up-to-date on the latest software, or you could be surprised of where it may hit you (spoiler: it could impact the site’s rankings). This goes further than installing the latest version of McAfee or Norton, it entails ensuring vital components of the site’s transaction processes are up-to-date, such as the shopping cart; if it’s based on an outdated or open plugin, one simple breach could mean compromising the client database, which may expose them to breaches on other platforms.
- Avoid storing sensitive data: Generally speaking, PCI regulations prohibit the storage of customer information (especially payment method details) beyond the completion of a transaction. If you have smaller/beginner e-commerce clients, this may be a handy memo for them. There are exceptions to this rule, such as recurring payments. However, it’s strongly advised to limit the information kept to a bare minimum, such as what the system requires to issue refunds. If your clients keep to this rule, they’ll rest easy at night knowing that even in the event of an attack, there will be no sensitive data that can leak.
- Penalize suspected breaches: Ever forget a password or type one out incorrectly? We’ve all been there – it’s only natural. What isn’t natural is making dozens of back-to-back attempts at passwords in a short timeframe. If you haven’t already, make sure the login page is set to deny login after a certain number of failed attempts, typically three. It doesn’t have to be a hard block, even a temporary ban of 30 minutes can make eager brute hacker-bots skip onward to the next unattended cyberspace.
- Clearly define, designate and stick to admin roles: The number of people who are exposed to internal information in a company can easily exceed what’s necessary, considering high employee turnover and general failure to contain data. They say the greatest threat to data comes from within. Keep close tabs on who is exposed to sensitive information, and go the extra mile by switching up passwords to security software and admin panels often.
Don’t Keep Security a Secret
Preventing a potentially financially devastating attack is an end in and of itself. Studies have found that prominent trust signs, such as conspicuous SSL layers actively boost customer trust and thus positively impact sales. Any reputable site should display trust signs proudly, including accreditations, encryptions, and verifications. These symbols subconsciously — but powerfully — indicate to clients that the business is serious and concerned about their online safety, helping them feel comfortable completing a purchase or handing over precious information.
It shouldn’t end there, however. Consumers know security is also in their hands, so any help provided to them in order to understand how to protect themselves online is beneficial and works to establish the site as an authority on online security — not a bad place to be. For instance, you can be more transparent by giving clients access to their stored account details and teaching them about the importance of having a unique password by raising the minimum level of complexity; making real time automated recommendations. When all parties are well informed about what constitutes as unsafe behavior and make a conscious effort to be safe, it’ll make fraud easier to detect.
Stay Ahead of the Next Attack
Unfortunately, hackers are just as sophisticated and creative as cybersecurity experts. For site owners, this means living in a never-ending arms race where an attack may always be just around the corner. Assuming your client is already keeping their security software consistently up-to-date, their best bet to stay safe is to test the network occasionally by running cyberattack simulations. This can be carried out by a cybersecurity professional, and it should be a regular protocol — especially before important sales or promotions when system overflow may make data more susceptible to real time attacks. In severe cases, Google may dole out a manual action and send an alert to Web Master Tools (Search Console), indicating that the reason for the penalty is Malware or third party hacking.
Though often enlightening, periodic attacks should not be relied on as the only measure of site security on an ongoing basis. The best way to monitor suspicious activity is by setting up real-time alerts and consequences for suspicious activity. Depending on the niche you’re dealing with, that could mean denying registration or checkout completion for any of the following cases: a foreign IP, multiple attempts at registration / login / checkout completion, suspicious telephone number input (e.g. 111-111-1111), multiple identical orders placed, or if an order is placed that differs greatly from typical new client projections. By being able to identify these behaviors real time, you could stop attempts at fraud in their tracks.
You’re on your way to becoming an online safety expert. Use the above information as a starting point, and lay the foundation for advanced cybersecurity. It can and will pay off in revenue and trust. Once you become aware of the risks that loom, you may be surprised to realize how many close calls you and your clients have had — and how effective security measures need to be.
About the Author: Asher Elran is a practical software engineer and a marketing specialist. He is the CEO at Dynamic Search and founder of Web Ethics.