Hacking

EXPERT ADVICE

Small Etailers: It’s Not Too Late to Protect Your Holiday Revenue

As consumers start to tackle their holiday shopping lists, retailers are scrambling to finish preparations for what’s likely to be a record-breaking year. Total sales could break through the US$1.1 trillion mark for the first time in history. Cyber Monday alone racked up an estimated $9.4 billion in sales.

When looking at their own businesses, most merchants typically understand how significant this time of year is. All the goods sold from now until the end of December can account for 20-30 percent of a retailer’s total annual sales. Yes, nearly one-third of revenue for the year is hitting the books in a little more than a month. Since most overhead costs will stay the same, retailers likely will get more margin from each sale.

The stakes are high, and potential customers have limitless options. If merchants do not deliver a high-quality experience that is frictionless and fast, they will lose. This is especially true for the thousands of small and mid-size retailers trying to build their brands and customer base.

You may think that delivering a quality experience simply means that your product descriptions are free of spelling mistakes and your site loads quickly. Unfortunately, there are many more ways of damaging a brand’s reputation and revenue besides bad copy and slow performance. None is more dire than a store not being able to process sales.

This is exactly what happened to major retailer J.Crew during Black Friday last year. The company’s website struggled to process sales. Shoppers flooded social media listing problems: They couldn’t log in; they couldn’t add items to their shopping cart — or pay for them.

It took J.Crew’s team about five hours to fix everything, and by then the damage was done. It’s estimated the company missed out on $700,000 in sales. It wasn’t the only retailer that struggled. Walmart, Gamestop and Lululemon all faced issues with serving customers online.

These companies have deep pockets and brick-and-mortar shops to help cushion the blows. However, many e-commerce retailers don’t have those luxuries. Being down for a few hours can be detrimental to their year.

The inability to manage high volume isn’t the only threat. There are other ways a store can be compromised, potentially resulting in shutdowns that last for days, or even wiping out a business altogether.

External and Internal Cyberattacks

We have become used to seeing big names such as British Airways, Marriott and Target as the victims of cyberattacks. However, criminals are moving down the food chain and increasingly are targeting businesses of all sizes. In fact, cybercrime is the fastest growing criminal activity.

This year alone, it’s estimated that 70 percent of small businesses hit by a cyberattack were forced offline. In this compromised group were some stores that were down for days. One in 10 were forced to close their doors for good.

Ransomware has increased 500 percent from this time last year. There is often a spike in ransomware cases just before the holiday shopping season, when retailers are most vulnerable.

The costs of recovering from a cyberattack can be downright daunting. Some put the cost around $200,000 for small businesses — if they can recover from such a staggering hit, that is.

When retailers ramp up protections to combat cyberattacks, they need to realize that anonymous hackers are not the only threat. Employees and other third parties, like contractors who have access to their site, also pose a risk.

It may seem far-fetched, but disgruntled employees or contractors, if inclined, can completely sabotage your online presence. In one instance, a developer maliciously deleted more than 3,000 product listings. It took the business 18 months to perfect its site, but it was destroyed in a manner of minutes.

Third-Party Integrations

On average, a merchant relies on between four and 10 third-party integrations to help run all the pieces of its online business. The number spikes for large enterprise solutions. No two e-commerce stores are alike, and these solutions fill in the operational and software gaps that have popped up over time — helping with everything from billing to ordering, store optimization, emails, chat and more.

This reliance — specifically, the intimate connection third parties may attain with your store and data — is cause for concern. All third-party apps require different levels of access. Before you install an app, read the terms and conditions.

If the integration simply wants to ‘View’ or ‘See’ data in your store, you should be fine. However, if the app wants to ‘Manage’ or ‘Modify’ data, that is a major red flag. The deeper a third-party integration is entrenched, the greater your risk of something being manipulated or edited out of your control.

Online fitness brand Gymshark learned this the hard way. Unfortunately, it happened right in the middle of Black Friday. An app sitting idly in the background, not even being used at the time, had faulty code. The rogue app ended up crashing the entire site.

It took Gymshark’s technical team eight hours to get the site up and running. By then, it’s estimated that the company missed out on more than $140,000 in sales, not to mention lost manpower and productivity. Gymshark was able to bounce back, but this scenario could break a small operation.

Human Error

We all make mistakes — they are inevitable. They often can be avoided though. It is common to encounter merchants wanting customized edits or changes to their theme code. Yet if experienced coders can make the odd error, imagine the risk a store is taking if a member of the marketing team attempts to write a killer program. It easily could end up killing your store.

The same goes for freelancers or contractors you bring into the fold. The more access you give them to your store, the greater potential for accidents to happen. Finding a reliable contractor is not as easy as you might think. If you search online sites where e-commerce merchants gather, you will see dozens (if not hundreds) of horror stories about contract work gone bad.

Sometimes mistakes are made simply due to the fact that people weren’t paying attention. You may have been trying to clean up product pages, blogs, customers lists or something else. Instead, you ended up deleting the data for good. This happens more often than you might think.

Here’s the biggest problem: Even reliable platforms like Shopify and BigCommerce won’t be able to help you get that data back.

E-Commerce Platforms Don’t Back Up All Your Data

No matter how many times I have the conversation, online retailers are still shocked that not all their data is protected by e-commerce platforms. “But it’s in the cloud, isn’t it?!” Well, yes and no. Let’s say you use Shopify to power your online store, here are the sections NOT automatically backed up:

  • Products and Product Images
  • Inventory
  • Customers
  • Orders
  • Collections
  • Blogs and Blog Posts
  • Pages
  • Themes and Theme Files
  • Menu Navigation
  • Store Policies
  • Locations
  • Shipping Zones
  • Gift Cards
  • Customer Saved Searches
  • Metadata (for Enterprise plans)

Now be honest — that’s more than you were expecting, isn’t it? The next thing I usually hear is, “I don’t understand why these things aren’t backed up.” That has to do with something called the “shared responsibility model” of backups.

Chart: Responsibility for Cloud Security, AWS/Customer

This is the model for Amazon Web Services, but most platforms essentially follow the same model. A reputable e-commerce platform will ensure that its own software and infrastructure are always up and running. Yet when it comes to account-level data, merchants are responsible.

Even if these platforms wanted to help, they would have more luck locating a needle in a haystack. If account-level data or content is accidentally deleted, e-commerce platforms cannot flip a switch to restore it. It may be gone forever.

This situation may seem overwhelming, even hopeless — but it isn’t. There are tactics and strategies even the smallest merchants easily can put in place to mitigate risks from all the scenarios discussed above.

Tighten Up Store Security and Access

First, create unique passwords — and not just for yourself. Create them for everyone who touches your online store. We all know that complicated, hard-to-remember ones work best, but the majority of people STILL do not follow this best practice.

To help overcome password fatigue, use a tool like 1Password and LastPass to help create and store all these hard-to-hack passwords. Pro tip: NEVER let a Web browser like Chrome or Firefox save your passwords. If you do, you are inviting trouble.

Second, install two-step authentication. Even the most complicated passwords are not 100 percent foolproof from cyberattacks. For the unfamiliar, two-step authentication is simply the process of using mobile technology to verify a person’s identity.

A unique code is generated on your site, and a user enters it on a personal phone or computer to gain access. This ensures that the authorized user is the only person who can access the account. Password thieves still would need the user’s phone or verification code to get in.

Finally, give users access only to the areas of the site that overlap with their responsibilities. In other words, don’t give someone in customer support the ability to edit code. This is a very simple but effective way to reduce human error, whether it’s malicious or erroneous.

Perform a Site Audit of Integrations

No matter how many third-party apps you are using, it’s important to revisit periodically what type of access they have and your associated risks. Research the app and the experiences of others. That will help you build a case for or against installing or keeping it. Ask yourself these questions:

  • What are the negative/positive reviews or ratings? Are they a four-star or two-star app?
  • How accessible is the party who built it? Can you contact them or are they digital ghosts?
  • Was it built by a firm that seems reputable or is it an anonymous avatar?

The goal is to determine whether the benefits of installing an app on your store are worth the risks. One quick tip that works well: Initiate a code or install freeze before any big event. Unless there’s a serious problem that needs immediate fixing, it ensures you will not make any changes that may compromise your store during critical selling periods.

Put a Backup Strategy in Place

A proper backup strategy is the last wall of defense. Should anything — or even everything — go sideways, a comprehensive backup serves as an insurance policy for the worst-case scenario.

As in the previous examples, it’s not just the lost sales that hurt an online retailer. It’s also a major drain on resources to fix site issues. A backup strategy for your account-level data will help reduce or eliminate this pain altogether.

There are three types of backup strategies you can employ for your e-commerce store:

  1. You can take a manual approach and export CSV (comma-separated values) files for every single area of your store. A CSV is essentially data saved either in a spreadsheet or plain-text file. When you need to restore a section of your store, you import the file. Most platforms have instructions on how to do it. It sounds simple, but this method actually can be very complicated and time-consuming. If you recall the list of areas NOT backed up by e-commerce platforms, some of those areas cannot be exported into a CSV file. So if something is compromised or lost, it may be lost for good.
  2. Build a custom backup solution using a platforms’ application programming interface (API) framework. An automated program that makes a digital backup of all the key areas on your site, it saves the headaches of a manual strategy — but it won’t be a cheap option, by any means. This is a job you will need to outsource to an experienced team (and we already highlighted how hard it is to find one). Furthermore, platforms constantly make updates, so you also will have to pay for ongoing audits, and regularly update your solution to ensure it doesn’t stop working.
  3. Opt for an off-the-shelf, third-party solution. In some ways, this is the best of both worlds — no manual labor, no high costs. However, you will want to do your homework when it comes to third-party integrations. While prices can vary, so does the data a system can back up effectively. Make sure you do your homework and compare your options. Checking ratings and reviews in the various app stores to get peer reviews is essential.

Don’t Put Your Holiday Sales at Risk

It’s the most wonderful time of the year for shoppers, but the most critical time of year for retail operations — especially smaller players. Don’t risk positive cash flow and profitability by ignoring all of the external and internal threats that can compromise your store and devastate your sales.

Update your security protocols, audit your site for risks, and implement a backup strategy. Shoppers will spend the next few weeks basking in the positive energy of the holiday season, and online retailers should get to do the same.

Mike Potter is the cofounder and CEO of Rewind, a cloud data backup and restore provider recently named BigCommerce Partner of the Year. A veteran entrepreneur, Potter has more than 25 years of experience building solutions for the software, cloud and data analytics space, including tenures at Adobe and Mozilla. He earned his MBA from the University of Ottawa and his B.Eng in Mechanical Engineering from McMaster University.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels