
Safeguarding Customer Data in Your Food eCommerce Venture

Learn How To Protect Your Small Business Against Cyberattacks

Not so long ago, Ticketmaster was under fire because of a leak of their Canadian customers’ personal information. Other countries were affected too, resulting in more than 560 million customers seeing their data hacked and sold on the dark web.

Although the risks of identity fraud were low and sensitive information like credit card numbers was hidden, this incident still posed a danger to privacy. It could have escalated into grim consequences for customers like phishing or other practices used to obtain confidential information by manipulation, known as social engineering scams. 

As a small food business owner, you might be wondering: But what does this have to do with me? I’m not a big corporation like Ticketmaster managing huge amounts of data. You would be right in thinking that this level of scam doesn’t target businesses on your scale, but the truth is that almost 50% of small businesses experienced a cyberattack in 2022.

The consequences of these data breaches can be devastating for eCommerce businesses:

  • Financial losses: Although it depends largely on the incident, costs come with handling the incident, paying ransoms, and offering free products and discounts to customers. In the U.S., for example, most small businesses saw losses of less than $250,000, with very few paying more than $500,000 (although it must be noted that the size standards for small businesses in the U.S. are different from Canadian ones).

  • Legal liabilities: If you fail to protect your customers’ data, they are entitled to come together to file a class-action lawsuit seeking compensation for damages like their own financial losses, identity theft, and emotional distress. There are also violations of data protection laws like the Personal Information Protection and Electronic Documents Act, which can lead you to pay up to $100,000 CAD per violation.

  • Reputational damage: The loss of trust and anger that comes with security breaches may discourage new and existing customers from buying from your business. Cyberattacks also affect the quality of your service: You might have to take down your website, get someone else to fix it, or delay your active orders. 

To protect you and your customers from potential harm, in this blog post, we will dive into the best practices and tools to ensure secure transactions.

Understand the Risks in Food eCommerce Businesses

Small businesses have become the target of cyber criminals—the lack of sufficient security measures and backed-up files is appealing to hackers who want to exploit customers’ sensitive data. 

Some of them might even see your business as a point of entry to access the information of larger customers or companies you’re working with. 

Here’s a list of vulnerable points that can make your business more susceptible to attacks: 

    • Outdated software and systems: If you’ve been hitting “later” when your Content Management Software is asking for an update, do it right away! These “patches” are meant to fix security flaws or bugs that could be exploited by hackers. 

    • Weak passwords: A guessable, short, and simple password can easily give unauthorized access to your data. In 2023, more than 60% of the factors that compromised security were weak or absent passwords and leaked credentials.

    • Lack of encryption: Encryption acts as an extra security barrier that turns your information—whether that’s your customer data, employee information, or emails—into illegible code that can only be deciphered using a decryption key. Without that key, criminals who get hold of your data would have to break the encryption itself to read it.

  • Limited IT resources: Small businesses may not have the necessary IT skills or knowledge to put a cybersecurity strategy in place, in part because they believe they don’t hold anything of value. If you have a limited budget, it may be hard to allocate part of it to cyber insurance, for example, and even harder to find and hire IT professionals.

  • Lack of backup and recovery procedures: Not backing up your data frequently enough could lead to a complete loss after a breach or system failure occurs. Storing it in physical locations, like a USB stick or other removable media, makes it vulnerable to malware attacks or theft.

Now that you’re aware of the risks, let’s discuss what dangers to look out for.

Common Data Breaches in the Food Industry

Ransomware

Remember what we said about encryption? Picture that but the other way around, with a hacker taking hold of your information and rendering it unintelligible or inaccessible. They hold it hostage and will only give it back once a ransom is paid.

Other ransomware variants completely lock you out of your computer, preventing you from accessing your information. They may also threaten to leak or destroy your data, potentially bringing your business to a standstill. 

Even if it doesn’t come to that, the 22 days of downtime businesses normally spend to recover can be just as fatal to their operations.

The exact ransom demand amount is hard to pin down—sometimes it is directly linked with the company’s annual revenue, but it all depends on the intelligence the attacker has to figure out how much their target can pay. However, the median is estimated at around $26,000 USD.

Phishing

Many cyberattacks start with fraudulent emails or messages containing a malicious link directing you to an attacker-controlled website. Once there, malware—that is, code or programs that are harmful to systems—could be downloaded onto your device, giving the perpetrators, among other things, full access to it.

By posing as trustworthy entities, they can get you to give away sensitive information. To achieve this, they could also call you, pretending to be a financial institution, a loved one, or an acquaintance to gain your trust and extract what they want from you much more easily.

The City of Ottawa was the victim of a phishing attack in 2019, when the treasurer for the city at the time sent more than $100,000 CAD to an American cybercriminal who had impersonated the city manager and had asked her to wire the money to a “supplier.” 

91% of cyberattacks start with a phishing email, so beware of inconsistencies and spelling errors, and don’t open any link coming from an unknown sender.   

Data Leaks

Although this is technically not a data breach since the sensitive information is leaked by someone inside your business, it’s still a safety threat that you should take into account—especially considering that hackers could take advantage of a leak to carry out a breach. 

They happen in multiple ways, like an email with important data attached to it being sent to unintended recipients, publicly accessible cloud storage, accidental uploads on your website or social media, lost devices, etc. 

It’s then important to:

  1. Limit the access your team has to data to what they absolutely need to keep the business running

  2. Train them on how to handle that sensitive information 

  3. Go through your old data and delete whatever you can to lessen the risk of a leak

  4. Review the security practices of your suppliers—if they experience a leak, your eCommerce business information could be exposed too 

  5. Assess your own practices to identify vulnerabilities

These are the most common tactics cybercriminals use to access your sensitive data, but as attacks become more and more frequent, your small business could also become the target of…

  • Card skimming, where criminals capture your card’s information through POS terminals and use it to make unauthorized purchases (hence the importance of virtual payment methods!)

  • Distributed Denial of Service (DDoS) attacks, which partially or completely shut down the online services of your small business to either make a statement or extort you for money.

Best Practices For Secure Transactions 

Payment Gateways

These are the platforms that bridge the gap between your business and your customer. They allow for credit cards to be read and for digital payments to be processed. Gateways ensure that the data is securely transmitted: They encrypt it to prevent unwanted access. If you’re worried about fraud, they also take care of that by checking addresses and CVVs. 

Payment gateways have to comply with regulatory standards like the Payment Card Industry Data Security Standard (PCI DSS), which outlines strict requirements like installing and maintaining secure networks, protecting cardholder data, and testing systems regularly.

Features like tokenization, data masking, secure user authentication, secure payment infrastructure, and regular security audits and updates are tools to look for when choosing a service.

Data Encryption

We mentioned it already and we’ll mention it again: Encrypt your data to be safe from hacking threats. This includes the data that’s stored on your computer and servers (like customer data and order information), documents or spreadsheets containing personal information, and data you’re transferring between devices.

You can choose to use the same key to both encrypt and decrypt the information, known as symmetric encryption. For a more secure exchange, asymmetric encryption uses the recipient’s public key (taken from a directory) to encrypt the message, and lets the recipient decrypt it with a private key that only they hold.

Some encryption methods include Advanced Encryption Standard (AES) for customer data stored on servers, Rivest-Shamir-Adleman (RSA) for emails and files, and Secure Sockets Layer or Transport Layer Security (SSL/TLS) for protecting the user’s information as it travels across the Internet.

Multi-Factor Authentication

Having a strong, seemingly impregnable password is not enough to protect you against cyberattacks, and that’s where Multi-Factor Authentication (MFA) comes in. MFA acts as a bolt to protect your business, since even if your main key is stolen, another one is needed to gain access. 

There are different types of authenticators depending on the factor they rely on (is it your password? Your cellphone? Or your FaceID?) and not all of them provide the same security. The methods are many, but instead of feeling overwhelmed focus on:

  • Relying on code generator verification like Microsoft Authenticator, Okta FastPass, and Google Authenticator instead of SMS or emails, which could be intercepted. 

  • Using a risk-based authentication method that adjusts the level of MFA required based on factors like the user’s location and time of day.

  • Implementing MFA in all your employees’ accounts.

Employee Training

We are all human: we make mistakes, and we’re not going to think straight while under a cyberattack, but the truth is that some threats can be prevented simply by being aware of them. And so, your task as a small food business owner is to educate your team (if you have one) to spot any suspicious activity.

More specifically, your training should include: 

  • Phishing awareness: How can they recognize it? 

  • Strong password practices: How can they create unique and complex passwords?

  • Handling sensitive information: What can they do to avoid data leakages?

  • Secure browsing habits: How to avoid malicious websites? 

  • Reporting incidents: Who should they talk to in the case of an attack? 

It becomes a matter of decreasing risks, and of keeping a safe online environment for your team and yourself. Social engineering threats go beyond losses in profit—becoming a victim of one of them involves feelings of fear and guilt, and comes with an added stress to be extra vigilant going forward.

Incident Response Plan

Simply put, this document details how to respond to security breaches and minimize their impact. It should clarify: 

  • Procedures to identify and report a security incident 

  • How to isolate the affected system to prevent further damage

  • Steps to remove the threat and restore the system to a safe state

  • The recovery process for lost or compromised data

  • Space to analyze the incident and identify areas for improvement 

Websites like Soft Kraft offer templates to help you get started with your team, and so does the government of Canada! It has a very complete guide on Cybersecurity 101 for small and medium businesses, including a more detailed section on incident response plans.

Conclusion 

Keeping your customers’ data safe is paramount for the success and longevity of your eCommerce food business. It’s impossible to see data breaches coming, but by implementing robust security measures like encryption, strong passwords, and employee training, you can significantly reduce the risk of these attacks happening.

As with all affairs, stay updated on the latest security issues and news and don’t hesitate to look for outside help (like a cybersecurity consultant or a business mentor) if you find yourself lacking the expertise or resources. We hope this article has reinforced how important cybersecurity is to keep your business and operations safe!

Written by Marcela Gonzalez
