When Dawn Hurlebaus bought an online company that sold body sculpting garments several years ago, she thought she knew all about the necessary technical issues associated with selling products online. After a 30-year career in the IT industry, she specifically thought she knew what she needed to know about cybersecurity and website development.
But then she was getting ready for an important trade show last October when she received a notice from Google that her website had been compromised.
“I went into panic mode when I did an online search and saw in big bold letters a notice to customers that my site was not secure,” Hurlebaus says.
She immediately called her website host provider, who referred her to SiteLock. The online security company immediately conducted a diagnostic program which found numerous security violations on the website.
“There was malware all over the site and someone had replaced all our legitimate hyperlinks with links that took customers to sites that were not legitimate,” she says. Additionally, the hackers captured information that allowed them to send out spam that looked like it was coming from Hurlebaus’ site.
After diagnosing the problem, SiteLock eliminated the concerns and got the site back up and running within a few hours.
“When I woke up the next morning, the site was up and running and was fully functional,” Hurlebaus says.
Luckily, the hack did not result in sensitive data — such as credit card numbers or private customer data — falling into the violators’ hands. If the situation had not been handled early, there would have been the potential for such problems: Hackers could have used the illegitimate emails to phish for confidential client information. Customers might send information to outside sources when they believed they were sending it to Hurlebaus’ company.
Speed in correcting the problem was of the essence: Hurlebaus needed the site up and running for the trade show — a weight reducers conference with 600 attendees. In addition to selling directly online, Hurlebaus sells at conventions where she uses her website, instead of a stand-alone point-of-sale system, to record orders and take payments.
She recorded 70 sales at the show, with an average size of more than $100 per order. If the site had been down, Hurlebaus would have lost a lot of sales.
“This could have shut me down,” she says.
Conferences currently account for about 20 percent of her total sales, and that number is growing; the hack took place at the beginning of the company’s peak season.
SiteLock continues to monitor the website to stop additional potential problems before they can start. While less-expensive options of on-demand or weekly scans are available, Hurlebaus went with the continuous scan option. “It’s not cheap to do it this way, but when I look at the potential losses, it is worth it,” she says. “I could have lost more money in one show than what it costs me to provide in a year.”
In addition to site monitoring and repairs, Hurlebaus appreciates the ongoing reporting. She gets a weekly report that shows the number of bots reported and the number and types of attempts to violate security.
“We’ve got upwards of 25,000 bots already blocked,” Hurlebaus says. “We’re not at risk anymore.”
The problem Hurlebaus experienced is not unusual for small business owners.
“Dawn’s experience is pretty typical of an ecommerce site, especially for a small business,” says Jessica Ortega, product marketing manager for SiteLock.
Already, SiteLock provides security protection for more than 12 million websites, many of them retailers.
Many retailers are so focused on the marketing and sales side of their businesses that they don’t put enough emphasis on security, Ortega says. “A lot of retailers have not built security into the initial budget. This is especially problematic for sites where there is a lot of do-it-yourself updating and maintenance. Those always run a higher risk of infections,” she says.
Hurlebaus agrees that her situation is typical of online retailers. “Small business owners are at a high risk,” she says. “Here I am, experienced in IT, and I understand what malware is and phishing is and how they affect customers. And I was violated. It could be much worse for retailers that have no understanding of the internet world.”
Even someone experienced in technology — like Hurlebaus — had mistakenly believed that she would be covered by her basic service providers. That turned out not to be the case.
What’s also typical in the case of Hurlebaus’ company is how the hackers got onto her site. Ortega explains that in this case, hackers used a “back door” to download files that allowed them to make changes to the site and send out spam links.
“Back doors are one of the most common ways for hackers to get onto websites,” Ortega says. “In the fourth quarter of last year, we found out that in 49 percent of the cases where malicious files were involved, the hackers used a back door.”
Complicating the security challenges for Hurlebaus is that she sells worldwide to tens of thousands of customers. International sales present additional challenges, she says. “Most of our international sales are to Canada and Australia, so we are not dealing with high-risk countries. But there are additional issues. For example, we can’t always use address matches for verification the way we do in the United States.”
What’s more, government fines for data breaches differ among various countries and some foreign countries levy hefty fines against internet sites that allow customer data to be compromised.
Regardless of where an ecommerce site sells, the most important thing is for site owners to stay ahead of the problem. “A lot of retailers wait until they have a problem. They don’t realize that they need website security from the beginning. But it is better and cheaper to be proactive than reactive,” Ortega says.
As final recommendations to retailers concerned about site security, Ortega advises them to be proactive and build security into the original site. Additionally, retailers should use an automated process that allows for malware scans and removal.
Lauri Giesen is a Libertyville, Ill.-based business writer with extensive experience in covering payment and finance issues.