Your phone, tablet, and computer all get frequent software updates. How often is your Magento web host updating the software running on your servers? If your answer isn’t a definitive “As often as needed!”, then pull up a chair. You can’t afford to neglect the security of your eCommerce business. You’ve been putting off this conversation, but it’s time that you learned a few important details about updating software like PHP.
First, let’s dispel a common misperception. Hackers don’t care how big your website is, or what you sell. They scour the internet looking for easy targets.
If you aren’t patching your hosting environment, you’re the easy target they’re looking for.
Having a hosting provider that advertises Magento Hosting is no guarantee that your hosting environment is being properly updated. Many publicly-traded web hosts are notorious for advertising that their hosting supports popular software platforms like Magento. However, they don’t provide proper management and security of those environments. This became extremely apparent after a September 2020 cyberattack on 2000+ Magento stores, called CardBleed:
Top-ISPs for these 2735 hacked Magento 1 stores. Conclusion: a Cloudflare WAF or a certain premium Magento hosting company did not prevent this malware attack. https://t.co/WLzj2kvx8c pic.twitter.com/dKGPZZ55yF
— gwillem (@gwillem) September 16, 2020
Just having good infrastructure is not enough. You need dependable maintenance too. When there’s a patch, you need a team that’s going to work with you to roll out updates and ensure that your site is loading perfectly. Equally important, you need a managed solution that looks at firewalling, intrusion detection, malware scanning, and off-server backups. You also need hosting experts to ensure that you’re following other security best practices.
Don’t Be a Statistic…
How many sites are out-of-date? In November 2019, security experts estimated that only 9% of Magento site owners worldwide were running an updated version of PHP. If you haven’t been working with your web developers to make sure that your site is compatible with a new version, chances are that you’re running outdated and unsupported software in your hosting account.
— Sansec (@sansecio) November 13, 2019
…Because People Are Counting On You
Now, you may be thinking “So what, sites get hacked all the time!” If so, shame. Shame upon you! …but you weren’t really thinking that. You know that your customers, co-workers, and vendors deserve better than dealing with the fallout of your site getting hacked. A hacked site can lead to a loss of business, long-term damage to your brand, expensive forensic audits, investigations, and assessments.
Of course, if you leave your site vulnerable to attack while accepting credit and debit cards, things can get even worse. When you run an eCommerce site, PCI Compliant Web Hosting is a mandatory check-box to secure your site from known threats. Things get dicey when you’re not maintaining your website and hosting, as that means that you’re not addressing PCI Compliance standards, potentially increasing your risk of litigation. The Payment Card Industry (PCI) has set up these standards to ensure that everyone involved in using and accepting credit cards remains safe, and by accepting payment cards, you’re expected to play by the rules.
What’s the worst that can happen if you’re not PCI compliant?
It’s a bit like cheating on your taxes. You can hope that no one will find out, but is it really worth it? In the case of not being PCI Compliant, you can be forced to pay higher processing rates, extra fees, and your merchant processor may require a security deposit since you’re a high risk. Your merchant services payment processing account may even be canceled altogether.
What happens if you’re not PCI compliant and you have a data breach?
Ouch. You’re risking heavy fines for every credit and debit card that was stolen, and even the loss of ability to accept payment cards in the future. Visa, Mastercard, American Express, and the rest of the payment card industry consider this to be a form of negligence, so the payment card industry gets to hold you responsible. They don’t want to deal with notifying cardholders and cards being re-issued, or worse yet, cardholders charging back fraudulent orders made once their credit card data was stolen. They expect you to operate responsibly. In some cases, you may also find yourself subject to various legal costs, settlements, and judgments.
But, do breaches really impact businesses like yours?
According to a 2020 IBM Security report, the average share of data breach costs incurred more than a year after the data breach is 39%. In other words, the fallout of a data breach can sting for a long time.
Perhaps more disturbingly, a 2020 payment security report from Verizon Business found that PCI-DSS compliance is down 27.5% from 2016 figures. Verizon has suggested that businesses are struggling to retain qualified security experts, and are coming up short on long-term planning. This makes it all the more dangerous to go it alone.
Have you fallen behind in security for your Magento store?
If the answer to that question isn’t a definitive “NO!”, then it’s time for a Magento Security Check.