As a webshop owner, you need to protect both your business and your customers against the risks that go with ecommerce. If the security of your web server is breached, your trade can be seriously disrupted and long-term damage done to your reputation.
Your customers can be hit too, certainly if your webshop retains personal data and payment information, such as credit card numbers. If a hacker gets hold of details like that, there are obvious implications for your customers' privacy and finances. That's bad news for you too, because under European law the webshop owner is responsible for making sure that the information is safe, and for paying up if it is lost.
The ecommerce sector is teeming with SMEs, few of them big enough to have their own security experts. So the job of keeping data secure is usually contracted out to a hosting service provider – the company that rents out the servers on which the website runs. Legal responsibility remains with the webshop owner, however, which means that choosing the right hosting firm is very important.
But how can a webshop owner possibly know whether a hoster's security is up to scratch? The key is ISO 27001 – an international standard for information security management. ISO 27001 is effectively a comprehensive checklist of good security practices, covering people, processes and systems.
Always check whether a hosting firm you might work with is certified to ISO 27001. If it isn't, think very carefully about the implications. If the hoster is indeed certified, don't just leave it at that: ask for the audit report and look critically at its contents. What kind of physical security does the data centre have to prevent unauthorised access, for example? Would you leave your own valuables in a place with the security described?
Make sure that you know where the hoster's responsibilities end and yours begin. Webshop security depends on prompt installation of upgrades and patches for all the software that your site relies on. Your hosting service provider should be updating the server software, but what about the proprietary ecommerce software used for your site? And the password strength checker that helps customers pick good log-ins? Keeping those programs updated may well be down to you.