Cyber security is a hot topic when it comes to eCommerce and brand safety. In recent times, Dixons Carphone admitted to a huge data breach involving 5.9 million payment cards and 1.2 million personal data records, while Uber concealed an attack back in 2016, hiding a hack that affected 57 million customers and drivers.
Even Yahoo UK came under fire in 2014 when half a million British users' data was exposed to Russian hackers.
The Drum spoke to UKFast chief executive officer Lawrence Jones on how brands can win back customer trust following a breach, how best to understand cyber challenges and what to do when your business faces an attack.
How do you win back customer trust after a breach?
A data breach can of course be incredibly damaging for a business. Being seen to be proactive in your response is absolutely essential to manage the fallout. It’s important to be as honest as possible with your customers and the public, and to communicate what has happened while understanding the hassle and risks posed by a breach for your clients and stakeholders. The fact that you’ve had a breach alone won’t destroy your business, but a poorly handled breach and failing to learn lessons might.
Showing that you take cybersecurity seriously is essential, so it may be a good idea to take on some additional certifications, like Cyber Essentials or Cyber Essentials Plus, to show your customers you take the security of their data seriously. All eCommerce businesses need some form of Payment Card Industry Data Security Standard (PCI DSS) compliance, so work with a hosting provider that offers PCI compliant hosting and can support you in your journey through security and compliance.
We’re in an ever-changing landscape and as soon as the industry secures itself against one thing, something else comes along. Staying secure in the modern online world is no mean feat, but working with supportive providers for hosting and cyber security can certainly help you along the way.
What are the major cyber risks to eCommerce businesses?
We work with thousands of eCommerce businesses at UKFast and know that the key to being safe online comes in understanding the platforms you’re using and how to secure them. For example, we’ve seen firms using cPanel, WordPress and Magento without understanding secure development processes, which leaves them open to exploitations in the code layer or structured query language (SQL) injections.
We’re also seeing a rise in distributed denial-of-service (DDoS) attacks. Not a day goes by that we don’t experience at least one attack somewhere on our network. These attacks flood your site with thousands of fake requests until it goes offline. Unfortunately, this is one type of attack used by businesses to knock their competitors offline, particularly during peak shopping periods like Black Friday and the Boxing Day sales.
Alongside these, attempts to deliver malware through phishing attacks are a constant in the online world.
What can they do about it?
The absolute foundation of cyber security is the humble password. There is no point in having all of the latest protection in place if your password is 1234. Strong, long, complex passwords are the very foundation of protecting your online business.
Equally, it sounds obvious but ensuring that you install patches as and when they’re released is an absolute baseline of cyber security. All open source platforms offering plugins publish lists of verified plugins that have been reviewed and approved, giving you that extra level of reassurance.
Next, another baseline, expected measure: SSL certificates. To put it simply, customers will go elsewhere if your site isn’t secure; the green taskbar shows them in an instant that you’re a serious business who’ll protect their data.
On top of this comes the technology. Many risks are mitigated with careful management and monitoring of your IT infrastructure. Reviewing your server, the applications running on it and any plugins used should be done on a monthly basis as a bare minimum – how can you be secure if you don’t know what you’re securing? Any good hosting provider can help you with threat monitoring and threat response to ensure that you know what’s happening with your solution and how to mitigate any issues.
If you’re concerned about DDoS attacks and simply can’t afford to have downtime, this is where a DDoS mitigation tool comes in.
Smart operators are also investing in checking their systems and double checking their work. Ethical hackers, or penetration testers, use the same methods as cybercriminals to look for ways to break into your online presence to steal data or cause harm. Flagging these security holes with you, they’re able to secure any gaps before malicious hackers can use them.
Is it possible to plan ahead for a data breach?
We should see data breaches as a case of ‘when’ rather than ‘if’. Much like we have car and home insurance, we assume something is going to happen and plan accordingly. Cyber-readiness should be treated as critically as a fire drill. There are far too many different scenarios to cover everything, but you should plan for the worst and ensure that everyone in your business understands their roles and responsibilities in the event of a breach.
What can be done to reduce the impact of a data breach, if one happens?
Your hosting provider or cyber security support is able to help you here. In the case of a breach, you might in the first instance consider: turning off access to your site while you investigate what’s happened; resetting all user accounts and passwords for your sysadmins, who have the ability to access the back-end infrastructure; and restricting site functionality, such as stopping people paying for items if you’ve had a breach of credit card data, for example.
UKFast are headline sponsors of The Drum Awards for the Digital Industries (the DADIs). The finalists have been revealed and you can now purchase tickets for the event, which will take place on 10 October at the London Marriott Hotel Grosvenor Square.