The Holiday Season Website Security Checklist


With 95% of cybersecurity breaches reportedly being caused by human error, e-commerce website owners have their work cut out trying to keep thieves at bay at any time of the year, but in the weeks between Black Friday and Christmas, the risk of a breach shoots up as online sales surge (to a projected $194 billion worldwide).

When business gets this busy (and when employees have a little too much holiday cheer), social engineering attacks become much more effective. It only takes one team member to drop their guard and open a fake Merry Christmas email for attackers to gain a foothold. Its payload of compromised links or infected attachments is then free to introduce malware into the system, such as a Magecart web skimmer that can lift customer payment details from checkout pages.

Around 36% of all data breaches in 2022 involved phishing, probably because the attackers know that over 70% of victims will click on phishing emails. With that kind of success, it’s not hard to see why more than 48% of the emails sent in 2022 were spam.

The average annual cost of phishing attacks in 2021 was estimated at $14.8 million. With that in mind, here are the things that your business needs to do this holiday season to stop attackers from ‘going shopping’ with your customers’ payment card details.

1. Regular Cybersecurity Training

As we’ve already suggested, the human element is often the weakest link in any security posture. Attackers only need to get lucky once, but employees must be vigilant always. Since 91% of cyberattacks start with phishing emails, it’s important to set up an ongoing education program to help staff respond correctly. You can then use regular penetration testing to ensure that everyone’s got the message—send fake phishing emails to measure how well your human firewall is working and to identify which employees may need more training.


2. Due Diligence

Speaking of employees, be sure to perform background checks on any new hires for the holiday season. Also, ensure that each employee can only access data that’s necessary for their role and level of responsibility. The fewer people with access to critical data, the better.

3. Maintain Password Hygiene

Keep these tips in mind:

· Change passwords often and don’t use the same one twice
· Use a mix of letters, numbers, and symbols
· Don’t share passwords
· Don’t write passwords down
· Use a password manager
· Regularly change your Wi-Fi network password
· Don’t let your employees use your company’s devices on public, unsecured Wi-Fi networks

4. Keep Your Software Up to Date

Keeping your software, including your CMS, plugins, and all other software components up to date is fundamental to protecting your site against Magecart attacks. Magecart hackers often exploit the vulnerabilities in outdated software to inject their malicious code into your website. Therefore, updating your software regularly can ensure that there are no weak points in your system that hackers can exploit.

5. Use a Secure Hosting Provider

Choose a hosting service that provides a high level of security to protect your website against cyber threats. Look for a hosting provider that offers SSL/TLS certificates, DDoS protection, and backups, along with monitoring tools to keep your website safe and secure. And on the subject of backups, it’s worth remembering that regular data backups of your e-commerce site can be a lifesaver if you lose everything to a ransomware attack.

6. Implement Strong Authentication Protocols

Customers often reuse weak passwords across multiple accounts. To ensure their account with your e-commerce business isn’t the one that gets compromised, encourage them to use two-factor authentication via email or SMS, which helps to prove that they are who they say they are.


7. Use a Web Application Firewall (WAF)

Critical vulnerabilities take an average of 184 days to fix. A Web Application Firewall (WAF) (aka Layer 7 firewall) can virtually patch application weaknesses while it monitors and filters traffic. It can stop attacks that use cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection without changing the application’s code. Implementing a WAF adds an extra layer of protection between your website and cyber threats. A WAF can identify and prevent malicious attacks, including Magecart web skimming, and you can also use Content Security Policy (CSP) headers to restrict the sources from which your pages may load scripts and other content, prevent injection of malicious code, and prevent attacks by third-party intermediaries.
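The CSP point deserves a concrete check, because a policy that exists but is too permissive gives no protection against an injected skimmer. The following is an added example, not code from the article or from Reflectiz: a small linter that parses a Content-Security-Policy header value and reports the weaknesses a skimmer would rely on (a wildcard or 'unsafe-inline' in script-src, an unrestricted connect-src that lets data leave the page, a missing form-action). The two header strings and the hostnames in them are constructed for illustration.

```javascript
// Added example: lint a Content-Security-Policy header for a checkout page.
// Not part of the original article or any vendor product; all header values below are constructed.

// Parse a CSP header value into a Map of directive name -> array of source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Fetch directives such as script-src and connect-src fall back to default-src when absent.
// Returns null when neither is present, i.e. the browser applies no restriction at all.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Source expressions that allow whole schemes or every host.
const BROAD_SOURCES = new Set(['*', 'https:', 'http:', 'data:', 'blob:']);

// Return human-readable findings describing why this policy would not stop a skimmer
// from loading on the page or sending captured data elsewhere. Empty array = no findings.
function assessCsp(header) {
  const policy = parseCsp(header);
  const findings = [];

  const scripts = effectiveSources(policy, 'script-src');
  if (scripts === null) {
    findings.push('no script-src or default-src: scripts from any origin are allowed');
  } else {
    for (const src of scripts) {
      const s = src.toLowerCase();
      if (s === "'unsafe-inline'") findings.push("script-src allows 'unsafe-inline': injected inline script would run");
      if (s === "'unsafe-eval'") findings.push("script-src allows 'unsafe-eval': obfuscated code can be evaluated at runtime");
      if (BROAD_SOURCES.has(s)) findings.push(`script-src contains broad source ${src}: scripts from any host on that scheme are allowed`);
      if (s.startsWith('http://')) findings.push(`script-src allows plaintext origin ${src}: content can be altered in transit`);
    }
  }

  const connects = effectiveSources(policy, 'connect-src');
  if (connects === null) {
    findings.push('no connect-src or default-src: fetch/XHR/beacon to any host is allowed, so exfiltration is unrestricted');
  } else if (connects.some((src) => BROAD_SOURCES.has(src.toLowerCase()))) {
    findings.push('connect-src contains a wildcard or scheme-wide source: exfiltration to arbitrary hosts is allowed');
  }

  // form-action does NOT fall back to default-src; without it a form can be submitted anywhere.
  if (!policy.has('form-action')) findings.push('no form-action: forms may be submitted to any origin');

  if (!policy.has('report-uri') && !policy.has('report-to')) {
    findings.push('no report-uri/report-to: violations are blocked silently and never reach your team');
  }
  return findings;
}

// Constructed example policies: a permissive one and a hardened one for the same checkout page.
const WEAK_CSP = "default-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'";
const HARDENED_CSP = "default-src 'self'; script-src 'self' https://js.example-psp.test; " +
  "connect-src 'self' https://api.example-psp.test; form-action 'self'; frame-ancestors 'none'; report-to csp-endpoint";

console.log('weak policy findings:', assessCsp(WEAK_CSP));
console.log('hardened policy findings:', assessCsp(HARDENED_CSP));
```

The hardened header names the payment provider's script and API origins explicitly instead of a scheme-wide allowance; that is what lets the browser block a skimmer loaded from, or reporting to, a host you never approved. The linter deliberately treats a missing form-action as a finding because, unlike the fetch directives, it does not inherit from default-src.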

Having said that, in some sophisticated attacks involving third-party dependencies, a WAF will not be enough and the attackers can cleverly bypass it. That’s where a remote advanced monitoring solution can truly help maintain watertight security.

8. Remote Security Tools

Third-party malware attacks can often be invisible to traditional embedded security solutions like a WAF. That’s why a remote solution like Reflectiz is an important addition to the list. It first maps all of the assets within your digital ecosystem and establishes a baseline for behaviors and activity. Then, with continuous monitoring, it can detect the malicious changes that threat actors like Magecart use to harvest payment details and other sensitive data from e-commerce checkout pages.

Reflectiz prevents keylogging and exfiltration of data to malicious domains, tracks changes, prioritizes issues, and activates alerts, but all of this power is packaged in a user-friendly interface that even non-technical staff can get to grips with quickly. With comprehensive visibility over your entire digital landscape, it’s possible to react fast to any suspicious activity and shut it down before the damage is done.


With the holiday season just around the corner, now is the time to prepare your e-commerce website for the influx of visitors and ensure that their sensitive information is protected from Magecart web-skimming attacks.

Remember to keep your software up to date, use a secure hosting provider, implement strong authentication protocols, educate your employees on cybersecurity and password use, give them access to data and resources only on a need-to-know basis, use a web application firewall, and implement a remote continuous monitoring solution for third-party protection. By taking these measures, you can keep your business and your customers safe from Magecart attacks and many other cybersecurity threats. And of course, if you invest in a remote solution like Reflectiz you’ll gain comprehensive protection and visibility over your entire digital ecosystem.
