Frequently asked questions

Data Breach Monitoring tool

Does the DBM tool affect Google Analytics?


No.




How long does the setup usually take for the DBM tool?


On your end, it takes a few minutes. On Lokte’s end, it depends on the complexity of your site and the traffic. Usually, we can expect that it takes approximately 1 week from the time the script has been installed on your side. We have a notice period of 2 weeks from the time the order is placed.




How much does the DBM tool cost?


The cost depends on the package selected.




I use another data loss prevention product; do I need the DBM tool?


We cannot answer this question without getting a little bit more information from you. We are happy to have a quick call with you to find out the product you’re currently using, and if it makes sense to bundle it with our DBM tool or whether your product is sufficient for your needs.




The market we operate in is very small; no one is going to hack us, right?


The market size does not matter to bad actors. You’re at risk of being targeted regardless of the market size. Often, attacks are carried out automatically and many sites are targeted simultaneously through vulnerabilities in the platforms, tools, third-party software, etc., and the size of the actual business is irrelevant. Furthermore, the reputational damage from a data breach may prove to be significant regardless of the size of the business or market.




My hosting provider takes care of security for my online business; is this sufficient?


Not all hosting providers specifically monitor for customer data leaks; in fact, based on our experience, many do not. Your hosting provider most likely doesn’t have full access to your project, and therefore cannot carry out full data loss prevention. An eCommerce solution is composed of many components that change and receive updates with new versions (Magento, OS, PHP, etc.). Each new version may contain vulnerabilities that can be exploited by potential hackers. The DBM tool is an additional defence method that alerts you if your data goes anywhere unauthorised.




Magento has security patches and we patch on time; does this mean that our eCommerce solution is safe?


For M1, support ended on May 31st, 2020, which means no security support or patches are provided any longer. Sites that still run on M1 are therefore very attractive to hackers, because they know Magento no longer provides fixes for security issues in M1. Consequently, it’s especially important to bolster security on the M1 platform and ensure you are alerted to any nefarious activity on your site. For M2, patches provide fixes for known vulnerabilities; in other words, a vulnerability is known before the patch becomes available, and it is often exploited in that window. Once the patch is available but not yet installed, bad actors will try to exploit the vulnerability on the sites that are still unpatched. Often, the vulnerability has existed for some time before the patch becomes available. A patch is often the result of several breached sites, and it is there to protect against future attacks of the same nature. It does not mean that the new patch will prevent or protect against holes that have not yet been discovered.




We have a dedicated, skilled team who writes code and is responsible for our code; does this mean that we are safe from attacks?


Your site is much more than just one set of code; it’s composed of the eCommerce platform, analytical tools, operating systems, third-party modules and/or products, etc. All code, whether proprietary or not, has the same rights on a site. Therefore, if any of the components’ vulnerabilities are exploited, the site could potentially be hacked through third-party tools or systems.




If we examine our site daily, we would know if something was wrong. Do we still have a need for the DBM tool in this case?


Most of the time, there won’t be visual clues that something is wrong with the site. The site will be working as usual, but the information entered by users will be sent to destination hosts controlled by criminals.




We don't process payments ourselves; do we need the DBM tool?


You don't need to process payments yourself in order to be hacked. For example, if you have an iframe for payment processing, the real iframe may be hidden and a fake one inserted in its place. Hackers may insert a fake payment form on your site, or your users may be redirected to a site controlled by online criminals that appears identical to your payment provider’s site.




Will the DBM tool ensure my business’ compliance with data protection legislation?


No. The DBM tool is a great method to both monitor your user data flows, and demonstrate that you are actively safeguarding your user data. However, it’s vital to understand the specific laws and regulations in your country of operation, and adhere to the established mandates.




Does the DBM tool alert my team, or Lokte’s team?


When we find something unexpected, our dedicated team conducts an investigation and if a threat is found, we alert your team with the findings.




Does the DBM tool work on all eCommerce platforms?


Our DBM tool can be installed on any website, including eCommerce platforms and custom eCommerce websites. Of course, this means our DBM tool works on mainstream eCommerce platforms, such as Magento, Commercetools, Salesforce, Shopify, BigCommerce, WooCommerce and Wix. Contact us to ensure that our DBM tool will work for your website.




Does the DBM tool protect my site from all threats?


The DBM tool is specifically designed to alert on requests to an unauthorized location, which covers Magecart attacks, supply-chain attacks, formjacking and skimming. This allows you to take action immediately.
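The "requests to an unauthorized location" check described above has a standard browser-side counterpart: a Content-Security-Policy that reports violations to your own endpoint. The following is an added example, not Lokte's DBM tool code, showing how such reports can be triaged for signs of user data leaving the page; the allowlisted hosts and the sample reports are constructed for the example.

```javascript
// Added example, not Lokte's DBM tool code: triage Content-Security-Policy
// violation reports for signs of data leaving the page to an unauthorized
// host. Hostnames below are constructed for the example.

// Hosts the site is known to talk to (constructed allowlist).
const ALLOWED_HOSTS = new Set([
  "shop.example",             // the store itself
  "www.google-analytics.com", // analytics, which the DBM tool does not affect
  "pay.psp.example",          // the payment provider's iframe host
]);

// Directives through which data a user typed can leave the page.
const EXFIL_DIRECTIVES = new Set([
  "connect-src", "form-action", "img-src", "frame-src", "child-src",
]);

function hostOf(uri) {
  // Legacy reports use "inline", "eval", "data" etc. for non-network blocks;
  // those have no destination host and are not exfiltration.
  try { return new URL(uri).hostname || null; } catch (e) { return null; }
}

// Accepts both the legacy report-uri shape ({"csp-report": {...}}) and the
// Reporting API shape ({type: "csp-violation", body: {...}}).
function classifyReport(report) {
  const r = report["csp-report"] || report.body || report;
  const directive = (r["effective-directive"] || r.effectiveDirective ||
                     r["violated-directive"] || "").split(" ")[0];
  const host = hostOf(r["blocked-uri"] || r.blockedURL || "");
  if (!directive) return { verdict: "ignore", reason: "malformed report" };
  if (!host) return { verdict: "ignore", reason: "no network destination" };
  if (ALLOWED_HOSTS.has(host)) return { verdict: "ignore", reason: "allowlisted host" };
  // Unlisted host: an alert if the directive can carry user data, otherwise review.
  const verdict = EXFIL_DIRECTIVES.has(directive) ? "alert" : "review";
  return { verdict, directive, host, reason: `${directive} to unlisted host ${host}` };
}

function triage(reports) {
  return reports.map(classifyReport).filter((v) => v.verdict !== "ignore");
}

// Constructed sample reports, not real traffic.
const SAMPLE_REPORTS = [
  { "csp-report": { "violated-directive": "connect-src", "blocked-uri": "https://cdn-stats.example/collect" } },
  { "csp-report": { "violated-directive": "script-src", "blocked-uri": "inline" } },
  { type: "csp-violation", body: { effectiveDirective: "form-action", blockedURL: "https://pay.psp.example/submit" } },
  { type: "csp-violation", body: { effectiveDirective: "style-src", blockedURL: "https://fonts.example/x.css" } },
];
console.log(triage(SAMPLE_REPORTS)); // one "alert" (cdn-stats.example), one "review" (fonts.example)
```

A report for a network request to a host outside the allowlist through a data-carrying directive is the same signal a skimmer produces when it posts a checkout form to its own server; the allowlist must be kept in step with every legitimate third-party host the site uses, or genuine integrations will show up as alerts.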





Security Audit

Are your Security Audit services available for all platforms?


We currently offer our Security Audit service only for websites on the Magento platform.




How much does the Security Audit service cost?


The cost will largely depend on the scope of the project, and what you would like us to examine in your systems. The cost generally ranges from 6,000 - 10,000 EUR per project.




I have already had another company perform a security audit for me this year. Do I need another?


We cannot answer this question without getting a little bit more information from you. We are happy to have a quick call with you to find out more about your eCommerce setup, and the security audit you had performed on your system. It’s important to note that security audits are performed in different ways, and the agreed upon scope and methods used all factor into the results.




What sets apart Lokte’s Security Audit service?


Lokte’s Security Audit service is uniquely designed for the Magento platform, with a skilled team who offers over ten years of Magento experience, including building sites, hosting, and providing security.




How often should I have a Security Audit performed on my eCommerce solution?


We recommend a Security Audit annually, or following major changes, such as large updates, or project launches.




I have developers in-house; they should be able to catch anything a Security Audit would, right?


Your solution is much more than just one set of code; it’s composed of an eCommerce platform, analytical tools, operating systems, PHP, third-party modules and/or products, and more. All code, whether proprietary or not, has the same rights on a site. Therefore, if any of the components’ vulnerabilities are exploited, the site could potentially be hacked through third-party tools or systems. A security audit is much like a financial audit: your in-house team may be exceptional, but an external company specializing in finding weaknesses will ensure that no stone is left unturned and that best practices are being followed.




Will your Security Audit service ensure my compliance with data protection legislation?


While we do check major points that pertain to GDPR compliance, actual full compliance with data protection laws is much more than one security audit can deliver. Our Security Audit service is a fantastic way to protect your customers by eliminating vulnerabilities that are discovered in the audit, and to demonstrate your proactive approach to data protection. However, it’s important to understand the specific laws and regulations in your country of operation, and adhere to the established mandates.




Does your Security Audit service guarantee protection for my website?


Our Security Audit service provides you with a report of weaknesses in your eCommerce solution, and our recommendations to mitigate the risks and how to bolster your security measures. It’s up to you to implement our recommendations and to use the suggested tools on a daily basis to support security on your site.





Penetration testing

How much does your Pen Test cost?


The cost will largely depend on the scope of the project, and what you would like us to go through in your system. The cost generally ranges from 7,500 - 14,000 EUR per project.




I have already had another firm perform a pen test for me this year. Do I need another?


We cannot answer this question without getting a little bit more information from you. We are happy to have a quick call with you to find out more about your eCommerce setup, and the penetration test you had performed on your system. Different providers perform pen tests using their own unique methods, and the scope of the project is essential to answering this question.




What makes Lokte’s pen test special?


Our testers are well acquainted with a diverse range of eCommerce platforms and keep up with current trends in online threats. They simulate the various ways bad actors could gain access to your systems, and put your current security setup to the test (literally).




How often should I have a pen test performed on my eCommerce solution?


We recommend conducting a pen test annually at a minimum. Penetration testing shouldn’t be a one-time effort; rather, it should be part of an established protocol of ongoing vigilance that keeps your business safe through various types of security testing. Security patch updates or new components used in a company website could expose security risks that leave the door open for bad actors. That’s why scheduling regular penetration tests to uncover new security weaknesses helps you stay ahead of hackers who will try to exploit your system’s vulnerabilities.




I have skilled developers who write my code and check my systems daily. They should be able to catch anything a pen test would, right?


Your solution is much more than just one set of code; it’s composed of an eCommerce platform, analytical tools, operating systems, PHP, third-party modules and/or products, and more. All code, whether proprietary or not, has the same rights on a site. Therefore, if any of the components’ vulnerabilities are exploited, the site could potentially be hacked through third-party tools or systems. If a project uses a combination of separate tools for operations and security, those tools may well have different security mechanisms. Combining the tools and mechanisms can open up vulnerabilities that are not obvious, and the teams may not be aware of such issues.




Will your pen test ensure my compliance with data protection legislation?


No. Our Penetration Testing service allows you to test your current security setup with simulated attacks that mirror the actions of bad actors. Our comprehensive report then offers guidance and recommendations, which allows you to take the necessary steps to bolster your security. While a penetration test may be required in some countries, it’s essential to familiarise yourself with the specific laws and regulations in your country of operation, and adhere to the established mandates.




Is your pen test available for any eCommerce platform?


Yes.




Does your pen test guarantee protection for my website?


Our Penetration Testing service helps you understand the effectiveness of your current security setup, and ways that you can strengthen your protective efforts.