Since the rise of the Internet, businesses have been forced to continually shift their strategies to effectively compete in the digital marketplace. From on-demand to subscription-based offerings, all digital business models centre on the use of various technologies to improve operational efficiency and the customer experience, thereby enhancing their overall value. But while digital-first strategies are proving to be beneficial across all business sectors, it is e-commerce that stands out as one of the most widely used models available. This was especially true in 2020, as many shifted to online shopping as a result of the Covid-19 pandemic. In fact, it is predicted that global B2C e-commerce sales will reach $4.5 trillion by 2021.
Digital business models such as e-commerce have become a critical component of the global economy, but they do not come without their own set of risks. As organisations rush to digitise, cybersecurity is often left out of the equation for the sake of saving time and initial costs. However, when security is not weaved into the framework of a digital strategy, organisations may end up losing the resources that they had initially fought to save. This fact alone should be of concern for any digital business, especially those in the e-commerce space.
A rise in online shopping has led to increased web traffic, something cybercriminals have been all too quick to exploit. And in 2020, this issue only grew more significant, further impacting the security of e-commerce sites. Between September and October alone, the FortiGuard Labs team saw a 140% increase in attempted attacks targeting this space. With the knowledge that more people are shopping online now than ever before, cyber criminals have taken advantage of the increase in virtual queues and slow web processing times.
With digital transformation comes the expansion of the threat landscape, presenting various opportunities for cybercriminals to target unsuspecting individuals. One strategy that threat actors have adopted is placing ads or links on trusted websites to lead shoppers away from their secure browsing experience, usually with the promise of a great deal. Upon arriving at the fraudulent site, shoppers will be directed to enter access credentials, including a username and password, that a cybercriminal can then use on the real website to steal personal information.
Through the deployment of phishing, malware, and man-in-the-middle attacks, and by leveraging Rogue Access Points, APs, cybercriminals can further their attempts to exploit wireless or proxy servers. Often, the goal here is to gain access to payment card information that can be used to fund other efforts. And while cyberthreats such as these are unfortunately common across digital businesses in general, the lack of security measures across many e-commerce sites is particularly concerning considering the large portion of the public that shops online without understanding the potential risks.
The e-commerce space is extremely profitable, which is exactly why cybercriminals target these types of businesses. They rely on the fact that most individuals do not ask themselves, “How do I know if this online shopping site is safe?” For this reason, it is up to the business to implement strategies that will enable secure transactions from behind the scenes, stopping threat actors in their tracks before they can even reach customers. Below are just a few ways in which this can be accomplished:
Meeting compliance standards is one of the most basic, yet critically important, ways that e-commerce sites can protect their customers. By taking certain steps, businesses can ensure they have laid a partial framework for combatting cyberthreats, this often means not storing more data than is necessary. Major cybersecurity-related regulations that e-commerce sites should comply with include: Payment Card Industry Data Security Standard, PCI-DSS, General Data Protection Regulation, GDPR, California Consumer Privacy Act, CCPA and International Organisation for Standardisation, ISO.
Unsurprisingly, outdated security is a top reason for repeated attacks. This often comes with basic misconfigurations on storage buckets and public cloud computing access systems, resulting in vulnerabilities that can be easily exploited. And while this is undoubtedly an issue across all types of digital businesses, having up-to-date infrastructure within e-commerce is especially critical due to the complexity of these sites. In some scenarios, this could be as simple as upgrading a plug-in, but in other cases, entire systems and websites may have to be updated to effectively manage vulnerabilities. In other words, there is not a one-size-fits-all solution, and requirements will vary on a case-by-case basis.
Both e-commerce sites and digital businesses in general should require customers to create passwords that cannot be easily guessed by cybercriminals. While this can come in the form of general recommendations i.e., discouraging the inclusion of phone numbers or birthdays, it can also mean rejecting certain passwords altogether. To be effective in their security goals, websites should require passwords that contain at a minimum 8 characters, including a combination of numbers, symbols, and uppercase and lowercase letters. Further, it is recommended that users leverage random word combinations, the revised passphrase method, or transform sentences into a password, the Bruce Schneier method. Above all, remember that length and obscurity is key.
Maintain updated certificates
While maintaining an updated SSL or TLS certificate is essentially table-stakes for e-commerce merchants due to PCI and other industry regulations, it is critical nonetheless and doing so allows businesses to realise a number of benefits. From a security standpoint, they help ensure their websites can stand up to cyberthreats, exploits, and website misuse while also keeping customer data secure by enforcing end-to-end encryption of data. From a reputational standpoint, the inclusion of HTTPS at the beginning of their page URL creates a sense of trustworthiness that will help customers feel more confident in the security of their digital experience. From a business standpoint, HTTPS allows for use of more powerful web platform features and API integrations that require permissions to execute such as Geolocation services.
While these strategies are all crucial to the security of digital businesses, each one cannot stand on its own. Instead, security teams must weave a framework of tactics such as these to deliver the highest level of protection to keep their organisations and their customers secure.
Digital transformation continues to change the way we do business, as well as what customers have come to expect. This is especially true across the e-commerce space. With more of the public shopping online now than ever before, businesses must ensure their websites can handle this influx of traffic, both from a performance and security standpoint. While there is no single foolproof way to manage e-commerce site security, businesses that take care to consider the basics when working to protect their customers set themselves up for success versus those that look to cut corners.
By Courtney Radke, Retail CISO at Fortinet