Cybersecurity in e-commerce

July 20, 2022

The e-commerce market has grown rapidly in recent years, largely as a result of the restrictions placed on brick-and-mortar retail during the COVID pandemic. As e-commerce has become more popular, it has attracted the attention of cybercriminals, and cybercrime figures worldwide have grown at an alarming rate. For example, in 2021, in Mexico alone, online payment fraud increased by more than 75% compared to the pre-pandemic period. Although the most talked-about attacks are those targeting the largest players in the market, this does not at all mean that smaller ones can feel safe.


External threats

Today’s attack vectors increasingly come through the software supply chain, which makes it much harder for enterprises and organizations to apply traditional countermeasures. Stronger security for the applications used inside an organization has the advantage that using the systems does not become any more burdensome for staff, while it forces attackers to refine their techniques to get past it. The good news is that the latest tools on the market go beyond the basic threats identified by the non-profit Open Web Application Security Project (OWASP) foundation.

A DoS or DDoS attack is a low-cost, effective method of attacking an organization that aims to compromise the availability of a store for its customers. Such an attack need not lead to any data leakage at all (although it can indirectly). The result is an outflow of customers who are unable to buy at a given time and therefore turn their attention to competitors. To defend against this, we created TAMA.


Where to get the appropriate security knowledge?

There are many sources available, and the very text you are reading is one of them! That is also why it is so important to maintain connections with external cybersecurity specialists, and EXATEL S.A. is one of them. We share our knowledge with you.

Other ways to get guidance on how to proceed are international standards: those that define the rules for building information security management systems (the ISO 2700x family of standards) and those for maintaining business continuity (ISO 22301). Although implementing a standard, certifying for compliance and maintaining it is a high cost for the organization, you should not be discouraged from adopting and using the good practices contained in them. One such practice is to limit employees’ access to the minimum level required. The person changing the prices on the storefront does not need administrative credentials to do so, and if they quit their job, they no longer need any access to your internal systems. Hence, it is important to keep control over assigned access rights, monitor them continuously and respond effectively to the changes taking place within the organization.
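The two rules in the paragraph above (nobody holds more than their role needs, nobody who has left keeps any access) are easy to turn into a periodic access review. The script below is an added illustration written for this article, not EXATEL’s or TAMA’s code; the role model, permission names and staff accounts are constructed sample data.

```python
"""Periodic access review for an e-commerce back office.

Added illustration (not EXATEL's code). Two least-privilege checks:
  1. an account holds no permission its role does not justify;
  2. an account of someone who has left the company holds no permission at all.
Roles, permission names and accounts below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Assumed role model for a web shop: what each role legitimately needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "pricing_editor": {"catalog:read", "catalog:write_prices"},
    "support_agent": {"orders:read", "customers:read"},
    "shop_admin": {"catalog:read", "catalog:write_prices", "orders:read",
                   "customers:read", "customers:export", "users:manage"},
}


@dataclass
class Account:
    username: str
    role: str
    permissions: Set[str]
    left_company: Optional[date] = None  # None while still employed


def excess_permissions(account: Account) -> Set[str]:
    """Permissions the account holds that its role does not justify."""
    allowed = ROLE_PERMISSIONS.get(account.role, set())
    return account.permissions - allowed


def review_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {username: [findings]} for every account that breaks a rule."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = []
        if acct.left_company is not None and acct.left_company <= today and acct.permissions:
            issues.append(f"left on {acct.left_company.isoformat()} but still holds "
                          f"{len(acct.permissions)} permission(s)")
        excess = excess_permissions(acct)
        if excess:
            issues.append(f"permissions beyond role '{acct.role}': "
                          + ", ".join(sorted(excess)))
        if issues:
            findings[acct.username] = issues
    return findings


# Constructed sample accounts.
SAMPLE_ACCOUNTS = [
    Account("anna", "pricing_editor", {"catalog:read", "catalog:write_prices"}),
    # Price editor who was also handed admin rights "to make things easier".
    Account("marek", "pricing_editor",
            {"catalog:read", "catalog:write_prices", "users:manage", "customers:export"}),
    # Support agent who quit, but whose account was never disabled.
    Account("ola", "support_agent", {"orders:read", "customers:read"},
            left_company=date(2022, 5, 31)),
    Account("root-admin", "shop_admin", set(ROLE_PERMISSIONS["shop_admin"])),
]
REVIEW_DATE = date(2022, 7, 20)  # constructed review date

if __name__ == "__main__":
    for user, issues in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

Run against the sample data, the review flags only marek (two permissions beyond the pricing role) and ola (left the company but still holds two permissions); anna and the admin pass. In practice the account list would be exported from the shop’s user management and the review run on a schedule, with every finding turned into a ticket to revoke the access.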


Internal threats

Life would be easy if threats came only from the outside, but e-commerce is also threatened from within. This is often due to the greed of store owners, who gather very extensive information about their customers, track their every move and then, on the basis of the collected data, build accurate profiles of their users. Under European law, holding such a database is subject to provisions that require the data controller to collect consents permitting the possession of that information.

Now let’s take a look at such a database which, despite the ‘anonymity’ of the people in it, can easily be deanonymized if it includes information such as the user’s location at night (home? or maybe a hotel?) and during the day (work?) and the location of a local store, combined with CCTV footage and payment card transactions from the same period. This essentially amounts to a police-style investigation. Nor is such a scenario an abstraction, as shown by the recent example of a Canadian chain that was ordered to delete some of its data by its local equivalent of a data protection authority (DPA). For a potential hacker, such a database is a golden goose, quite literally, because it is not difficult to imagine it being used, for example, for ‘pulling hooks’ on dishonest spouses.

This is exactly why data controllers should conduct a risk analysis, on the basis of which they can determine what data is actually necessary to run the business and what the consequences of its loss or disclosure might be. Otherwise a company can, in this simple way, lose the trust of its customers and expose itself to the high costs of lawsuits brought by angry customers filing class actions. This has happened more than once in history.
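The risk analysis the paragraph calls for can be made concrete with a simple k-anonymity count: for each combination of the ‘harmless’ columns (night location, daytime location, local store), how many pseudonymous records share it? A record whose combination is unique in the dataset is, in effect, already identified for anyone who knows those three facts about a person. The script below is an added illustration written for this article, not EXATEL’s code; the district names, store ids and records are constructed sample data, and the “minimised” column set assumes the business can operate without the night-time location.

```python
"""Re-identification risk check for a pseudonymised customer dataset.

Added illustration (not EXATEL's code). Names have been replaced by a
pseudonym, but the remaining columns are the quasi-identifiers named in the
article: where the customer is at night, where they are by day and which
local store they use. k is the size of the smallest group of records that
share the same combination; k == 1 means a record is unique, so it can be
linked to a person by anyone who knows those facts about them.
All records below are constructed sample data.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

RECORDS: List[Dict[str, str]] = [
    {"pseudonym": "u001", "night_area": "Mokotow", "day_area": "Wola", "store": "store-12"},
    {"pseudonym": "u002", "night_area": "Mokotow", "day_area": "Wola", "store": "store-12"},
    {"pseudonym": "u003", "night_area": "Mokotow", "day_area": "Wola", "store": "store-12"},
    # The only customer who sleeps in Ursynow and works in Srodmiescie: unique.
    {"pseudonym": "u004", "night_area": "Ursynow", "day_area": "Srodmiescie", "store": "store-07"},
    {"pseudonym": "u005", "night_area": "Praga", "day_area": "Srodmiescie", "store": "store-07"},
    {"pseudonym": "u006", "night_area": "Praga", "day_area": "Srodmiescie", "store": "store-07"},
]

# Columns kept as collected, and a minimised set with the night location dropped
# (assumed here to be unnecessary for running the shop).
FULL: Tuple[str, ...] = ("night_area", "day_area", "store")
MINIMISED: Tuple[str, ...] = ("day_area", "store")


def _group_sizes(records: Sequence[Dict[str, str]], quasi_ids: Sequence[str]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records: Sequence[Dict[str, str]], quasi_ids: Sequence[str]) -> int:
    """Smallest group size: the dataset is k-anonymous for this value of k."""
    return min(_group_sizes(records, quasi_ids).values())


def unique_pseudonyms(records: Sequence[Dict[str, str]], quasi_ids: Sequence[str]) -> List[str]:
    """Pseudonyms whose combination occurs exactly once (k == 1): re-identifiable."""
    sizes = _group_sizes(records, quasi_ids)
    return [r["pseudonym"] for r in records if sizes[tuple(r[q] for q in quasi_ids)] == 1]


def risk_report(records: Sequence[Dict[str, str]], quasi_ids: Sequence[str]) -> Dict[str, object]:
    """Summarise the re-identification risk of retaining a given set of columns."""
    return {
        "columns": list(quasi_ids),
        "k": k_anonymity(records, quasi_ids),
        "unique_records": unique_pseudonyms(records, quasi_ids),
    }


if __name__ == "__main__":
    for columns in (FULL, MINIMISED):
        report = risk_report(RECORDS, columns)
        print(f"{'+'.join(columns)}: k={report['k']}, unique={report['unique_records']}")
```

With all three columns retained the sample dataset is only 1-anonymous (u004 stands alone); dropping the night-time location makes it 3-anonymous with no unique record. That is the practical outcome of the analysis the paragraph describes: deciding which columns the business truly needs, and not storing the rest, shrinks the damage a leak of the remaining data can do.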


How to defend against it?

If threats await us at every step, how do we defend against them, and what should we do to ensure, firstly, the security of the organization, secondly, the boss’s peaceful sleep, and finally, most importantly, the security of customers’ data?

A solid foundation of internal systems and processes designed to address critical security issues is the best way to mitigate risk, protect customer data and minimize the potential losses resulting from cybercrime. At the same time, it builds the customers’ confidence in the organization.

How to do it? The first step should be a precise definition of what data we hold, why we collect it and what might happen if we lose it. Often it becomes apparent at this stage that the scope of the collected data can do the company more harm than good – especially if it is poorly protected.

What does it mean that data is poorly protected? Until someone from outside checks the security measures implemented in the organization, it should be assumed that they are not strong enough. To determine how effective the security measures are, penetration tests must be conducted by a selected third party. Based on the report received from the third-party testers, the company should introduce the missing measures, harden the existing solutions and then repeat the assessment.


Conclusion

Is this the moment to finally announce ‘I already have a super secure store’? Unfortunately, no. This is just the first step on the road to security. Cybersecurity is a continuous, ongoing process, a constant arms race between attackers and defenders. That is why it is so important to manage the life cycle of the solutions used in the organization. Technology has a way of aging quickly, but it is possible to extend its life cycle and to maintain, or even raise, the level of security by updating the software on which the solutions run. Eventually, however, every solution ceases to be supported and is replaced by newer ones, and the role of the service administrator is to keep an eye on the situation and react in advance. Even the most secure solution introduced a year ago is no longer effective if it has not been updated.

Therefore, it is worthwhile to expand your knowledge in the field of cybersecurity, to draw on the help of professionals and to introduce new, proven solutions on a regular basis, so that you can rest assured.


Published by: Katarzyna Chojecka