The outbreak served as a catalyst for e-commerce and payment businesses. But every device and application used is a potential gateway for cybercrime. With e-commerce sites becoming attractive targets for hackers, Faouzi Kassab of BlueSnap outlines six key steps to mitigate threats if you’re setting up shop or are rethinking security at a mature company that is pivoting to e-commerce.
Any business that accepts online payments is a prime target for cybercriminals. Attackers make money by stealing and selling customer data and payment card information that passes through e-commerce systems. Their targets not only include financial institutions but also range from retailers and marketplaces to independent software vendors (ISVs), healthcare organizations, and gaming platforms. Researchers at Cybercrime Magazine estimate that the global cost of cybercrime will grow to $6 trillion by 2021.
If your organization transacts online, it’s a target. You’re in the e-commerce and payment business, whether you identify that way or not. Every line of code your team writes, every device added to your network, and every unwary employee represents an opportunity to cybercriminals. If you’re growing a new company or rethinking security at a mature company that is pivoting to e-commerce, what can you do to mitigate the threats?
Here are six best practices that will help your e-commerce business stay ahead in the cybersecurity game.
1. Build Cybersecurity Into Your Culture and Employee Training
Most cybercriminals trick employees into providing usernames and passwords that enable them to penetrate the system. These social engineering attacks primarily come through phishing emails but may target your call centers as well. Therefore, the first and most important cybersecurity measure is to educate employees and build a security-minded culture.
Cybersecurity education should start during new employee orientation and include regular refreshers and updates. Topics could include:
- What is a phishing email?
- How do you check a URL before accidentally clicking a phishing link?
- How do you tell when someone appearing to be a coworker is emailing from an outside account?
- Why is it important to have a clean desk policy, leaving no papers on unattended desks?
- Why do you need to vet and accompany visitors to your office?
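As an added illustration of the URL and outside-account checks in the list above (example code, not part of the original article), this script triages one raw email for the warning signs a trained employee would look for: a coworker's name on mail from a foreign domain, a look-alike sender domain, a Reply-To that diverts replies elsewhere, and link text that does not match the link target. The company domain, staff names and sample message are all constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed values: the company's own mail domain and a few staff names.
INTERNAL_DOMAINS = {"example-shop.com"}
STAFF_NAMES = {"alice martin", "bob lee"}
# Constructed sample message that shows all four warning signs at once.
SAMPLE = ("From: Alice Martin <alice.martin@examp1e-shop.com>\nReply-To: accounts@mail-drop.test\n"
          "To: bob.lee@example-shop.com\nSubject: Urgent: update payroll details\nContent-Type: text/html\n\n"
          '<p>Sign in at <a href="http://examp1e-shop.com.login-check.test/">https://portal.example-shop.com/</a></p>\n')

def domain_of(header_value):
    # Lowercase domain of an address header such as From or Reply-To ('' if absent).
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
def edit_distance(a, b):
    # Levenshtein distance: a domain one or two edits from ours (examp1e-shop.com) is a look-alike.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def phishing_flags(raw_message, internal=INTERNAL_DOMAINS, staff=STAFF_NAMES):
    # Returns the list of warning signs found in one raw RFC 822 message (empty list = none).
    msg = message_from_string(raw_message)
    name, _ = parseaddr(msg.get("From", ""))
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    flags = []
    # A coworker's display name on mail that did not come from the company's own domain.
    if name.strip().lower() in staff and from_dom not in internal:
        flags.append("coworker-name-external-domain")
    # Sender domain a character or two away from ours, or ours buried inside a foreign one.
    for own in internal:
        nested = own in from_dom and from_dom != own and not from_dom.endswith("." + own)
        if nested or 0 < edit_distance(from_dom, own) <= 2:
            flags.append("lookalike-sender-domain")
    # Replies silently routed to a different domain than the one shown in From.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-domain-mismatch")
    # Link text that displays one site while the href points somewhere else.
    body = "".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = urlparse(text.strip()).hostname
        if shown and shown != urlparse(href).hostname:
            flags.append("link-text-mismatch")
    return flags
```

Running `phishing_flags(SAMPLE)` reports all four signs; the same checks are a useful starting point for a mail-gateway rule or a SIEM enrichment, not just classroom material.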
2. Establish Cybersecurity Policies and Procedures
After putting your organization through Cybersecurity 101, you need to create policies and procedures that make the lessons actionable. These include:
- Dos and Don’ts. For example, don’t leave papers with your passwords or sensitive information on your desk, never share your credentials, etc.
- Rules for how to respond to incidents (e.g., whom employees should contact, how, and when).
- Data retention policies covering what information can be collected from customers, where it should be stored, and how frequently it should be deleted.
- Security patching rules that ensure employees update their devices before cybercriminals can exploit vulnerabilities.
These policies and procedures must be periodically reviewed, updated, communicated to employees and enforced by the organization.
3. Secure Your Application Layer
Universities do a great job of teaching graduates to code, but they don’t spend nearly enough time on security. Almost every application vulnerability is introduced accidentally by a developer. Once an insecure application is exposed to the outside world through the internet, it’s only a matter of time before a malicious actor finds the vulnerabilities. To mitigate the risks:
- Implement a static code scanning tool that analyzes vulnerabilities and enforces secure practices.
- Put your team through secure coding educational programs.
- Document hardening procedures to ensure that servers are properly locked down and default passwords are removed.
- Invest in a Web Application Firewall (WAF) that can monitor if an application is being attacked after it’s up and running.
- Create a bounty program that pays white hat hackers to find the vulnerabilities in your system.
4. Secure the Network and Infrastructure
Standard practice is to only deploy the required software and only allow protocols required by your applications. Skilled attackers often find oversights and gaps in the network. You must assume that an attacker who penetrates your network will find a way to reach customer data or payment information. To reduce the risks:
- Use an intrusion prevention system, a type of networking software that runs in front of an application or server, monitors network events, and blocks attacks.
- Virtualize your network and create isolated “demilitarized zones,” or DMZs. This entails placing a network layer (virtual or physical) in front of your internal network, where attackers first land. Even if the DMZ is compromised, the attacker will have a hard time breaching your network’s inner resources and assets.
- Constantly scan for vulnerabilities and never slack on updates. Deploy patches and upgrade software regularly.
5. Cover Your Case-by-Case Necessities
Depending on how your business, applications, and network are structured, you may have some vulnerabilities that require case-by-case protection. In no particular order:
- Every public-facing e-commerce business should have distributed denial of service (DDoS) protection software. It’s cheap and easy to commission a DDoS attack against your company. So, protect your business not only from downtime but from other attacks, since often a DDoS attack is a diversion that ties up your security team while the criminals try to break into your systems.
- If your business exposes Application Programming Interfaces (APIs), invest in an API gateway layer to protect your APIs from abuse.
- Integrate your payments system with a proven fraud engine if your payment provider doesn’t do that already.
- Clarify whether you or your payment vendor is responsible for Payment Card Industry (PCI) compliance. PCI is not a responsibility you want unless you have the expertise and resources to meet the standards.
- Last, invest in a security information and event management (SIEM) system. A SIEM will provide visibility across your organization and help you identify security events so your team can catch attacks in progress rather than discover the damage weeks or months later. A SIEM is critical if you process payments.
6. Secure the Corporate and User Environments and Endpoints
The final step is to secure the networks and machines used by non-IT employees. Sooner or later, persistent attackers will look for vulnerabilities in basic systems like desktop computers, Wi-Fi networks, and email services. You can protect these environments in the following ways:
- Deploy anti-virus and anti-malware on your endpoints, including servers. Signature-based solutions are not sufficient. Invest in next-generation endpoint solutions that can block attacks exploiting zero-day vulnerabilities.
- Implement a data leak protection solution that monitors and prevents sensitive data from leaving the organization.
- Keep your Wi-Fi network separate from your internal network(s). Wi-Fi is easily accessible and typically offered to visitors. Keeping it separate from your internal network is a smart security decision.
- Invest in network access control (NAC). If someone plugs into your network via an unrecognized or unapproved device, access to your internal network should be denied.
- Basic spam filters that come with email services are not good enough. Invest in anti-phishing and malware protection infrastructure.
- Finally, make full use of two-factor authentication to protect your assets and services that contain sensitive data and customer information. Force the user to authenticate beyond their user ID and password to gain access to these systems.
It’s much easier to find vulnerabilities in retrospect than to prevent an attack in the first place. That is why security is so expensive: it has to cover every possible contingency in the hope of covering the vector attackers will actually use.
If these recommendations stretch your budget too far, lean on your partners and vendors for help. Partner with e-commerce and payment vendors that have the scale and expertise to help you secure your systems.