Blog Post - Simon Toon, Jun 16 2017

Cyber Security - a bigger threat than your competitors?

In the wake of the recent ransomware attack that hit the NHS, should retailers be worried about their own levels of security, particularly on their ecommerce systems?

If there was a security breach on your ecommerce website or mobile apps, would you be able to say, hand on heart, in a court of law, that you had done everything possible to prevent it?

Cyber security is now a big threat.

Security management is therefore vital for ecommerce systems, which by their very nature have to be connected to the wider Internet. Latest figures from internet service provider Beaming suggest that 52% of UK businesses fell victim to cyber attacks last year, resulting in almost £30bn in total losses.

A recent survey by Salmon determined that 92% of organisations cite ecommerce platform security as a deciding factor in their platform selection.

Users are increasingly security conscious too, and increasingly fearful of providing websites or mobile apps with their personal information: name, postal address, email address and payment details (credit card numbers or other payment methods, e.g. ApplePay or PayPal authentication). Users are more aware that this poses a risk to them when using an ecommerce website or mobile app, because they cannot use the system without entering these details. They know this exposes them to possible identity theft, and that money could be taken virtually from their pocket.

What does this mean for retailers online?

As a digital retailer there are a number of business-damaging aspects to consider:

  • You have a duty of care over your customers’ information, and if your security is compromised the impact on the brand owner can be significant, decreasing trust in the brand: customers will choose to go elsewhere and it will cost you business. Furthermore, this duty of care has a legal basis in the existing UK Data Protection Act and the forthcoming GDPR; if you are found responsible, a percentage of your revenue may be used as the basis for calculating a fine against your organisation. PCI-DSS (Payment Card Industry Data Security Standard) adds further regulatory requirements that need careful consideration, implementation and ongoing management and governance, both within your organisation and with the suppliers you partner with.
  • You may lose stock, either by shipping your goods without getting payment, or because your inventory is tied up by fraudulent orders, meaning genuine customers are unable to complete their purchase on your website or mobile app because of an apparent (but untrue) lack of stock.
  • Your website could be used for spoofing. Loopholes in a poorly-protected website could enable a hacker to run a phishing exploit, sending an email with a link to your website which nonetheless lets them siphon off the user’s personal details and passwords (e.g. ‘man in the middle’ attacks).

All of these can be irreparably damaging to your brand.

What are the aspects of security that you need to cover?

In order to keep your customer data secure, the first step is to agree which requirements you are seeking to align to. For most organisations this will be at least the DPA/GDPR legal needs, and it is also likely to include PCI-DSS to ensure PCI compliance.

But security also needs to be considered company wide, and so this is not just an ecommerce department’s concern: there are desktops, servers, laptops, POS terminals, physical stores and networks that need to be securely managed too if you are truly serious about protecting your data.

So we would recommend alignment to ISO27001 as a best practice security initiative too. This provides a risk-based approach to assessing the threats to your business and, most importantly, a means of managing those risks and your compliance with them effectively. We all have information security policies: are they really being followed within your organisation?

Focusing in on the PCI-DSS requirements, in order to keep customer data secure, you need to examine your ecommerce system from both a development and operational perspective:

1. Secure development:

  • Developers must design and code according to the latest security standards, and they should regularly re-test their code to guard against common vulnerabilities and to ensure they are using the best possible techniques. They should routinely implement best practice guidance from organisations like OWASP, noting that this guidance changes periodically too.
  • Code must be continually tested and evaluated, using a combination of automated and manual processes. This ensures all code meets quality and security standards, and nothing slips through the cracks.
  • Third parties and partners should perform penetration tests, which identify areas of weakness and security vulnerabilities in applications and infrastructure.
  • Most solutions are an integration of many third-party elements, but all parts of the solution must comply with PCI needs.

2. Secure operations:

  • Vulnerabilities must be identified, managed, evaluated, and quickly resolved as necessary. Integrators monitor alerts from platform vendors like IBM, SAP and Magento, but your team should also pay attention to service incidents, testing results, and vulnerabilities flagged by operating system vendors.
  • Integrators can also leverage large economies of scale, so each client can benefit from the knowledge that they gather from risk assessment and mitigation planning. This is much more cost effective than each retailer having to do this diligence work themselves.
  • Monthly reporting should detail all of the known vulnerabilities on your system, along with the corresponding risk and remediation plan.
  • Systems and mobile apps must be kept up to date with the latest security fixes on a regular cycle, so plan in regular outages to apply these fixes, and do not delay in applying fixpacks for serious security vulnerabilities.

A good ecommerce team is also security-aware in its day-to-day work. That means:

  • Not downloading customers’ data onto test systems or local hard drives.
  • Encrypting any credit card data at the database level and if possible not storing this information within your own systems.
  • Delivering reports without any personally identifiable information or payment data where possible, and encrypting that information if inclusion is unavoidable.
  • Using secure methods of storage and transmission for all sensitive data, including passwords, SSL certificates, and security keys.
  • Controlling access to isolated security zones, with full audit trails.
  • Having documented and rehearsed incident management processes and a communications plan, so that the whole team can act quickly and coherently if there is a breach.
  • Having an authorisation model that grants users only the access their business role requires and no more, and regularly reviewing that access list.

Security breaches can result in customer inconvenience, damaged brand reputation, and considerable fines and penalties. The need for security never stops, and Salmon’s advice is never to stand still on security, as those who want access to your data are continually finding new ways to gain entry. Retailers that adhere to secure ways of working have the best chance of avoiding security disasters.

To find out more about these matters and how Salmon can help protect you with the above mentioned services, contact us here.

Security is one of the key trends that Salmon called out at its annual ecommerce event Commerce 2020. Download the 20 for 20 Trends ebook.