Team eCommerce Next interviewed Andrew Chan from AfterShip to get more insights into the security challenges e-commerce businesses face today, drawing on data from two recent surveys. Following is our interview with him:
Why is cybersecurity important for e-commerce?
In one sense, e-commerce businesses face cybersecurity challenges similar to many other types of companies, from the rise of the work-from-anywhere workforce to the rapid adoption of cloud infrastructure, to the faster pace of DevOps development, to sudden and sometimes unpredictable shifts in network traffic. All of these trends can open new vulnerabilities for hackers to exploit and make it more difficult to defend against attacks. With both IT and security talent in high demand, e-commerce companies can easily become overwhelmed at a time when speed and agility are critical. If they can’t keep up, they risk damaging disruptions to productivity, lost revenue, and customers who turn elsewhere.
What are the top-three security issues in e-commerce?
Reputational concerns are top-of-mind. A security breach can be highly embarrassing for any type of organization, but e-commerce businesses are especially vulnerable to customer confidence problems. While the difficulty of changing banks or healthcare providers can lead consumers to stay loyal even after an incident, it’s all too easy for an e-commerce customer to switch to the competition. Would you enter your payment card information into a website that you knew had been recently hacked just to make a routine purchase?
Website performance is also crucial. You can’t deliver a competitive customer experience if you’re wrestling with security or technology incidents.
Cloud security rounds out the top-three, but the benefits of the cloud come at the cost of security complications. Management complexity and cross-cloud security were seen as key operational challenges in multi-cloud IT. If e-commerce businesses can’t ensure that their security policies and configurations are consistent across every cloud they use, they can leave gaps for hackers to exploit. Similarly, a lack of centralized visibility can lead them to miss signs of a compromise or a lapse in compliance with standards like PCI DSS and GDPR.
What kinds of security threats do e-commerce businesses face?
In addition to the reputation-related threats I mentioned earlier, including hacking, defacement, fake sites, phishing, and user data theft, respondents named specific tactics like malicious code (42 percent), DDoS attacks (35 percent), and insider attacks (27 percent). Ransomware has been a large and growing problem for years—we all remember the X-Cart attack of late 2020. Earlier this year more than 500 e-commerce sites were infected with digital credit card skimmers to capture users’ personal and financial data.
DDoS attacks are a huge problem for many of our respondents. Also, e-commerce businesses have to watch for phishing attacks against employees, which can allow threats into their environment, such as SQL injection attacks to breach databases and cross-site scripting (XSS) attacks to inject malicious code into your web pages, which can expose customers to malware and other threats. This illustrates the need for zero trust in e-commerce, using effective web application firewalls (WAFs) layered with load balancing and application delivery controller (ADC) infrastructure.
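The two injection classes named in that answer are easiest to understand side by side with their fixes. The following is an added illustration written for this page; it is not code from the interviewee, AfterShip, or A10 Networks. It uses an in-memory SQLite table with constructed rows, shows a string-built query next to a parameter-bound one, shows unescaped versus escaped HTML output, and ends with a coarse WAF-style classifier (its two patterns and the `classify_request` name are assumptions for the example) of the kind a WAF or ADC layer would apply to request parameters before they reach the application.

```python
import html
import re
import sqlite3

# Constructed demo database (not from the interview): one user row.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, name, password):
    # Vulnerable form: user input is spliced into the SQL text, so a quote
    # in the input can change the query's structure.
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()

def login_hardened(conn, name, password):
    # Hardened form: values are bound as parameters; the database never
    # interprets them as SQL, whatever characters they contain.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()

def render_comment_vulnerable(comment):
    # Vulnerable form: untrusted text is placed into the page verbatim,
    # so markup in the comment becomes markup in the page (stored XSS).
    return f"<p class='comment'>{comment}</p>"

def render_comment_hardened(comment):
    # Hardened form: html.escape() turns <, >, &, quotes into entities,
    # so the browser renders the text instead of executing it.
    return f"<p class='comment'>{html.escape(comment)}</p>"

# Coarse WAF-style signatures (assumed for this example; a real WAF rule
# set is far larger). They exist to flag and log, not to replace the
# fixes above: parameterised queries and output encoding are the control.
SUSPICIOUS = {
    "sqli": re.compile(r"['\"]\s*(or|and)\s+['\"\w]+\s*=", re.I),
    "xss": re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.I),
}

def classify_request(params):
    """Return [(parameter, category), ...] for parameters matching a signature."""
    hits = []
    for key, value in params.items():
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(value):
                hits.append((key, label))
    return hits

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed input with an embedded quote
    print("vulnerable:", login_vulnerable(db, "alice", probe))   # returns the row
    print("hardened:  ", login_hardened(db, "alice", probe))     # returns None
    print(render_comment_hardened("<script>alert(1)</script>"))
    print(classify_request({"password": probe, "q": "running shoes"}))
```

The classifier is deliberately simple so the mechanism is visible; in practice a WAF in front of the application adds visibility and a logging point, while the parameter binding and output encoding are what actually close the two bugs.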
What technologies are key for the security of e-commerce?
Given the size and urgency of the DDoS threat alone, respondents were planning to implement DDoS protection in the next three years. Encryption is also vital to secure online communications with customers, including payment information. The latest standard, TLS 1.3, was defined in 2018, but 20 percent of respondents were still working on the upgrade.
How does Zero Trust fit into e-commerce security?
There’s a reason Zero Trust has become a fixture on the cybersecurity agenda of every modern organization. With trends like work-from-anywhere, cloud infrastructure, and everything-as-a-service rendering the traditional hardened network perimeter obsolete, companies of all kinds need to ensure security at every level of their environment. No less, the White House has joined the call for Zero Trust, as seen in its executive order on improving the nation’s cybersecurity.
E-commerce businesses typically work with a whole ecosystem of suppliers, fulfillment partners, technology providers, financial services providers, staffing agencies, independent contractors, and other third parties, all of whom have a legitimate need for access to various data and services. Zero Trust provides a way to grant the right level of access to the right people, in the right way, while limiting the risk of a rogue or careless user allowing a data breach, malware or DDoS attack, or other such incident, and a way to communicate the importance of this across the organization.
To put it simply: cybersecurity threats are an inescapable fact of life for e-commerce businesses. To protect their customers and themselves, they need to weave security throughout their organization, from technologies like DDoS protection and ADC infrastructure to strategies such as Zero Trust. It’s a major undertaking, but it’s the cost of doing business in the modern world.
About Paul Nicholson
Paul Nicholson brings 25 years of experience working with Internet and security companies in the U.S. and U.K. In his current position, Nicholson is responsible for global product marketing, technical marketing, and analyst relations at San Jose, Calif.-based security, cloud and application services leader A10 Networks. Prior to A10 Networks, Nicholson held various technical and management positions at Intel, Pandesic (the Internet company from Intel and SAP), Secure Computing, and various security start-ups.