While large online retailers benefit from having their own security teams, eCommerce security is often more of a challenge for small businesses that lack the in-house resources and expertise. That gap becomes even more serious with new malware trends such as supply chain attacks and automation: using these techniques, attackers can hit large collections of eCommerce sites at once rather than attacking each one individually.
For small businesses, that means eCommerce security can make or break their short- and long-term success in the online marketplace. The online small business space now represents a great opportunity for threat actors, because it holds massive quantities of valuable information without the heavy security seen at larger corporations. That is why recent studies, like Verizon’s 2020 Data Breach Investigations Report, have found a striking increase in the number of small businesses suffering from data breaches and other cyber threats.
With all businesses, from small shops to corporate retailers, being forced to move strictly to eCommerce, security represents survival. When your customers sense the slightest hint that their transactions or PII are not secure, they are unlikely to stick around, leading to a significant loss of take-home revenue for your small business. This Packetlabs blog describes the inherent threats to eCommerce security and provides helpful suggestions as to the best course of action.
eCommerce Security: News Update
A survey conducted by the Canadian Federation of Independent Business (CFIB), in October of last year, found that nearly twenty-five percent of respondents had experienced some form of cyber threat since March 2020, the period when many businesses were forced to shift to an exclusively eCommerce storefront. In the haste to stay in business, eCommerce security often became an afterthought.
The CFIB’s vice-president of national affairs, Jasmin Guenette, observed that the businesses that were able to adapt quickly and successfully to the eCommerce pivot were, unfortunately, the most vulnerable to attack in the last year – likely as a direct result of their lack of eCommerce security.
Perhaps unsurprisingly, the true figure is very likely much higher than the 25% of businesses that reported experiencing cybercrime. Guenette points out that many businesses, particularly small businesses, often find out about an intrusion or an attack only months later, if they find out at all (See Compromise Assessment). Many of these small businesses may have failed to put adequate research into eCommerce security and have spent their budgets in the wrong places for very little return. (See our blog: Choosing a Penetration Tester)
Regarding the source of the reported cyberattacks, the report found that more than 80% of businesses that experienced an eCommerce security threat said it came specifically via business email compromise and phishing. The businesses most at risk had twenty or more employees, many of whom were working remotely.
eCommerce Security Defined
eCommerce security refers to the cybersecurity strategies and recommendations that allow for secure online electronic transactions between a buyer and a merchant. It lets people buy and sell products and services on the Internet with a framework in place that protects all of the individuals or businesses involved. As mentioned, in recent years, particularly since March 2020, eCommerce security has become increasingly important for merchants and shoppers alike.
The Importance of eCommerce
According to a recent QuickBooks survey, 60% of small businesses said that, as a result of the pandemic, they have become more reliant on digital technology, with over 50% saying they did more business online than in previous years. Their primary concern? Topping the list at 37% was cybersecurity risk, or eCommerce security.
Further, a recent report on small and midsize businesses produced in collaboration between Cisco and the National Center for the Middle Market tells a comparable story. Sixty-two percent of the surveyed CEOs declared that their firms did not have any eCommerce security strategy at all! If we consider the true cost of a cyberattack, it is easy enough to put a company out of business. In actual fact, the National Cyber Security Alliance found that sixty percent of small and medium sized businesses that are breached go out of business within six months!
eCommerce Security Risks
- Malware: This eCommerce security threat is extremely common. When a threat actor gains initial access to a website, they often insert malicious code, called malware, which can ‘grab onto’ site visitors, giving the attacker access to personal information and sensitive data held on the visitor’s device, an IoT device for example.
- Phishing: This eCommerce security threat is when your customers or employees are sent fraudulent emails by threat actors that supposedly come from your business. Since these emails are often indistinguishable from internal emails, your customers or employees could mistakenly click on the links that lead to malicious websites, coaxing them to reveal sensitive data.
- Cross-site Scripting: Cross-site scripting (XSS) is an eCommerce security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. XSS allows an attacker to evade the same-origin policy, which is designed to segregate different websites from one another. Cross-site scripting vulnerabilities typically allow an attacker to masquerade as a user, to carry out any actions that the user is able to do and to access any of that user’s data. Worse still, if the victim user has privileged access within the application, then the attacker may be able to gain full control over all of the application’s functionality, including sensitive data!
- SQL Injection: This is an eCommerce security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. SQL injection generally allows a threat actor to view and retrieve data that they are not normally allowed to access. This data could include data belonging to other users, or any other data that the application itself is able to access. Often, the threat actor is also able to modify or delete this data.
- DDoS/DoS Attack: With this eCommerce security vulnerability, attackers attempt to make it impossible for a service to be provided. This is done by preventing access to servers, networks, applications, or specific transactions within a web application. In a DoS attack, a single system sends the malicious data or requests; a DDoS attack comes from multiple systems. The impact of this specific eCommerce security vulnerability could range from a minor annoyance, such as disrupted services, to entire websites, applications, or even the entire business being taken offline.
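The SQL injection and cross-site scripting items above describe the two most common ways an eCommerce application ends up trusting shopper-supplied text. The following is an added illustration, not code from the original post: a constructed in-memory order table and product-review renderer, each shown in a vulnerable form beside its hardened form (parameterised queries and HTML output encoding). The table, column and function names are assumptions made for the example.

```python
import html
import sqlite3


def make_db():
    # Constructed sample store standing in for a shop's database (example data only).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 49.99), (2, "bob", 120.00), (3, "carol", 15.50)],
    )
    return conn


def orders_for_customer_vulnerable(conn, customer):
    # The customer value is concatenated into the SQL text, so a quote character
    # in the input changes the structure of the query instead of being data.
    sql = "SELECT id, total FROM orders WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def orders_for_customer_safe(conn, customer):
    # Parameterised query: the driver passes the value separately from the SQL,
    # so whatever the shopper types can only ever be compared as a string.
    sql = "SELECT id, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def render_review_vulnerable(review):
    # Reflects the review straight into the page: any markup in it is interpreted
    # by the browser of every shopper who views the product.
    return "<p class='review'>" + review + "</p>"


def render_review_safe(review):
    # Escapes <, >, &, and quotes so the browser displays the text verbatim.
    return "<p class='review'>" + html.escape(review, quote=True) + "</p>"
```

A quick regression test for either function is simply to feed it a value containing a quote or an angle bracket and confirm the result is the same as for any other string.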
Putting the pieces together
eCommerce security is not always easy to get right, especially for smaller businesses that may not have in-house IT. That said, considering the current marketplace, the significance of an online presence, and the ramifications of cybercrime on a small business’s livelihood, it is non-negotiable.