The Price of Convenience: How to Protect Your E-commerce Business From Cyber Attacks

Jun 14, 2018

Since 2016, the number of digital shoppers in the U.S. has grown steadily each year, with 230.5 million shoppers anticipated by 2021. Online shopping provides convenience and competitive discounts, but also creates a direct portal for cyber-attackers to victimize consumers.

According to the 2018 Data Breach Investigations Report (DBIR) by Verizon, 58% of cyber breach victims are categorized as small businesses. Why? Because smaller businesses typically have fewer financial resources to dedicate to cybersecurity programs than Fortune 500 companies. This demonstrates that hackers don’t just target big companies such as Target, eBay and Zappos.

If you operate an online business, certain precautions are essential if you want to protect not only your financial assets and personal data, but the safety of your customers. Understanding a cyber-attacker’s pathology, and the direct remediation steps you can take, will keep your business’s precious data intact.

We Got Our Wires Crossed

Wire fraud is a particularly serious cyber security issue in e-commerce. It is most commonly achieved through Business Email Compromise (BEC), a targeted form of phishing also known as spear phishing.

A “real life” wire fraud BEC might unfold something like this:

  • A CFO, CEO or other C-suite executive clicks on what appears to be a legitimate invoice, bill or attachment in an email but is in fact malicious, for example a phishing link or malware.
  • Clicking takes the individual to a malicious webpage or runs malicious code on the device, compromising the individual’s personal data, including login credentials.
  • The cyber attacker uses the stolen credentials to pose as the legitimate user and withdraw or steal money.
  • By the time the victim is notified, it’s too late to stop the attacker, and both the personal data and the funds are unrecoverable.
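The lure in the sequence above usually shows a few detectable traits before anyone clicks: a sender domain that imitates the company's real one, a Reply-To that routes answers elsewhere, and urgent payment language. The following checker is an added example, not the article's code or any vendor's product; the company domain, the two sample messages and the keyword lists are constructed assumptions.

```python
"""Flag BEC-style indicators in an email: lookalike sender domain, mismatched
Reply-To, and urgent payment language (added example; all data constructed)."""
from email import message_from_string
from email.utils import parseaddr

LEGIT_DOMAIN = "example-corp.com"          # assumption: the company's real mail domain
URGENCY_TERMS = ("urgent", "immediately", "today", "asap", "don't call")
PAYMENT_TERMS = ("wire", "invoice", "transfer", "payment")

# Constructed lure: an executive's display name on a lookalike domain, with a
# Reply-To pointing somewhere else entirely.
SAMPLE_BEC = """\
From: "Jane Doe, CFO" <jane.doe@examp1e-corp.com>
Reply-To: accounts@mail-examp1e.net
To: ap@example-corp.com
Subject: URGENT wire transfer needed today

Please process the attached invoice and wire the funds before 3pm.
I'm in a meeting, don't call.
"""

# Constructed benign message from the real domain for comparison.
SAMPLE_OK = """\
From: "Jane Doe, CFO" <jane.doe@example-corp.com>
To: ap@example-corp.com
Subject: Q3 budget review notes

Notes from today's meeting are attached.
"""


def domain_of(header_value):
    """Return the lowercase domain part of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def normalize(domain):
    """Collapse common homoglyph substitutions and punctuation so that
    'examp1e-corp.com' and 'example-corp.com' compare equal."""
    label = domain.rsplit(".", 1)[0]          # drop the TLD
    for bad, good in (("1", "l"), ("0", "o"), ("rn", "m"), ("vv", "w")):
        label = label.replace(bad, good)
    return "".join(ch for ch in label if ch.isalnum())


def edit_distance(a, b):
    """Levenshtein distance; a small value between distinct labels means 'lookalike'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, legit=LEGIT_DOMAIN):
    """True when the domain is not the legitimate one but reads like it."""
    if not domain or domain == legit:
        return False
    a, b = normalize(domain), normalize(legit)
    return a == b or edit_distance(a, b) <= 2


def bec_indicators(raw_message):
    """Return the list of indicator names triggered by the message."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    text = ((msg["Subject"] or "") + " " + msg.get_payload()).lower()
    flags = []
    if is_lookalike(from_domain):
        flags.append("lookalike_sender_domain")
    if reply_domain and reply_domain != from_domain:
        flags.append("reply_to_mismatch")
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in PAYMENT_TERMS):
        flags.append("urgent_payment_language")
    return flags


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_BEC), ("legit", SAMPLE_OK)):
        print(name, bec_indicators(raw) or "no indicators")
```

Any one indicator on its own is weak (a real executive does send urgent invoices); the point of the check is that a lure typically trips two or three at once, which is enough to route the message for review rather than to the person who can move money.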

Take control: what you can do to protect your business

  • Require multi-party authorization for wire transfers. By requiring that multiple people approve each outgoing wire transfer, in person and via email or text message, wire fraud can be prevented. This protocol may cause some logistical headaches, but it is necessary to ensure secure wire transfers.
  • Train employees to recognize phishing tactics by hosting third-party phishing training. Providing cyber security tips for employees will contextualize an attack with real-world phishing examples and show how to spot them. Upper management should stress the importance of reporting any suspected phishing attempt so it can be properly vetted by the security team.
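The multi-party authorization control in the first point can be expressed as a small policy check that a payment system runs before releasing funds. The code below is an added example illustrating that control, not the article's own process; the policy constants, role names and the sample request are constructed assumptions.

```python
"""Dual-control approval check for outgoing wire transfers (added example).

Policy: at least two distinct approvers, neither of them the requester, and at
least one confirmation over a channel that a stolen mailbox cannot reach."""
from dataclasses import dataclass, field

REQUIRED_APPROVERS = 2                        # distinct people, excluding the requester
OUT_OF_BAND = {"in_person", "phone_callback"}  # channels a compromised mailbox cannot use
ALLOWED_CHANNELS = OUT_OF_BAND | {"email", "sms"}


@dataclass(frozen=True)
class Approval:
    approver: str
    channel: str


@dataclass
class WireRequest:
    request_id: str
    requester: str
    amount: float
    beneficiary: str
    approvals: list = field(default_factory=list)


def add_approval(req, approver, channel):
    """Record an approval; unknown channels are rejected outright."""
    if channel not in ALLOWED_CHANNELS:
        raise ValueError(f"unsupported approval channel: {channel}")
    req.approvals.append(Approval(approver, channel))


def evaluate(req):
    """Return (release_ok, reasons); an empty reasons list means the wire may go out."""
    reasons = []
    # Separation of duties: the person who raised the request never counts as an approver.
    if any(a.approver == req.requester for a in req.approvals):
        reasons.append("requester attempted to approve their own transfer")
    others = [a for a in req.approvals if a.approver != req.requester]
    # Two approvals from the same person (e.g. email plus SMS) are still one approver.
    approvers = {a.approver for a in others}
    if len(approvers) < REQUIRED_APPROVERS:
        reasons.append(f"need {REQUIRED_APPROVERS} distinct approvers, have {len(approvers)}")
    if not any(a.channel in OUT_OF_BAND for a in others):
        reasons.append("no out-of-band (in-person or phone callback) confirmation")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed scenario: the CFO's mailbox is compromised and the attacker
    # "approves" twice, by email and by text message, hoping that counts as two.
    req = WireRequest("W-1", "ap_clerk", 250000.0, "BENEFICIARY-CONSTRUCTED")
    add_approval(req, "cfo", "email")
    add_approval(req, "cfo", "sms")
    print(evaluate(req))   # rejected: one approver, nothing out of band
    add_approval(req, "controller", "phone_callback")
    print(evaluate(req))   # released: two people, one out-of-band confirmation
```

The out-of-band requirement is what makes the control hold against the BEC scenario described above: an attacker who controls an executive's email can send as many approvals as they like, but cannot answer a callback to a number on file or walk into the office.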

Yes, We Take Plastic

Most e-commerce businesses accept credit cards, which makes them a goldmine for attackers. The goal of the attacker is simple: gain unauthorized access to whichever server is storing cardholder data covered by the Payment Card Industry Data Security Standard (PCI DSS), then sell those card numbers on the “dark web.” The dark web is a part of the internet that is only accessible through specific software, configurations, or authorization, allowing users and operators to stay undetected. As of April 2018, the going price for a debit or credit card on the dark web ranges from $5 to $110. Additionally, e-commerce sites are vulnerable to fraudulent transactions due to the proliferation of credit and debit card hacks.

Take control: what you can do to protect your business

Use a trusted third party to store PCI DSS cardholder data to mitigate risk. Before choosing a third party, exercise due diligence by reviewing past audits and conducting stakeholder interviews.

If your company plans to store the PCI DSS cardholder data on an internal server, make sure to conduct routine scans for vulnerabilities. A vulnerability scanner will highlight any at-risk software or misconfigurations on the server, so your company can proactively patch the vulnerabilities or fix the misconfigurations before attackers discover them. Ongoing quarterly assessments that include these scans will keep you ahead of tomorrow's threats.

I Can’t Believe it was an Inside Job

According to the 2018 DBIR by Verizon, 28% of breaches were perpetrated by an internal actor. It is imperative for e-commerce companies to have internal checks and balances on employees with access to highly sensitive data. There have been countless instances where a database administrator became unhappy and stole sensitive data or sold data access to a malicious outsider. Internal threats can also have a non-malicious source. For instance, an internal user could have a weak password or accidentally download a malicious application onto the server hosting the credit card database.

Take control: what you can do to protect your business

Practice makes perfect. Just as with a fire drill, company stakeholders should have a plan in place before a breach occurs so that recovery is quick and successful. This includes an incident response plan, tested through tabletop exercises conducted by a professional security team.

Convenience has a price when it comes to cybersecurity issues in e-commerce; however, there are simple precautions you can take to protect the personal and financial assets of your business and its customers.
