How To Reduce Cyber Threats To Ecommerce

The rapid evolution of online and mobile channels has carved out new markets and brought huge opportunities for emergent and established organisations alike. Unfortunately, the past decade has also witnessed significant disruption to ecommerce payment processes and systems.
The interconnected, anonymous and instantaneous nature of these channels has inevitably led to the development of malicious threats targeting ecommerce and retail services firms, their people and their customers.
These e-crime and digital fraud threats continue to evolve rapidly, with attackers utilizing increasingly sophisticated techniques to target vulnerabilities in people, processes and technologies.
The e-crime threats, if successfully realised, can undermine essential digital services, cause significant damage to brand reputations, and result in considerable financial and operational pain for organisations and their customers.
Worldwide, regulators are also turning their attention to these threats, with enhanced scrutiny of organisational resilience and the introduction of stringent compliance requirements.
The challenge that ecommerce services firms are facing is to deliver richer, integrated services, through multiple remote and digital channels, under significant cost restraint, and in the face of sophisticated e-crime threats.
Recent cyber-attacks highlight the urgency for retail organizations to contend with ever increasing risks to customer protection, continuity, fiduciary responsibility, and operations.
In order to achieve the security objectives, it is necessary to recognise that the security of the services and the protection of the customers’ data are essential. To this end, and specifically to support the current security posture, it is necessary to have an enterprise-wide target customer security model.
This should be designed to deliver enhancements to both customer-facing and back office security capabilities, and in particular to improve existing security defences for remote online, telephone and mobile banking channels.
“There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.” – James Comey, FBI Director
Evolving Degree of Threats
The threat landscape is ever evolving and increasingly challenging. The volume of customer data held by retailers and e-commerce firms has been increasing at a rapid pace. As services in e-commerce continue to expand, more data will be generated in the next two years than was generated ever before.
Access to all this data has made the retail industry one of the primary targets for cyber-attacks. Some of the key threats today’s organizations are vulnerable to include:
• User account takeover via automated (bot) attacks, password guessing, HTML injection and Man-in-the-Middle or Man-in-the-Browser. Account peeking is a very common behaviour among fraudsters, as it allows them to validate login credentials, identify higher value accounts and understand the controls which must be defeated to complete future unauthorized transactions.
• Business Logic Abuse, or the use of a portal’s functionality for malicious or exploitative purposes (e.g., abuse of loyalty point programs or shopping cart functionality, fraudulent account set-up, scripted attacks to find valid coupon codes).
The impact of such abuse may include harm to genuine customers through unauthorized use of coupon offers, an overall decrease in revenue due to offer abuse, incremental portal overhead due to scripted attacks, and site scraping by resellers or coupon aggregator sites.
• Distributed Denial-of-Service (DDoS) attack on the application layer, where a deluge of page requests coordinated by a bad actor overwhelms the server and brings the site down.
• Site or Architecture Probing to gather as much information about site structure and security vulnerabilities as possible to prepare for an attack on that site.
• Site & Inventory Scraping, or data theft perpetrated by copying large amounts of data from a website, typically via automated scripts.
As these threats evolve, it is clear that traditional techniques won’t be able to prevent all of them. Additional layered security and specialized visibility into these attacks are needed.
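The visibility the paragraph above calls for starts with the web tier's own access logs. The following is an added example, not code from the original article or any vendor product, showing three detection heuristics for the automated threats in the list above: credential stuffing and account takeover (many failed logins against many distinct accounts from one source, followed by a success), scripted coupon-code enumeration (business logic abuse), and site scraping (a burst of product-page requests). The log format, the IP addresses (RFC 5737 documentation ranges), the paths and the thresholds are all assumptions constructed for the example; in production they would be tuned to the site's real traffic and fed into the fraud or SOC workflow.

```python
"""Detection heuristics for automated ecommerce abuse, run over constructed
access-log lines. Illustrative code written for this article; the log format,
addresses, paths and thresholds are hypothetical, not from any real site."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Format (hypothetical):
#   "<ISO timestamp> <source IP> <method> <path> <status> <key=value or ->"
SAMPLE_LOG = [
    # an ordinary shopper: one login, a couple of product pages, one coupon
    "2024-03-01T10:00:00 198.51.100.7 POST /login 200 user=carol",
    "2024-03-01T10:00:10 198.51.100.7 GET /product/1001 200 -",
    "2024-03-01T10:00:20 198.51.100.7 POST /cart/coupon 200 code=SPRING10",
    "2024-03-01T10:00:30 198.51.100.7 GET /product/1002 200 -",
    # credential stuffing: one source, many accounts, then a success (takeover indicator)
    "2024-03-01T10:00:01 203.0.113.5 POST /login 401 user=alice",
    "2024-03-01T10:00:02 203.0.113.5 POST /login 401 user=bob",
    "2024-03-01T10:00:03 203.0.113.5 POST /login 401 user=dave",
    "2024-03-01T10:00:04 203.0.113.5 POST /login 401 user=erin",
    "2024-03-01T10:00:05 203.0.113.5 POST /login 401 user=frank",
    "2024-03-01T10:00:06 203.0.113.5 POST /login 200 user=grace",
    # coupon enumeration: six distinct codes tried in six seconds, one accepted
    "2024-03-01T10:01:00 203.0.113.9 POST /cart/coupon 400 code=SAVE10",
    "2024-03-01T10:01:01 203.0.113.9 POST /cart/coupon 400 code=SAVE15",
    "2024-03-01T10:01:02 203.0.113.9 POST /cart/coupon 400 code=SAVE20",
    "2024-03-01T10:01:03 203.0.113.9 POST /cart/coupon 400 code=SAVE25",
    "2024-03-01T10:01:04 203.0.113.9 POST /cart/coupon 400 code=SAVE30",
    "2024-03-01T10:01:05 203.0.113.9 POST /cart/coupon 200 code=SAVE50",
]
# scraper: 40 product pages in under a minute from a single address
SAMPLE_LOG += [f"2024-03-01T10:02:{i:02d} 203.0.113.77 GET /product/{2000 + i} 200 -"
               for i in range(40)]

EPOCH = datetime(1970, 1, 1)


def parse_log(lines):
    """Turn raw lines into event dicts; 't' is seconds since the epoch."""
    events = []
    for line in lines:
        ts, ip, method, path, status, extra = line.split()
        _, sep, value = extra.partition("=")
        events.append({"t": (datetime.fromisoformat(ts) - EPOCH).total_seconds(),
                       "ip": ip, "method": method, "path": path,
                       "status": int(status), "arg": value if sep else None})
    return events


def _bucket(t, window):
    """Fixed time window index (e.g. 60 s windows aligned to the minute)."""
    return int(t // window)


def detect_credential_stuffing(events, window=60, min_failures=5, min_accounts=4):
    """Flag sources with many failed logins spread over many accounts in one window,
    and record any account that logged in successfully from the same source/window."""
    failures, accounts, successes = defaultdict(int), defaultdict(set), defaultdict(set)
    for e in events:
        if e["method"] != "POST" or e["path"] != "/login":
            continue
        key = (e["ip"], _bucket(e["t"], window))
        if e["status"] == 401:
            failures[key] += 1
            accounts[key].add(e["arg"])
        elif e["status"] == 200:
            successes[key].add(e["arg"])
    findings = {}
    for key, n in failures.items():
        if n >= min_failures and len(accounts[key]) >= min_accounts:
            findings[key[0]] = {"failed_logins": n,
                                "distinct_accounts": len(accounts[key]),
                                "successful_logins_same_window": sorted(successes[key])}
    return findings


def detect_coupon_enumeration(events, min_distinct_codes=5, max_success_ratio=0.2):
    """Flag sources trying many distinct coupon codes with a low acceptance rate."""
    codes, attempts, accepted = defaultdict(set), defaultdict(int), defaultdict(int)
    for e in events:
        if e["path"] != "/cart/coupon":
            continue
        codes[e["ip"]].add(e["arg"])
        attempts[e["ip"]] += 1
        accepted[e["ip"]] += e["status"] == 200
    findings = {}
    for ip, tried in codes.items():
        ratio = accepted[ip] / attempts[ip]
        if len(tried) >= min_distinct_codes and ratio <= max_success_ratio:
            findings[ip] = {"distinct_codes": len(tried), "attempts": attempts[ip],
                            "success_ratio": round(ratio, 3)}
    return findings


def detect_scraping(events, window=60, max_product_hits=30):
    """Flag sources whose product-page request rate exceeds the per-window limit."""
    hits = defaultdict(int)
    for e in events:
        if e["method"] == "GET" and e["path"].startswith("/product/"):
            hits[(e["ip"], _bucket(e["t"], window))] += 1
    findings = {}
    for (ip, _), n in hits.items():
        if n > max_product_hits:
            findings[ip] = max(findings.get(ip, 0), n)
    return findings


def analyze(lines=SAMPLE_LOG):
    """Run all three heuristics and return one findings report keyed by threat."""
    events = parse_log(lines)
    return {"credential_stuffing": detect_credential_stuffing(events),
            "coupon_enumeration": detect_coupon_enumeration(events),
            "scraping": detect_scraping(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(), indent=2))
```

Each heuristic keys on the "many distinct targets from one source" signature that separates scripted abuse from a genuine customer (who logs into one account, tries one or two codes and browses at human speed). The successful login recorded alongside a burst of failures is the item worth routing to the fraud team first, since it marks a probable takeover rather than a mere attempt; fixed windows aligned to the minute keep the logic simple, and a sliding window would catch bursts that straddle a boundary.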
Cyber security issues lead to brand degradation and changes in consumer behaviour. Attacks are exploiting weaknesses in traditional controls, and some are very destructive. Traditional controls around Point of Sale and other IT systems are necessary but not adequate: greater emphasis must be placed on preventative controls, rapid detection, and rapid response.
Retail innovations that drive growth (e.g. Digital, Omni-channel retailing, social etc.) also create cyber risk. Cyber risk management strategy must be a component of business strategy, and can’t simply be delegated to IT.
Lack of appropriate control and transparency adds to cyber security risk
Despite growing frequency and sophistication of cyber-attacks on the ecommerce industry, payment settlement agreements between credit card networks, the banks and the merchants have remained a closely guarded secret. Neither the government nor any database shares the list of defaulters with the public.
Banks and credit card companies determine fault on a case-by-case basis through private contracts with individual merchants. Fines and the reasons for them remain sealed. Due to this lack of transparency, the majority of customers are not aware of any cyber security breaches and remain vulnerable to cyber attackers.
E-commerce firms and retailers face pressure to increase efforts to ensure greater cyber security
In the wake of recent data-security breaches at large retail corporations, retailers have been pushed to spend more to ensure tighter customer data security. While traditional retailers have been investing millions of dollars to compete with online retailers, the cyber-security threats have multiplied their operational expenditures.
Third-party cyber risk
As firms look to exploit the competitive edge they gain from the data they capture about their customers, they are increasingly leveraging the expertise of third parties such as analytics specialists and social marketers.
Coupled with increasingly lengthy and complex supply chains, retail organizations are becoming enmeshed in very complex, interconnected value chains where sensitive data is shared and dependencies are introduced between business critical systems.
Firms are rapidly waking up to the realization that they often have very little visibility in these areas, and that they do not have a good understanding of where their customers’ data is travelling and what their risks are.
The focus should be on mapping these interconnections, developing robust risk management frameworks, and providing firms with assurance that they have understood and actively managed the risk of each partner relationship.
Inadequate joint efforts by banks and retailers to counter cyber security threats
While collaborative efforts are expected to ensure tighter cyber-security, banks and retailers differ in terms of responsibility sharing. Banks want retailers to bear more of the costs of replacing cards after breaches occur, whereas retailers say banks have been slow to adopt new, more secure debit card technology.
The rapid pace at which technology is changing has provided large opportunities for organizations to develop new business models, services, and products. While the digital revolution has transformed the way we do business, it has also created complex and sophisticated security issues.
Assets and information that were once protected within the organization are now accessible online; customer channels are vulnerable to disruption; criminals have new opportunities for theft and fraud. As organizations grow both organically and inorganically, managing business and security operations is also becoming more complex.
So what is needed to address these targeted attacks? How can you gain visibility into these attacks and how can you stop them from causing further damage?
Organizations today thus face a continuously evolving threat landscape where the speed and intensity of attacks are increasing and the time available to respond is shrinking. As a result, organizations need to have rapid detection and response capabilities that allow for the synthesis of external and internal threat intelligence in a timely manner.
This “situational awareness” is a required component of an organization’s overall security posture and critical to maintaining the confidentiality, integrity, and availability of its information assets. Some of the key recommendations for an organization to step towards an effective security equation include:
• Set risk appetite and drive focus on what matters. Establish purpose and direction. Clearly articulate your cyber risk appetite and strategy. Support it by requisite action through funding and resourcing.
• Define the right balance between threat-centric vs. compliance-centric programs. Fully integrate cyber risk management into IT disciplines.
• Break down silos. Cyber risk is an enterprise-level issue. Lack of information-sharing is a top inhibitor for effective risk management.
• Be creative about cyber risk awareness. Your weakest link is the human factor. There is not enough talent to do everything in-house, so take a strategic approach to sourcing decisions.
• Incentivize openness and collaboration. Build strong relationships with partners, law enforcement, regulators, and vendors.
• Prepare for cyber-attacks by conducting war games, penetration tests, and exercising the cyber incident response plans.
• Have a threat intelligence mechanism in place – Focus on restructuring the diverse unstructured security data and information gathered from all the security entities and devices (recent and past events) to consolidate it into intelligence feeds, advice or a product, which can be used to make informed decisions in order to mitigate dynamic threats as per the environment.