Anthony Webb: E-Merchants – Secure Your Online Sales from Cybersecurity Threats for 2021 and Beyond
Written by Anthony Webb, EMEA Vice President, A10 Networks
Last year, online retailers started to offer prolonged sales periods, in the hopes of recouping revenue lost through the closure of many ‘brick and mortar’ stores, due to the COVID-19 pandemic. Removing this element of ‘seasonality,’ retailers quickly pivoted to predominantly online sales, leading to a significant uptick in users and devices connecting to websites than in recent years.
Good Cybersecurity is Crucial for eCommerce Success
The good news for e-tailers is that overall sales are expected to continue to grow this season. This has added importance when many e-commerce businesses have faced unprecedented disruption. However, one thing is clear: Online sales will take centre stage. In a recent report, it was reported that global ecommerce sales will reach $4.2 trillion and make up 16% of total retail sales and this is only set to continue as we venture into 2021.
However, just as online sales are at the forefront, so should cybersecurity. Retailers aren’t the only ones looking to capitalise on the increase in online spending. With the element of seasonality largely disappearing within e-commerce, hackers have an enlarged window of time to profit. We’ve already seen a huge uptick in cyber-threats due to COVID-19. Now, continuously busy e-commerce channels provide cyber-criminals with additional motivation to launch their attacks using some of the below tactics:
Phishing – Phishing and its variants, including spear-fishing and whaling, are email-based attacks that leverage social engineering techniques to fool recipients into providing sensitive information to the attacker. While spear-fishing and whaling attacks are more targeted than phishing, all three forms attempt to get the victim to read the email, click on a link, possibly open an attachment, and ultimately disclose valuable personal or corporate information.
Ransomware – Ransomware attacks seek to extort money from victims by encrypting access to files or entire systems until they pay the attacker a ransom, have become increasingly popular in recent years. Much of this has to do with the potential to make large sums of money from the ransoms. Another reason for the rise in ransomware attacks is the availability of Ransomware-as-a-Service (RaaS) kits, which are inexpensive to purchase on the black market, making it easy for novice hackers to launch their own attacks. Phishing emails are the top threat vector to distribute ransomware.
Distributed Denial of Service (DDoS) – DDoS attacks are designed to stop a computer, server, website, or service from operating by flooding it with internet traffic generated by an army of bots called a botnet. The tremendous growth in Internet of Things (IoT) devices, many of which are not secured, has made it easier for attackers to take control of more devices and create botnets. DDoS attacks can be especially damaging to e-commerce businesses if customers can’t access their websites to make purchases.
Malware – Malware attacks take many forms including viruses, worms, spam, spyware, and more. Some malware threats such as spam are more of an annoyance, while others such as viruses and worms can spread across a network infecting systems and negatively impacting their performance and user productivity. Similarly, spyware can slow down systems. However, it can also be used to report sensitive information such as passwords back to the hacker.
Injections – Injection attacks such as cross-site scripting and SQL injections are used to exploit vulnerabilities in web applications by injecting malicious code into a program, which then interprets the code and changes the program’s execution. In other words, it gets the application to do something unintended such as alter the behavior of a website or expose confidential data like login credentials to the attacker. E-commerce businesses hit with an injection attack could find their customers redirected to a fake site which illegally harvests customer information.
The Consequences of Poor Cybersecurity
With e-commerce transactions continuing to boom, effective cybersecurity takes on added importance. If e-commerce merchants are not prepared to stop malware, DDoS attacks, and other threats, the consequences of a successful attack could be the difference between surviving and ceasing trading. Here’s what businesses could be facing:
Lost Revenue – Any downtime to a web server that prevents customers from making a purchase is damaging to online sales and can potentially have a severe impact, especially for smaller organisations.
Data Theft – The increase in online shopping is a lure for cybercriminals to launch attacks aimed at stealing corporate and customer data. Phishing emails claiming to have information on fake shopping receipts, shipping status, and customer surveys are very popular in the run-up to Christmas.
Disruption of Services – DDoS and ransomware attacks can target services that we deem essential. E-commerce sites, public utilities, and schools are just a few examples of their victims. Shutting down access to a service, even for a short period time, can have major financial and social impacts.
Damaged Reputation – Damage can extend beyond short-term financial losses and data theft. Consumer confidence and brand reputation can quickly erode when consumers have a poor online experience. Customers aren’t shy about using social media to express their displeasure.
Reduced Productivity – It’s not just customers who feel the impact of a successful attack. If employees can’t access the applications they need to do their jobs, expect to see a drop in productivity with an accompanying rise in undesirable workarounds.
Steps to Take for 2021 and Beyond
Cybersecurity isn’t just something to think about during traditionally busy shopping periods such as Christmas. It’s an everyday concern. Fortunately, there are some things that organisations can do to keep applications, networks, and the business safe from threats, especially during peak online shopping periods.
First, look for a solution that provides DDoS detection and mitigation to ensure services are continually available to legitimate users. Hackers have learned how to weaponise IoT devices to launch complex multi-vector and volumetric attacks, capable of bringing down application servers and entire networks.
Second, protect web-based applications with web application firewall (WAF) technology. Outdated applications are especially vulnerable to attacks. A WAF will secure them from hackers looking to exploit HTTP and web application-based flaws.
Third, find solutions that meet current and future platform needs. Organisations may not have transitioned to the cloud yet, but they’ll likely have some cloud-based apps. They must be sure their solution is ready when the company is ready, whether it is moving to a hybrid cloud or multi-cloud infrastructure. And finally, continue to educate employees on the need for good cyber hygiene. According to a 2019 IBM study, 95% of cybersecurity breaches are caused by human error.
With this shift to online a potentially permanent one, e-commerce merchants should expect these sustained levels of activity going forward, throughout the entire year. Therefore, it is imperative that e-commerce businesses secure applications, servers, and networks from cyber threats at all times.