3 Ways to Minimize Cybersecurity Risks
E-commerce has become big business for a rapidly expanding ecosystem of internet retailers. A recent survey found that eight out of 10 Americans consider themselves online shoppers, and most make half of their purchases on the web now. With this growth comes a downside — more opportunity for cyber attacks. As retailers expand their businesses to remain competitive, their dependence on third-party vendors, partners and suppliers can expose an otherwise secure organization to a costly cyber attack. We saw this happen to CVS, Costco and others when a photo processing partner was breached and the retailers’ customer data, including credit card numbers and email addresses, was exposed. These incidents can drive shoppers away. A KPMG survey found that retailers could lose a fifth of their customers for good over a cyber attack.
Companies can’t operate in isolation, nor should they. More companies are connected than ever before so they can focus on their core competency and leave peripheral services to others. Here are three ways retailers can partner online and stay secure:
1. Minimize third-party risk.
A recent Ponemon study reported that approximately 49 percent of respondents confirmed a vendor caused a breach at their organization. Another study revealed that overall, companies don’t know how many third parties have access to their confidential information and how many are sharing data with others. To understand the risks posed by partners, companies need to first assess what data is shared with whom and then set controls as to the types and amount of data accessed. While a photo services provider might need to have access to a retailer partner’s customer data, it doesn't need access to customer logins on the main site, for example.
Third-party risk will also rise with the increased interdependency of internet platforms. Vendors may use specialized service providers for Domain Name Services, certificate provisioning and other services. Contracting with vendors that maintain effective security programs and understand and mitigate against even the largest Denial of Service (DoS) attacks is a requirement for these underlying technologies. This risk will continue to increase with the growth of the Internet of Things, where more and more devices will be online using often insufficient security practices.
2. Make information sharing an industry best practice.
Companies can’t operate in a bubble when it comes to security; they need information about attacks on other companies to know how to protect themselves, especially given how many customers use the same password on multiple retail sites.
Using shared information wisely is crucial to staying safe. It’s one thing to try to match indicators, such as IP addresses, host names and malware signatures shared by others against internal system and security logs. It’s even more helpful to use that information to identify larger trends, like types of attacks that are increasing as well as new adversaries or behaviors associated with threats.
Effective and timely data sharing also allows a retailer to continuously evaluate its security controls, and identify when it may be under attack. Joining and maintaining a proactive presence in a network like the Retail Cyber Intelligence Sharing Center can often be a useful first step.
3. Be prepared to mitigate the costs of an attack.
Retailers face, on average, at least eight cyber attacks per year, with 74 percent of them considered advanced threats, according to the Ponemon Institute. While the definition of an “advanced attack” is debatable, this does show that retailers must anticipate attacks and take preventative measures designed to detect and block attacks, like using web application firewalls and endpoint visibility software.
DoS attacks launched by botnets in particular can be an issue for retailers, which often lose money for each second their site is unavailable to shoppers. Being prepared for attacks is less costly than cleaning up afterward having done no preparation.
Companies also need to properly vet partners to ensure they take precautions to keep data and networks secure and prevent attackers from leapfrogging into an unsuspecting partner network. Ensuring appropriate reviews of the security programs of partners is time consuming, but pays off dividends in the long run. It’s typically a great time to agree on joint procedures to deal with any unfolding security incident that may take place later on.
Finally, retailers need to know how to respond to an attack, how to lock down systems, determine what data was exposed, alert customers if necessary, and clean up after the incident. It's important to have all the necessary forensics and investigative skills either in-house or contracted through a set of providers that are knowledgeable of the retailer's environment.
IBM estimates data breach costs average as much as $4 million, and top online retailers are at risk of losing up to $1 million for every minute of downtime. Companies can’t afford to have blind faith in the security of their partners.
Maarten Van Horenbeeck is the vice president of security engineering at Fastly, an edge cloud platform that powers fast, secure and scalable digital experiences.