December 7 2023
Introduction to Ecommerce Cybersecurity
Within the e-commerce industry trust is placed between the end user and the provider not just for the delivery of a product, but to ensure that the user’s personal information is protected. A loss of trust from consumers could negatively impact the operation of a platform and result in reduced business.
Ensuring a strong security posture online will help maintain this trust and continue the smooth operation of e-commerce platforms.
As the popularity of e-commerce has risen so has the number of cyber threats which target online businesses. From the start of 2023 until October, Kaspersky identified that 13,390,142 phishing attacks had been performed using e-commerce platforms as a lure.
If attackers are not targeting the end users, they could be attempting to compromise the e-commerce platforms and data hosted within. Again in 2023 Honda’s e-commerce platform was identified to contain a vulnerability with its password reset function. Attackers could have exploited this to change large amounts of user passwords and gain access to the dealer’s sensitive information.
The protection of user and customer data is paramount for any organisation. Falling victim to an ecommerce cybersecurity attack could result in heavy monetary penalties or financial losses. It was reported in 2019 by Robert Johnson III, the president and CEO of Cimcor Inc, that 60% of small e-commerce organisations go out of business following a cyber-attack.
To help secure an e-commerce platform and maintain the trust of users this article will provide information on the following topics:
- UK laws to be aware of.
- General Data Protection Regulation (GDPR)
- Data Protection Act 2018
- NIS Regulations (Network and Information Systems Regulations 2018)
- Payment Services Regulations
- Best practice guide for securing your e-commerce platform.
- Use Strong Authentication and Access Control
- Keep Software Up to Date
- Secure Payment Processing
- Regular Security Audits and Penetration Testing
- Implement a Web Application Firewall (WAF)
- Data Encryption
- Strong Password Policies
- Employee Training and Awareness
- Regular Backups
- Protection Against DDoS Attacks
- Implement Security Headers
- Monitor Suspicious Activity
- Third-Party Integrations
- Incident Response Plan
- Secure Development and Code Reviews
- Employee Awareness
- Data Privacy and Compliance
UK Laws to be Aware of
In recent years new laws have been created to enforce a basic standard for protecting the users of e-commerce platforms against cybercrime and place an element of responsibility with the providers. All e-commerce businesses should be aware of the following laws that are in place which.
GDPR, implemented May 15th, 2018, is a law passed by the European Union which imposes obligations on an organisation regardless of where they exist, if they target or collect data relating to people within the EU.
GDPR aims to ensure the protection of personal data, with breaches of GDPR potentially leading to heavy fines of either 20 million euros, or 4% of global revenue, in addition the subjects whose personal data has been compromised have the right to seek compensation.
The Data Protection Act was the UK’s implementation of GDPR following Brexit. Like GDPR it sets standards for organisations that possess the personal data of its users. These standards specify rights for the subject of the personal data to ensure their personal information is kept secure, transparency over how their data is used, and that it can be removed if they so wish.
The NIS regulations were implemented for digital service providers such as e-commerce businesses as well as operators of essential services. They provide legal measures to increase the level of security of these providers and their underlying network and information systems that provision the digital platforms.
The payment services regulations were implemented to improve protection for consumers and help protect them from fraud. In addition, they stipulate how payment information and transactions stored and operated. Payment service providers that fail to comply with the regulations are at risk of financial or criminal penalties.
For e-commerce organisations cybersecurity frameworks and standards play a crucial role in helping organizations seeking to achieve effective security measures to protect their information systems and data. The UK National Cyber Security Centre’s (NCSC) Cyber Essentials and Cyber Essentials Plus are frameworks designed for organisations to follow so that they can be confident they are implementing cybersecurity best practices. However, it should be noted that these frameworks are not laws but rather guidelines aimed at promoting good cybersecurity hygiene.
Best Practice Guide
The following best practices will help to ensure that an e-commerce organisation will be less at risk of compromise and will be partially or completely compliant with legal and or regulatory requirements.
Use Strong Authentication and Access Control
Implement multi-factor authentication (MFA) for administrative access.
Administrator accounts often contain higher privileges for the assets they control, as well as access to sensitive information. Therefore, they should always be protected with more than just one form of authentication to reduce the likelihood of a compromise.
Limit access rights to only those who need them.
Access rights when not properly assigned can allow users to perform actions or see data they should not have permission to. By following this policy of least privileges and assigning access for only what is necessary to a user this reduces the risk of access rights being abused.
Regularly review and revoke access for employees who no longer require it.
As employees may have access to sensitive information it is imperative that as soon as they are no longer part of an organisation their access is revoked. This will help to protect sensitive information from being compromised or leaked and prevent any malicious actions from being performed by any ex-employees with ill intentions.
Keep Software Up to Date
Ensure the eCommerce platform, plugins, and software are regularly updated with the latest security patches.
Security vulnerabilities are often identified in assets in use by e-commerce platforms, in underlying infrastructure, or third-party assets such as plugins. However, vendors of these products will implement security patches and updates to resolve these vulnerabilities. Therefore, it is important to ensure the latest patches are applied as soon as possible to reduce the likelihood of vulnerabilities being exploited.
Implement an update schedule to avoid falling behind on updates.
Using a regular update schedule will help in maintaining software and ensure that important patches are not missed, or not installed for long periods. It is recommended that security updates are installed within 2 weeks of release.
Test updates in a staging environment before deploying them to the live site.
Implementing patches may break or change functionality within software or on web applications, therefore its recommended to apply all patches on a staging environment first and observe how it operates. This way any unexpected or negative effects won’t affect the live environment and cause problems for end users.
Secure Payment Processing
Use a secure and reputable payment gateway
Using a secure and reputable payment gateway will help ensure that payments are conducted securely and efficiently. This will help to maintain the consumers trust and avoid fraud or illegitimate orders.
The following are recommended:
- net – Has strong fraud prevention.
- Stax – Great for high-value transactions.
- Shopify – Perfect for e-commerce startups.
- Elavon – Works well with existing point of sale systems.
- Stripe – Contains lots of customisation options.
- PayPal – Versatile and has global recognition.
Implement encryption (SSL/TLS) for data transmitted during payment transactions.
Payment transactions should be encrypted during transmission. If an attacker was able to intercept communications between the end user and the payment processor this could put their sensitive payment information at risk and result in fraud or theft. By encrypting the communication this will greatly and almost eliminate this risk.
Avoid storing sensitive payment information like credit card numbers. If necessary, use tokenisation or a third-party payment processor.
Sensitive information such as credit card numbers should not be stored within e-commerce platforms, as it greatly increases the severity of a compromise.
Instead utilise tokenisation, where sensitive data is replaced with unique identification symbols. These symbols contain all the relevant information of the sensitive data, without exposing the data itself.
Alternatively utilise a third-party payment processor which are designed to store payment data and handle transactions securely.
Regular Security Audits and Penetration Testing
Conduct regular security audits and vulnerability assessments.
Utilising security audits and vulnerability assessments can help an organisation to identify easily exploitable vulnerabilities, as well as areas in which they could improve their security posture. By conducting these audits regularly an organisation will help to minimise the likelihood of a compromise.
Perform penetration testing to identify potential weaknesses in your system.
A penetration test performed by trained professionals will potentially uncover vulnerabilities within an organisation that would not be identified by an automated scan. Penetration testers would perform the same steps that an attacker would and will identify the vulnerabilities that could pose a critical threat to an organisation’s platform and infrastructure.
Implement a Web Application Firewall (WAF)
WAFs are designed to filter our malicious traffic which would be sent by attackers. This could be requests that contain payloads for commonly targeted vulnerabilities such as:
- SQL injection which could pose a risk to the confidentiality of sensitive data and underlying infrastructure.
- Or Cross-site scripting that may result in users being tricked into providing their sensitive data to a web page crafted by an attacker.
While WAFs are a good defence against malicious requests they can occasionally be bypassed by a highly skilled attacker. Therefore, alongside its implementation its recommended to ensure secure code practices are followed such as sanitizing all user input fields.
Encrypt customer data, especially sensitive information like passwords and personal details.
All customer data which contains sensitive information should be encrypted at rest and when in transit. This will prevent an attacker recovering the data if they compromise wherever it is contained, or the communications between the two parties submitting the data.
Use encryption protocols like HTTPS to secure data in transit.
To protect data in transit the encryption protocol HTTPS (Hyper Text Transfer Protocol over SSL) would encrypt all the data being sent between two parties. Therefore, an attacker who can intercept and read the communications would be very unlikely to recover any sensitive data from the transmission.
Strong Password Policies
Enforce strong password requirements for employee accounts.
Weak passwords are known to attackers and readily available on lists online to be tried against user accounts. Therefore, it is important to ensure that all employees are using a strong password to reduce the likelihood of an attacker gaining access to their account.
Educate employees about the importance of using unique and complex passwords.
As well as using a strong password employees and users need to understand the importance of this. An attacker who gains access to even a low-privileged user account can use this as a starting point to eventually gain access to high-privileged accounts. If an attacker gains access to an account with high enough privileges this can have disastrous effects such as launching a ransomware attack or causing irreversible damage or corruption to sensitive data or infrastructure.
Employee Training and Awareness
Implement comprehensive cybersecurity training for all employees, including customer service.
All users within an organisation should be educated on the risks of working online and how to avoid threats. Without awareness or training a user may fall victim to a cyber-attack, which cannot just affect the person who was targeted but the whole organisation.
Regular workshops on identifying phishing attempts and social engineering tactics.
Having regular workshops on how to spot a phishing email and other social engineering attempts can help users within an organisation to steer clear of falling for any of these types of attacks. Simulated phishing campaigns can also be performed by professionals to see which users in an organisation are more likely to be tricked by a social engineering attempt and highlight them for further awareness training.
Establishing clear guidelines for handling customer data and sensitive information.
By establishing clear guidelines for handling sensitive data this will reduce the likelihood of it being unintendedly exposed by a user. Guidelines should be easy to understand and comprehensive to cover all aspects of controlling and distributing sensitive data.
Encouraging a culture of reporting security concerns without fear of reprisal.
Users should feel that they can report a security concern such as clicking a link in a suspected phishing email or accidentally exposing some sensitive data without reprimand. In the event of a security breach hiding the issue could lead to further and longer lasting consequences, therefore its important that such events are reported to the relevant authorities as soon as they occur.
Keep your team informed about the latest security threats and best practices.
When staff members are aware of the latest ecommerce cybersecurity attacks and how they have occurred this will help them to be more vigilant to threats and be more educated on what to look out for. Staff with higher security hygiene will be harder to trick therefore increasing the security of an organisation.
Conduct periodic security training sessions.
Periodic training sessions for security will also increase the knowledge of security for staff members. A wide range of topics can be covered such as but not limited to:
- What is phishing?
- How to spot a phishing attempt.
- Why strong passwords are required.
- Risks of leaving a machine unlocked.
Implementing a strong ecommerce cybersecurity hygiene culture in the workforce will make it much more difficult for an attacker to achieve exploitation.
Regularly back up the website and databases to allow for ‘rollbacks’.
In some instances, cyber-attacks or through releases of updates this could corrupt or delete some data or prevent websites from functioning correctly. Therefore, it’s important to maintain regular backups of previous builds and databases. In the event of corruption or data loss the website or database could be rolled back to the previous state to minimise the damage.
Store backups in a secure, isolated location.
To ensure that backups can be used effectively they must be stored in a separate, secure and isolated location. In an attacker was able to corrupt or destroy backups this would lead to incredibly severe delays and make disaster recovery significantly more difficult.
Protection Against Distributed Denial of Service (DDoS) Attacks
Use Content Delivery Networks (CDNs) to distribute traffic and mitigate DDoS attacks.
DDoS attacks are usually effective when targeting one server. Using a CDN will spread the traffic of users accessing a web application to multiple different servers – therefore reducing the likelihood of a DDoS attack being successful in preventing access.
Investment in DDoS protection services to monitor and block malicious traffic.
By investing in DDoS protection services this will help to identify and prevent DDoS attacks in their early stages before they are successful in overloading a server and causing downtime.
Implementation of rate limiting to prevent excessive requests from a single source.
Web applications may allow a user or attacker to repeatedly send the same request with no intervention. When there is no control in place an attacker could repeat the same in large quantities within a matter of seconds and repeat this process until the application either crashes or is filled with arbitrary data. By implementing rate limiting this would restrict users / attackers to only be able to send a set number of requests within a time frame – helping to reduce this risk.
Creation of an incident response plan to address DDoS attacks swiftly.
Creating an incident response plan can help organisations recover from DDoS attacks by having appropriate steps to take to minimise damage. Like performing fire drills in a building an incident response plan will prepare staff what to do in the event of a DDoS attack and ensure that a controlled response to minimise the damage or stop the DDoS attack all together is in place. NCSC provide further guidance on a DDoS incident response plan.
Implement Security Headers
Use security headers like Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS) to mitigate certain types of attacks.
Security headers can be implemented in web applications so that in a user’s browser session certain attacks are harder to exploit. A couple examples are:
- Content Security Policy: Enforces where applications can load scripts or other assets from. This will help to prevent an attacker tricking victim user into visiting malicious web pages by exploiting an XSS vulnerability.
- HTTP Strict Transport Security (HSTS): Forces the user’s browser to send all requests over HTTPS, which encrypts all of the data being transmitted. Therefore, it is very unlikely that an attacker who can intercept the users traffic will be able to recover any of the sensitive data.
Further recommendations for security headers can be found here.
Monitor Suspicious Activity
Set up monitoring systems to detect unusual or suspicious activities.
Monitoring systems can be configured to provide administrators of organisation a heads up if malicious or suspicious traffic is received. Alerting an administrator to suspicious or malicious traffic allows them to proactively block the attackers IP or make sure that malicious requests are blocked.
Implement intrusion detection and prevention systems.
Intrusion detection and prevention systems can provide an automated solution to preventing most forms of malicious network traffic. They are designed to recognise and block requests which they identify as a potential threat.
Vet third-party services and plugins for security before integrating them into your site.
It is important to make sure that it is understood which plugins are in use within an e-commerce platform and that they have been security tested and do not currently contain vulnerabilities. Using plugins that do have vulnerabilities could lead to a compromise of the affected web applications. An example of this is the GDPR breach that affected British Airways when using the Magecart plugin.
Ensure that any third-party services you use follow security best practices.
As trust is being placed in third-party services to potentially have access to your data, or they use functionalities that control the data it is imperative that they also maintain good security hygiene. Third parties that does not meet these requirements should be avoided as any cyber-attack that affects them could result in an organisations own asset being affected.
Incident Response Plan
Develop a plan for responding to security incidents.
Should a security incident occur a response plan should be implemented so that members of an organisation know exactly which steps to take to resolve the issue. By panicking and reacting in an unorganised manner ecommerce cybersecurity issues could have more severe and longer lasting impact.
Creating a breach response process.
In the event of a breach clear steps should be outlined and created that allow for quick resolution and alerting any parties effected. Suggested steps are as followed:
- Identify the source of the breach, i.e. Human error, vulnerability being exploited.
- Confirm exactly what sensitive information was disclosed.
- Resolve the vulnerability which lead to the breach.
- Alert all affected parties of the information that has been disclosed.
Secure Development and Code Reviews
Integration of security measures during the development phase (secure coding practices).
Ensure when developing a product, it follows secure coding practices during the development phase. This will help to reduce the likelihood of vulnerabilities being present in the application on release and make it harder for attackers to exploit.
Regular code reviews to identify and fix vulnerabilities in the source code.
Performing regular code reviews will help to identify and fix vulnerabilities within the code of the application before a new version is released. This will also reduce the chances of a vulnerability being exploited after the application goes live.
Use of automated tools for static and dynamic code analysis.
Automated tools can be used to review code more efficiently and faster to identify any potential issues, which a developer can then manually review and implement fixes for to further secure the application.
Collaboration between developers and security experts for robust coding.
Security experts may be able to identify vulnerabilities within coding that a developer was not aware of. Collaboration between these two parties can lead to more secure and effective code within the application.
Data Privacy and Compliance
Whilst not an ecommerce cybersecurity prevention consideration as such, adherence to relevant data protection regulations (e.g., GDPR, CCPA) will help provide a clear structure when managing and requesting customer data.
The compliance and guidelines which were discussed previously will help an organisation in understanding the risks of managing sensitive data of its customers. In addition, they will provide information on how to secure the data and ensure that best practices are followed so that the likelihood of a breach or a compromise is lowered.
Clear and transparent privacy policies for customers.
To maintain customer trust, it is important they are aware how their data is being used and potentially passed between parties. These policies should be easy to understand and assure the customers that their data is being handled responsibly and safely.
Obtaining explicit consent for data collection and processing.
Consent must be provided but customers or users regarding how their data will be used and processed. Without the consent of the data subject this could result in breaches of GDPR, and recompense for the affected party.
Regular audits to ensure compliance with data protection standards.
Performing regular audits will help an organisation maintain its compliance with all the various standards and requirements. This is important to ensure business continuity, allow the organisation to grow, and increase the trust of the consumer.