Making cybersecurity in the ecommerce sector enforceable
Cyber attacks and and online data breaches are unfortunately regular topics of discussion across a wide range of industries.
In fact, ecommerce losses to online payment fraud alone were estimated at $41bn globally in 2022, up from the previous year. The figure is expected to grow further to $48bn by 2023, according to Statista.
With all this, the race to get ahead of these attacks and keep data secure is paramount - so what can your business do to stay safe?
Security in ecommerce
TechRadar Pro spoke to Pawel Trocki, Chief Product Officer at G2A, a digital marketplace headquartered in the Netherlands, with offices in Poland and Hong Kong
Discussing the security associated with other vendors, Trocki says the best way to enter into any partnership to make sure security is at the forefront is to follow strict procedures.
“There are certain processes and procedures that we follow. It's not like we connect somebody without checking and verifying whether the environment is safe and secure. We process a tremendous amount of data and have a team of people to verify whether the vendor meets our standards,” he says.
“In terms of the standards, we use the same technology as Shopify, Google etc because it’s not like we are niche players. We don’t enter relations that will have our data or our customer data at risk.”
Shopify's compliance covers all six PCI standard categories, and applies to every store using its platform. All stores powered by Shopify are PCI compliant by default in order to keep payment information and business data safe.
“In terms of payments, we are always evolving, having more than 200 payment methods currently. If you look at it from the perspective of a business that needs to invest in certain functionalities and certain solutions, we are following the trend that has traction, because if you invest in everything that pops up, you’ll lose money,” Trocki adds.
“So if this kind of solution, for example, QR code based solutions or Metaverse payment options, will be sustainable, we will definitely be there. Of course, not all of the methods are heavily used, if I will say that probably credit cards, payment cards, and PayPal are the most desired payment methods. The security is maintained just as any other vendor or marketplace is preserving the security. These cloud based solutions are either tokenized or the security layer is provided by the vendor who is PCI DSS certified.”
Testing sites for cyber breaches
It’s not just about the type of cyber security software used that will keep hackers at bay, as Trocki explains the importance of regular testing for phishing attacks.
“We regularly perform fake phishing attacks. Also, because after the pandemic, everyone realized they prefer working from home, we have some software from Fortinet to protect our systems. You have to connect via VPN if you want to have access to our systems,” he says.
“We’ve heard some countries don’t believe that having a central unit that will take care of security is enough. We provide security with training, and with tests so that any employee is aware of breaches or dangers that may appear because we handle customer data and we are very aware of that.
“Whenever there’s a new type of phishing attack, we make sure that our employees are aware of it. That's probably the best way to secure ourselves in terms of platforms and the systems.”
G2A’s main goal isn’t to necessarily enforce security but to create a team that has security in mind.
“We don’t have a separate security department, we have security architects that create standards and do training sessions for developers and employees. We also do external pen tests using external companies a few times a year,” he continues.
“We are cooperating with Akamai in three areas. First is reverse proxy, meaning our content is cached on over 1,000 Akamai servers. We have our own on-prem infrastructure; and our core is in a data center in the Netherlands. We also use Akamai as an application firewall for security purposes and their bot manager tool because around 70% of traffic from ecommerce websites are from bots. You have to manage them because there are good bots and bad bots. We have protection against DDoS attacks and fraud attacks on our website.”
Familiar attacks are easier to test, fake and even duplicate in order to strengthen protection against future cyber breaches of that nature. But what about those newer attacks that aren’t so recognizable?
The possible solution
In terms of the overall security market, the common notion right now is that the current way to prevent attacks is to detect them. The problem is your business can’t detect everything, and it takes some time before you are able to detect something that’s already in the network.
Ken Levine, CEO at computer and network security company Xcitium says, “The industry agrees that there’s malware inside your network now - everybody’s got something bad running in there. The question is, is it really bad? How long has it been there? What's it going to do?
“And so what we do is because we've kind of changed that dynamic a little bit, as the protection ends up being a ‘better after the fact’ tool. Malware is sitting in your network undetected for X amount of time and the average now is a matter of days for the better side before you latch on. Kind of like a parasite. It used to take months for malware to launch, now it’s a matter of hours,” he adds.
“What we do is assume there’s bad stuff coming in, we quarantine it, and then we do an analysis in it then make a verdict on whether it’s okay. If it’s not okay, we get rid of it.”
Xcitium recently announced availability of its advanced endpoint security solution for customers, with or without EDR products.
According to Tim Bandos, EVP of SOC services at Xcitium: “However sophisticated your security stack, there will always be new threats that slip through the cracks. With an estimated 560,000 new pieces of malware created every day, legacy EDR vendors will fail to detect anywhere between 1% and 5% of unknown hostile payloads that cause immense damage.”
Dwell time is the amount of time it takes to detect an initial infection by an attacker from the moment it enters the system. As dwell time increases, so do the chances of damage, disruption or theft from malware, phishing, ransomware and other forms of cyber attacks.
Levine adds that no system that relies on detection alone can ensure all malware will be found and eliminated before it causes damage.
“Traditional detection is unable to detect unknown objects, and this is why breaches and ransoms persist worldwide,” he says.
It’s important to note that this example is just one solution of the several being worked on across global cyber security firms. The fact still remains that there’s no current solution to stop the malware from coming in, just preventative measures from it doing damage.