Looking for B2B E-Commerce Leads? The E-Commerce Times Offers a 100% Satisfaction Guarantee Request Info

Posted By:  ECT News Network on 02/23/2018 in Security

3 Cybersecurity Priorities for SMB E-Tailers

3 Cybersecurity Priorities for SMB E-Tailers

Some small e-commerce website operators may think their relative obscurity offers protection, but the fact is that SMBs are especially vulnerable to cyberattacks and malware.

E-Commerce Times reporter Richard Adhikari recently checked in with cybersecurity experts for advice about what steps can be taken by small and medium-sized businesses to help protect against some of the most common cybersecurity threats and vulnerabilities.

"Very often small businesses don't feel vulnerable to cyberthreats because they assume cybercriminals prefer to launch attacks on large companies," said Stephanie Weagle, VP of Corero Network Security.

"On the contrary, cybercriminals have greater success in targeting small businesses," she told the E-Commerce Times.

The most obvious attacks involve the use of overt malware, such as ransomware, or redirection to potentially competitive websites, noted Chris Olson, CEO of The Media Trust.

Other attacks "may insert embarrassing language on the homepage or stealthily execute unwanted programs such as cryptominers, toolbars and fake surveys," he told the E-commerce Times.

There are three major threats SMB etailers can address effectively.

1. Unvetted Open Source Code

SMBs that use open source software to keep down costs may increase their vulnerability to cyberattack, Olson suggested.

"There is no accountability for the developer community should a feature or plug-in be compromised," he said.

"Thousands of retailers use open source platforms and tools to successfully launch their Web-based commerce operations," Olson noted.

"These open source tools are compromised on a regular basis via extension corruptions or the creation of flawed versions," he explained, "and as traffic and revenues grow, so does the attraction for criminals."

Etailers should avoid using open source code that has not been thoroughly vetted, Olson recommended. "For a modest investment, etailers can identify all executing code, analyze its relevance to website functionality, and remediate anomalous activity that could propagate an attack."

2. Risky Third-Party Web Components

Third-party Web components "are a significant problem for small businesses," said Sam Curcuruto, technology evangelist at RiskIQ.

Their users employ "a lot of plugins and open source code which can be exploited downstream to give hackers access to any Web properties running them," he told the E-Commerce Times.

Among such exploits are keylogger software, which steals credit card data when customers make purchases online.

The Magecart malware package, for example, injects JavaScript code into e-commerce sites running unpatched or outdated versions of shopping cart software from Magento, Powerfront and OpenCart.

Etailers can combat threats posed by third-party Web components by selecting a reputable website hosting provider or Web development company, and "making sure your contracts or agreements with them include routine and periodic security reviews," Curcuruto said.

They also should include a patching service level agreement, or SLA, "that notes how quickly updates will be applied to their servers and machines that might run your website or payment processing," he continued.

That would not only address security concerns, but also ensure compliance with regulations such as PCI-DSS, Curcuruto pointed out.

3. The Mushrooming DDoS Trend

One third of IPv4 addresses were hit by some kind of denial of service (DoS) attack between March 2015 and February 2017, the University of California San Diego reported.

More than a quarter of the targeted addresses in the study were in the United States. Several website hosting companies were major targets. Among the most frequently attacked were GoDaddy, Google Cloud and Wix.

The frequency of distributed DoS, or DDoS, attacks -- which are launched from multiple sources and are almost impossible to stop -- has been rising steadily, as more devices are connected to the Internet and as the Internet of Things takes shape.

"Today's DDoS attacks have evolved into increasingly sophisticated and damaging events," Corero's Weagle said. Dealing with the fallout -- service outages, recovery, communication, and regaining customer trust -- "is a long and costly road."

SMB etailers should pay their trusted ISP or hosting partner for automated DDoS mitigation at the network edge, Weagle recommended.

Your Service Provider's Role

"Leverage the security and infrastructure of Web services such as Amazon Web Services, Google and Azure," advised Don Duncan, security engineer at NuData Security.

The Infrastructure as a Service environment typical of such companies "provides the business continuity needed to keep the lights on," he told the E-Commerce Times.

Further, these services have standard SLAs that let retailers focus on their core business, Duncan pointed out.

Working with such managed service providers will address "SMBs' limited skilled manpower and technologies," said Gabi Reish, VP of product management and marketing at Check Point.

"There is no excuse for SMBs not to integrate a dependable cybersecurity solution," he told the E-Commerce Times.

The cybersecurity industry as a whole "is on a mission to provide strong cybersecurity solutions for SMBs," Reish said. Such solutions "must be very simple to operate and manage."

Cybersecurity Self-Defense

SMB etailers can take several simple steps to protect themselves, RiskIQ's Curcuruto emphasized, even if they lack IT personnel.

  • Set Google Alerts to track mentions of your company name, your key executives' names, and your product names.
  • Maintain password security. "Use complex passwords, as well as different passwords for different online services," Curcuruto advised. "Change them often, especially when a major breach happens with another organization that you have a login to."
  • Keep a clean digital presence online. "Make sure you know where your website is hosted, and the key contacts at the hosting provider," he recommended. "Deactivate or cancel accounts for products and services you don't use, and monitor those that you do by setting up account alerts or enabling two-factor authentication, especially for social networks."

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology. Email Richard.

About the Experts

Corero Network Security provides real-time, high-performance DDoS defense solutions. Service providers, hosting providers and digital enterprises rely on Corero’s award winning technology to eliminate the DDoS threat to their environment through automatic attack detection and mitigation, coupled with complete network visibility, analytics and reporting. This technology provides cost effective, scalable protection capabilities against DDoS attacks in the most complex environments while enabling a more cost effective economic model than previously available.

The Media Trust works with the world's largest, most-heavily trafficked digital properties, websites and mobile apps, to provide real-time security, first-party data protection and privacy, performance management and quality assurance solutions that help protect, monetize and optimize the user experience across desktop, smartphone, tablet and gaming devices.

RiskIQ digital threat management services provide comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. RiskIQ allows enterprises to gain unified insight and control over web, social, and mobile exposures. Its platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand attack surfaces, assess risk, and take action against digital threats.

NuData Security is a passive biometrics and behavioral analytics company. Its flagship product, NuDetect, helps companies identify users based on their online interactions - behavior that can't be mimicked or replicated by a third party. NuDetect analyzes hundreds of device, location, passive biometric and behavioral signals to build an ongoing digital identity. This analysis informs clients of fraud risk and gives them choices about what actions to take even before the transaction.

Check Point Software Technologies is a provider of cybersecurity solutions to governments and corporate enterprises globally. Its solutions protect customers from cyberattacks with an industry leading catch rate of malware, ransomware and other types of attacks. The company offers a multilevel security architecture that defends enterprises' cloud, network and mobile device held information, plus a comprehensive and intuitive one point of control security management system. Check Point protects over 100,000 organizations of all sizes.

Related Articles

Posted By: 

ECT News Network

Show Phone Number
View Profile

Member since 06/10/2017

Contact ECT News Network

Search Blog Articles

Get the ALL EC Newsletter