Posted on Jun 24, 2020
With so many people cooped up indoors for months, online retail has been just about everyone’s best friend: retailers of all sizes, from large corporations to local mom and pop stores, have used their web and mobile applications to deliver food and orchestrate curbside pick-ups, and of course there’s been plenty of online shopping.
But shoppers aren’t the only ones frequenting retailers. Cyber criminals are also targeting online retail, and those ecommerce sites that aren’t up on retail cybersecurity may find themselves the targets of a breach.
This can be particularly devastating for smaller businesses — according to the Ponemon Institute’s most recent Global State of Cybersecurity in Small and Medium-Sized Businesses report, attacks on smaller businesses are increasing, and they’re also increasingly sophisticated, with attackers relying on deception-based attacks like phishing. The problem is, smaller retailers don’t have the funds to bounce back from an attack like a big chain can. If a local store offering curbside pick-up through their new app is targeted, a breach might bankrupt them, whereas a big box store might be able to absorb the hit and move on.
For this reason, it’s important to head off attacks before they happen, rather than simply wait to respond. Fortunately, cybersecurity tools like SecurityScorecard can help ecommerce sites shore up their retail cybersecurity before a breach occurs.
Because of the nature of their business, retailers face unique cybersecurity issues; they take money and ship goods, so there are often many places where bad actors can slip into the process and try to grab information, money, or goods for themselves. Below are five common cyber challenges faced by retailers.
Brick and mortar stores are often robbed for their registers, and ecommerce is much the same — most cybercriminals who rob stores are after money, even if they’re robbing an online store. The retail industry is often targeted by criminals who want to get their hands on customers’ credit and debit card numbers as well as other payment information. As payment styles have changed, so have attacks: cards are no longer present in all transactions, so criminals now try to get other sorts of data, like customers’ personal information and passwords. This can take the form of credit card fraud, attempts to breach point of service systems, or even shipping fraud to steal goods that were legitimately purchased and route them elsewhere.
As retail has moved transactions to web applications, so have cyber attacks moved to the web. Attackers have targeted vulnerable web infrastructures with a variety of attacks, ranging from distributed denial of service (DDoS) attacks — attacks in which bad actors use multiple computers to overwhelm a server with fake traffic — to malware to SQL injections, which inject malicious SQL commands into a site’s existing scripts. Any of these can shut a site down to legitimate customers.
Patching is good, commonly accepted cyber hygiene practice, but it’s important to face facts: software often goes unpatched. That’s a big problem; if there is an unpatched vulnerability in your ecommerce web app, a criminal who finds it will definitely use it to gain access and perform some of the attacks mentioned above, like SQL injections (but also PHP and local file injection).
The best way to understand how an attacker is thinking of breaching your organization is to see your security from the outside. SecurityScorecard’s Ratings allow you to do that by offering easy-to-read A-F scores. Our ratings map your risk across 10 groups of risk factors, including web application security, network security, leaked information, and patching cadence.
We let you see where your organization is most at risk — if something hasn’t been patched, if stolen credentials are being sold, or if your web application is being targeted. Then we tell you what steps you need to take to secure your site and network so that your data, and your customers’ information, are safe and protected.