The Current State of U.S. E-Commerce Cybersecurity
To emulate Jerry Seinfeld for a moment: what’s the deal with U.S. e-commerce cybersecurity?
InfoSec journalists and analysts the world over have been reacting to the 2018 Thales Data Threat Report, which paints a grim but not irreversible state of affairs for online businesses. According to the report, half—yes, half—of U.S. retailers suffered a data breach in the past year.
This represents a significant increase over the year prior, in which only 19% reported a breach; at time of writing, 75% of U.S. retailers have suffered at least one e-commerce cybersecurity failure.
What can explain this state of affairs in e-commerce cybersecurity?
In part, it is because data breaches are not singular events—they have cascading effects across the internet and across the U.S. e-commerce marketplace. Once a data breach compromises end-users usernames and passwords, hackers will use this stolen login information to engage in credential stuffing.
This type of attack sees hackers using the stolen login information to spam everywhere simultaneously, looking for reused passwords and usernames. Because so many users do in fact reuse their credentials, the hackers are often successful…leading to more data breaches.
Research by Shape Security indicates that credential stuffing is successful 3% of the time, costing e-commerce businesses $6 billion a year. Moreover, 90% of online retail login attempts are credential stuffing attacks.
Antivirus, Detection, and Encryption Issues Persist
Another factor to keep in mind is that e-commerce cybersecurity is often outright inadequate.
According to the Thales Data Threat Report, only 26% of U.S. retailers’ e-commerce cybersecurity platforms use encryption to secure their most sensitive data. This is despite the fact that, more perhaps than any other economic sector, retail has embraced cloud migration and IoT adoption—which leads to a more porous IT perimeter.
Adding to the tension, e-commerce cybersecurity is often reliant on legacy antivirus solutions, which can only detect compromised endpoints half the time; further, the time to detect a digital compromise can take over a year—long after the threat has done damage.
Awareness Doesn’t Always Mean Action
It’s one of the great challenges of the modern age: just because retail enterprises are aware of their cybersecurity risk does not mean they will act on that knowledge or act according to best practices.
The Thales Data Threat Report notes that U.S. retailers are becoming more aware of their digital vulnerability, but their security investments still heavily favor tired legacy antivirus solutions—which have been proven to be ineffective to IT perimeters at best and actively detrimental at worst. Worse yet, U.S. e-commerce cybersecurity still tends to see relatively paltry investments, and 41% of retailers still don’t see a need to spend on data security.
Good Old-Fashioned Modern Advice
The Thales Data Threat Report found that 84% of U.S. retailers say they plan on spending more on their e-commerce cybersecurity. This is largely positive news but without knowing what to focus on, this money can go to waste.
Here’s some good e-commerce cybersecurity advice for your retail enterprise:
Make Endpoint Security One Part of the Whole
Endpoint security, which evolved out of traditional antivirus, is the most-well known subsection of cybersecurity—and thus the one that sees the most investment from enterprises.
Don’t get us wrong: preventing and deterring threats is a hugely important aspect of good e-commerce cybersecurity (and cybersecurity overall). But the cybersecurity paradigm is shifting to a more detection-focused model, and for good reason—no preventative measure is 100% effective.
So if your retail business is looking into improving its cybersecurity, consider investing in solutions that will complement and supplement your endpoint security. SIEM and identity and access management can find and remove credential stuffing or penetrative attacks while your endpoint security blocks malware and ransomware.
Only by their powers combined can you rest relatively easy.
Know The True Extent of Your Perimeter
Endpoint security creates an IT security perimeter by securing all of your endpoints. But wait—what about the cloud? Or the IoT? Or mobile devices? These are all part of your network, but are they part of your security perimeter?
Make sure your endpoint security solution can and does cover these aspects of your IT perimeter and keep it from becoming porous. The more secure your attack vectors, the less likely a hacker will try anything on your network—they’ll seek out an easier target instead.
EDR, EDR, EDR
We’re in a detection world at the moment, and endpoint detection and response (EDR) has become a hot capability in endpoint security. Indeed, EDR can catch an additional 26% of digital threats on enterprise networks—no sum to sneeze at! So make sure your endpoint security has EDR ready to deploy and make sure your IT security team can handle it as it can be demanding.
Indeed, digital security can be demanding and stressful for online retailers…but the alternative is far worse!