eCommerce, Big or Small – Are You Being Hacked Right Now?
eCommerce has changed the way we shop and has brought huge benefits to consumers and businesses, but it comes with increased risks. Criminals are increasingly exploiting the weaknesses in businesses’ IT systems, applications and processes.
According to British government statistics, there were 2 million cyber crimes last year, and that number is increasing fast. That’s because cybercrime is potentially very lucrative, and the risk of getting caught is relatively low compared with other crimes.
We know from our own research that 79% of all businesses, both large and small, are at risk.
Why should a small eCommerce business care?
Because your business is just as much at risk as any other business. Cybercrime could cost your business time and money. In fact, it could put you out of business altogether. It’s not just the direct financial loss – for example, being held to ransom following an attack – like the NHS was. It’s also the cost and time of dealing with attacks and getting your business back to normal, the damage to your reputation, customer confidence and future business.
Many independent bodies have run their own studies on just how much an attack can cost a merchant. According to Worldpay/Vantiv, the average cost of a breach for a small to medium-sized organisation in the US is $117,000, which could be catastrophic for most. For larger businesses, IBM estimates the average cost of an attack to be a staggering $3.86 million, and the average cost of a data breach to be $148 per customer. If that’s not reason enough, the law requires you to protect customer information, and it is getting tougher.
Carphone Warehouse was fined a substantial £400k for not protecting its data. Under the new regulation (GDPR), which came into force in May 2018, the maximum potential fine increases from £500k to £20 million or 4% of annual global turnover, whichever is higher.
Is there someone sneaking around in your eCommerce environment right now?
The average window of compromise, the time it takes to discover that an intruder has found their way into your eCommerce environment, is 4-6 months, so your customer data could be getting stolen as you read this article. That time scale is less than ideal: just take a minute to think about the amount of data that could be stolen in that time. It takes so long because most eCommerce merchants have no way of seeing what is going on in their website from a cyber security perspective.
To be in the best position to avoid a breach and loss of data, two layers of protection are advised:
- WAF (Web Application Firewall)
- Threat Detection System, which gives cyber security insight into your eCommerce environment
“Do I need it though?” and/or “I can’t justify spending money on web security!”
The most common question people have when inquiring about additional layers of website protection is “Do I really need it?”
The answer is more complicated than a simple yes or no. The requirements of PCI DSS, which governs how you should trade online, do not explicitly include the implementation of a WAF or Threat Detection System. They do, however, require you to monitor logs and file changes.
Unfortunately, many businesses see PCI compliance as an inconvenient cost of doing business, something they have to do. From a mindset perspective, it is understandable that these businesses then seek to do the absolute minimum to achieve compliance. However, this often ends with the business experiencing a breach: if they think purely about how to minimise their compliance overhead, rather than taking a “security-first” approach, they become the “low hanging fruit” that criminals love.
The breach invariably involves payment card data, and all of a sudden the liabilities and costs begin piling up, usually dwarfing the investment that would have been required to secure the business in the first place. As a result, and understandably, most breached organisations have a very different view of security and compliance after a breach.
And this is before you consider GDPR...
GDPR fines are potentially far more serious for a business, sharply increasing the likelihood that a small to medium-sized business goes into administration as a result. The case for securing your business has never been as strong, and the benefit of doing it well is that, with appropriate protection and monitoring in place, a business can substantially reduce the time taken to identify a breach, which in the long run will save the business considerable time and money.
How can we help?
Foregenix has over ten years’ experience in forensic analysis of hacked businesses and has worked on some of the biggest data breaches across the globe. This experience has been used to develop a range of cyber security solutions specifically targeted at securing online merchants and preventing such compromises. Forensics is part of our DNA; therefore, we bake into all our products, and dynamically update, the latest malware and attack MOs (we call them Indicators of Compromise) that our Digital Forensics and Incident Response (DFIR) team see daily.
One of our solutions, FGX-Web, is an advanced, cloud-based online website security solution that complies with the Payment Card Industry Data Security Standard (PCI DSS), which is a must if you accept, process or store credit card data.
FGX-Web protects your business against the two main types of attack:
- Distributed Denial of Service (DDoS): attacks that prevent you from doing business – selling to customers and getting paid
- Data breaches: unauthorised access to information, for example customer credit card details. These losses are very serious and have costly consequences for your business
FGX-Web works in the same way as a burglar alarm installed in a face-to-face merchant’s store. The Threat Detection System, or alarm, sits on the web root of your server and monitors your website for malware, unprotected payment card data, file changes (file integrity monitoring), website configuration issues and access-log anomalies. The scanners alert you by email should there be anything high risk that needs to be looked at right away. Ideally, you want to stop a burglar from entering the premises in the first place, and this is where the WAF comes in. Think of it as a gatekeeper that sits in front of your eCommerce website blocking out 99.9% of online attacks. These include DDoS, SQL injection, cross-site scripting, application vulnerability exploits, injected code (malware), bad robot attacks and many other attack types.
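To make concrete two of the detection checks described above (file integrity monitoring over the web root, and scanning for unprotected payment card data), here is an added illustration written for this article; it is not FGX-Web’s or Foregenix’s own code, and the web root path, baseline storage and alerting around it are left to the reader.

```python
import hashlib
import os
import re
# Constructed example, not Foregenix's or FGX-Web's code: a minimal
# file-integrity baseline and an unprotected-PAN scan over a web root.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, spaces/dashes allowed

def luhn_ok(digits):
    """Luhn checksum; rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text):
    """Return Luhn-valid card-number-like strings found in text, digits only."""
    cands = (re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(text))
    return [c for c in cands if luhn_ok(c)]

def _files(root):
    """Yield (relative path, absolute path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root), path

def snapshot(root):
    """Baseline: relative path -> SHA-256 of contents for every file under root."""
    snap = {}
    for rel, path in _files(root):
        with open(path, "rb") as f:
            snap[rel] = hashlib.sha256(f.read()).hexdigest()
    return snap

def diff_snapshots(old, new):
    """Classify changes since the baseline; every entry is an alert candidate."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def scan_for_pans(root):
    """Files under root holding Luhn-valid card data in clear text, with hit counts."""
    findings = {}
    for rel, path in _files(root):
        with open(path, "rb") as f:
            hits = find_pans(f.read().decode("utf-8", errors="ignore"))
        if hits:
            findings[rel] = len(hits)
    return findings
```

Keep the baseline off the web server and compare on a schedule: an intruder who can modify files in the web root can just as easily rewrite a baseline stored beside them.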
You would think that, with the technology available to us these days, there would be an impenetrable solution that protects you from absolutely anything and everything. Unfortunately, that just doesn’t exist. We believe FGX-Web to be the most comprehensive website security solution on the market, but there are areas of your website security that may rely on users, third parties, hosting providers and others.
That’s why we include a breach warranty, ranging from £2,500 to £50,000 for every website we provide our protection service to. The warranty covers PCI related forensic costs and bank liabilities that are associated with having a website breached and payment card data stolen.
As attacks on web applications become increasingly advanced, security solutions will become a necessity. At this moment in time, many businesses seem to be holding off on spending that extra money, opting out until it’s too late. This reactive approach needs to be turned into a proactive one, so we can all get ahead of the game. Do yourself, your business and your clients a favour and get your website secured.