***We enjoy shining the spotlight on fellow experts in tech, business and dispute management. Maddie Davis, co-founder of Enlightened Digital, has news (and advice) to share about cyber attacks in ecommerce. Enjoy!***
The foundation of any customer-consumer relationship is trust: trust in the quality of a product, the efficiency of service and the knowledge that sensitive payment details will be kept between the two parties. Unfortunately, as long as commerce has been around, so has fraud, marking a constant battle businesses have fought for decades.
With the rapid evolution of ecommerce painting a picture of a world in which shopping is largely done online comes a new cause for concern when it comes to the safety of customer data. The typical online transaction requires users to input anything from simple personal identifiers like names and addresses to more confidential information like credit card numbers, security codes and even social security numbers.
Cybercriminals benefit from stealing the above information by using it for any number of nefarious purposes, including identity theft, sabotage, personal or political grudges and, most commonly, for pure financial gain through the sale of sensitive data to others.
Headlines about such breaches have become too frequent and exponentially harmful to wave off as unfortunate but isolated cases. In fact, just this month British Airways reported a data breach in which data was stolen from nearly 400,000 credit card transactions made over the past year.
What is cyber security?
It may seem as though businesses are powerless to stop cyber attacks, but that isn’t the case. The field of cybersecurity has emerged as an answer to the numerous data breaches that have been carried out since the dawn of the internet. By ensuring the integrity, confidentiality and availability (ICA) of a system’s data, cybersecurity experts help to serve as gatekeepers for your business.
One of the best ways to understand the value of a comprehensive security strategy in the online age is to dive into some of the most common cyber attacks, as well as some possible solutions. Let’s take a look at a few of those now.
Phishing
A play on “fishing for information”, this refers to cybercriminals using bulk emailing tactics to gain access to sensitive information under the guise of an email from an established site like a social media platform, bank or technical support team. By masquerading as something that you recognize and likely trust, the person or group behind the phishing scheme hopes that you will lower your guard enough so that you open the fraudulent email, possibly clicking on a link injected with malicious code.
Other types of phishing include voice or text phishing using fake caller IDs, domain spoofing, website forgery and social engineering. In any case, hackers count on users thoughtlessly opening a suspicious email rather than investigating the contents of a message, including any links, thoroughly. One method businesses are using in an attempt to combat this sinister practice is educating their employees and user base on how to recognize a phishing scheme, as well as sending out an alert when IT staff detect a possible phishing attempt targeting their business.
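One check that mail-filtering or user-awareness tooling can apply to the domain spoofing and forged-link tricks described above is to compare where each link in a message says it goes with where it actually goes. The following is an added example, not code from the original post or from Enlightened Digital; the trusted-domain list and the sample message are constructed for illustration.

```python
"""Flag links in an HTML e-mail whose visible text names one domain while the
href points somewhere else, or whose target lies outside the domains the
business actually sends from. Added example; the trusted domains and the
sample message below are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical set of domains the business legitimately links to in its mail.
TRUSTED_DOMAINS = {"example-bank.com", "support.example-bank.com"}

# Visible text that looks like a URL or bare domain, e.g. "www.example-bank.com".
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?", re.I)


def registrable_domain(host):
    """Crude last-two-labels reduction (no public-suffix list), so that
    'login.example-bank.com' -> 'example-bank.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return a list of findings, one per link that fails either check."""
    parser = LinkCollector()
    parser.feed(html)
    trusted = {registrable_domain(d) for d in TRUSTED_DOMAINS}
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        reasons = []
        # Check 1: the real target is not one of our own domains.
        if href_host and registrable_domain(href_host) not in trusted:
            reasons.append("href points outside trusted domains")
        # Check 2: the text shown to the user names a different domain than the href.
        if LOOKS_LIKE_URL.fullmatch(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
                reasons.append("visible text names a different domain than href")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: the first link displays the bank's domain but resolves elsewhere.
SAMPLE_EMAIL = """
<p>Your account has been locked. Please verify your details.</p>
<a href="http://example-bank.com.verify-login.net/reset">www.example-bank.com</a>
<a href="https://support.example-bank.com/help">Contact support</a>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print(finding)
```

The second check is the one that catches the classic display-text/href mismatch; the first catches links to unknown domains outright. A production filter would replace the two-label reduction with a public-suffix list and would also resolve tracking redirects before comparing hosts.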
Cyber fraud
Similar to phishing, and in many cases using similar techniques, cyber fraud is defined as a crime in which either a computer or network was used or was the target. According to the FBI’s Internet Crime Complaint Center, cyber fraud accounted for reported losses exceeding $1.4 billion.
These crimes are typically motivated by financial gain, with two of the most common being email compromise, as identified above, as well as fraudulent returns or “chargebacks.” Chargeback fraud occurs when a criminal makes an online purchase and then requests a refund after receiving goods and services. This is especially prevalent among major online retailers like Amazon, who rely on their massive inventory of goods and expedient shipping as the backbone of their business.
Businesses can track and prevent fraudulent chargebacks through the use of scalable enterprise software that keeps shrinkage costs low by providing a dispute process aimed at targeting consumer fraud.
Ransomware
Ransomware involves the encryption of another person’s or company’s data with the intent to demand a ransom in order to release their information back to them. However, the criminal might decide not to restore access even after the ransom has been paid, and returning to a compromised system isn’t always worth capitulating to demands.
On the other hand, rebuilding systems from scratch is a costly affair. The Pennsylvania Senate Democratic Caucus recently paid Microsoft over $700,000 to completely redo their network and IT infrastructure after refusing to fold to a ransomware demand of about $30,000.
Though costly in the short term, restructuring your security system is something any organization must do in order to guarantee the safety of their data, so it’s worth the investment. Making sure systems are up-to-date, including all security patches, and backing up important files will ensure that you don’t lose critical data even in the event of a serious breach.
Distributed Denial of Service (DDoS)
A DDoS attack targets a specific function on a webpage (and in the scope of certain larger attacks, an entire website), making it impossible for a service to be delivered. This involves the brute force overloading of a system through a strategic abundance of malicious requests for data so that they overwhelm a system’s bandwidth capacity, thereby “crashing” the site. DDoS attacks can also exploit app weaknesses, crippling your site by shutting down a valuable business channel. For businesses that rely on their ecommerce profits, crashed servers could add up to thousands of dollars in lost revenue per hour.
Typically, DDoS attacks are carried out through infected endpoints. Hackers use botnets, or collections of systems injected with malware, in order to flood a server with traffic that they can then systematically wear down through information overload. Carnegie Mellon University’s Software Engineering Institute suggests designing the architecture of your system to be as resilient as possible. This can include decentralizing your servers (it’s especially important to geographically disperse your servers if you operate largely on the internet), eliminating single points of failure, ensuring a diverse system of network pathways and investing in more heavy-duty hardware and bandwidth to minimize vulnerabilities.
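Architectural resilience is the long-term answer, but an operations team also wants to see a flood as it starts. The sliding-window check below, an added example that is not from the original post, walks web-server access-log lines and reports sources that exceed a request threshold within a short window. The Common Log Format, the threshold and window size, and the sample lines are all assumptions constructed for the example; a volumetric attack that saturates the link upstream will not show up here at all, so this is an application-layer signal only.

```python
"""Detect sources sending an abnormal number of requests in a short window,
using a per-source sliding window over access-log lines. Added example; the
log format, thresholds and sample lines are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "req": m["req"],
        "status": int(m["status"]),
    }


def flooding_sources(lines, window_seconds=10, max_requests=20):
    """Return {ip: peak_count} for every source whose request count within any
    window_seconds interval exceeded max_requests. Lines are expected in the
    order the server wrote them (i.e. timestamps non-decreasing per source)."""
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in an unexpected format rather than crash
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        # Drop timestamps that have aged out of the window.
        while window and (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_requests:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(window))
    return peaks


def make_line(ip, second, path="/checkout"):
    """Build a constructed CLF line at 12:00:<second> on a fixed date."""
    return f'{ip} - - [10/Sep/2018:12:00:{second:02d} +0000] "POST {path} HTTP/1.1" 200 512'


# Constructed sample: one source fires 30 requests in 6 seconds (5 per second),
# a second source makes three ordinary requests spread over 40 seconds.
# Both addresses are from documentation-only ranges.
SAMPLE_LOG = [make_line("203.0.113.7", i // 5) for i in range(30)] + [
    make_line("198.51.100.4", s, "/") for s in (0, 20, 40)
]

if __name__ == "__main__":
    for ip, peak in flooding_sources(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests inside a 10 s window")
```

The output of such a check is a candidate list, not a block list: legitimate shared NATs and crawlers also produce bursts, so the numbers feed a rate limiter or an analyst rather than an automatic firewall rule.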
Remote exploits
Perhaps even more alarming than a DDoS attack, remote exploits latch on to system vulnerabilities without any prior access to the system. That means there’s no need for a botnet, Trojan horse or any other tool commonly used by hackers to leave a door open for entry. This usually only affects systems with glaring security errors in their frameworks, but it’s not uncommon for a group of cybercriminals to regularly monitor larger organizations, especially financial institutions, searching for a flaw that will allow them access to a system. Upon gaining access, an individual can grant administrative privileges to themselves, theoretically giving them unfettered access to the ins and outs of an entire system.
One common theme throughout all of the above cyber attacks is the existence of human error. Whether that refers to insufficient IT staffing, the use of out-of-date, unpatched software or system frameworks rife with vulnerabilities, a large portion of attacks can be chalked up to a need for a strengthened cybersecurity strategy. Otherwise, businesses are essentially leaving the door unlocked and the lights on for hackers who are looking to get their hands on consumers’ personal data.
So what preventative measures can your business take right now? For one, invest in hiring a strong IT team and outsource supplemental tasks to third-party security vendors and software companies that have experience dealing with the dark side of the internet. Make sure you communicate with them so you know what their responsibilities are as well as what your team is responsible for updating and maintaining to avoid any lapses.
This constant vigilance also applies to the software you use to perform daily business functions. It’s important to take a critical look at your company’s current and future needs and upgrade accordingly. As more and more devices become interconnected, the cloud has sprung up as an answer to both administrative and security issues plaguing traditional hardware-only systems.
For many larger organizations, such as hospitals, these were previously home to isolated silos of data that were incredibly difficult to back up and decentralize. In fact, according to industry leaders like Mark Hurd of Oracle and former US Chief Information Officer Vivek Kundra, cloud-based systems are more secure and predicate their existence on the basis of constant innovation, making it that much easier for brands to stay on top of emerging tech trends. This is vital in an age where hackers have begun to utilize more complex forms of cyber warfare, including artificial intelligence and machine learning.
It seems like every day there’s another headline about yet another company being the target of a massive data breach, compromising the personal data of millions of their users. Because these events are becoming all too commonplace, it’s important to understand what a business can do to ensure that it’s offering the most airtight and pleasant ecommerce experience it possibly can.
As individuals, dealing with the looming threat of a cyber attack can seem overwhelming. The good news is that even at the individual level, there are things you can do to keep your data safe. The Department of Homeland Security recommends using strong passwords and two-factor authentication, using encrypted forms of internet communication while at work, creating backup files, and keeping software and operating systems up to date.
Beyond that, investing in the right software and IT infrastructure and regular employee training sessions can also help keep your customers’ data out of the hands of cybercriminals at a much larger organizational scale. Simply put, data breaches and cyber attacks are a serious violation of privacy, both for the business and the consumer, in any industry. If your ecommerce enterprise is to succeed, it has to take into account the importance of this trusted relationship and work hard to protect it.
Meet Our Guest
Maddie Davis is co-founder of Enlightened Digital and a tech-obsessed female from the Big Apple. She lives by building and redesigning websites, running marathons, and reading anything and everything on the NYT Best Sellers list.