Almost every month a new incident involving a big retailer, e-commerce or web platform makes the news headlines. Gartner says that worldwide information security spending will reach $71.1 billion, almost 8% growth, as organisations become more threat-aware. Meanwhile, the global cost of cybercrime has exceeded 400 billion dollars, most retail fraud is now committed online, and in 2014 alone hackers managed to steal more than 61 million records from retailers. Even though organisations are spending more, they continue to lose money.

We will try to analyse the most common managerial and operational mistakes retail organisations make when defending against hackers.

Underestimating the value of their data on the Black Market

Many online businesses, e-commerce sites and online retailers still seriously underestimate the Black Market value of the data they possess and handle every day. Customer databases from online stores are probably among the most expensive on the Black Market, because they usually contain correct, up-to-date and complete customer records, sometimes with credit card numbers or other financial data. Records of better quality can only be found in e-banking databases, but those are not as widely available on the Black Market, so they are traded far less.

Completeness and accuracy are very important factors in database pricing on the Black Market. Even spammers prefer to purchase personal records stolen from an online shop rather than from a blog or a free forum, because they can better target their subsequent spam emails for a higher click-through rate, which in turn generates more income.

Obviously, cyber criminals who make money via stolen credit cards or identity theft need as much information about their victims as they can obtain in order to bypass fraud prevention systems. Customers of online stores are therefore perfect targets for them as well.

Gaining a false sense of security from big budgets

Quite often, companies purchase several very expensive solutions (such as SIEM or DLP) from well-known security brands without really analysing whether the solution is actually what they need and is appropriate for their business environment. Unfortunately, there is no magic solution that suddenly resolves all their problems in its default configuration.

I have witnessed large e-commerce businesses that spent several tens of thousands of dollars on WAF or IPS solutions and then failed to enable them, because the default configuration blocked too many legitimate users. I have even witnessed large companies where the security team was reading a penetration test report six months after it was delivered, while top management was convinced that they were doing very well at ensuring corporate cybersecurity according to industry best practices. Obviously, I am not surprised that hackers are still making headlines.

Failing to conduct proper and independent risk assessment

As we hear about attacks on the Targets and eBays of this world, many SME e-business owners gain a false sense of security, believing that they will not be attacked because their customer databases are not big or interesting enough for hackers.

This assumption is incorrect because, in the majority of cases, hackers are not looking for the customers and data of a specific web shop; they are looking for commercially exploitable data. All retailers are at risk and should have a cybersecurity strategy in place.

Before spending a single cent on cybersecurity, the very first step is to conduct a thorough risk analysis. A risk analysis is the vital foundation without which it is impossible to build and maintain a secure infrastructure. First of all, you need to properly identify sector-specific, regional and corporate cybersecurity risks, as all of them should be taken into consideration.

Then you need to understand how serious the consequences and associated losses of these risks are. Finally, you need to sort the risks by their priority for your business. When identifying the risks, don’t rely on your in-house team only; the more external experts you involve, the better. Turn to your colleagues from other companies to see which risks, problems and incidents they have had recently. Many, if not the vast majority of, security breaches occur because a security team hasn’t taken a particular risk into consideration, or didn’t assign it the right priority when allocating human and financial resources.

Failing to select both efficient and effective products

Only when your cybersecurity risks are properly identified, analysed, understood and prioritised is it the right moment to select solutions to mitigate them. In today’s overheated security market, many companies fail to identify solutions that are both efficient and effective for their infrastructure. Efficient means doing the job well in comparison to others in the same niche; for example, an award-winning antivirus that technically outperforms other AV solutions can be considered efficient.

However, a solution’s efficiency does not in any way guarantee that it will be effective for your business environment and its related risks. Effective means doing the right and appropriate thing for your particular circumstances. For example, an antivirus will hardly replace a professional DLP solution, and if your main concern is an insider threat then AV is not an effective solution to mitigate it, even if the AV sales manager tells you otherwise.

Sticking to one supplier or vendor

Sometimes companies source all their cybersecurity solutions from one vendor or reseller in order to simplify the buying process and have a single point of contact for any cybersecurity issue. In fact, very few companies can offer a complete portfolio of products and services without outsourcing or subcontracting. Obviously, vendors, especially large companies, will try to sell you everything they can; however, such practice is far from technically efficient. Every vendor should provide you with the specific expertise in which its products or services outperform the others on the market. Otherwise your cybersecurity budget and efforts will be in vain.

Information security products and services definitely need diversification. For example, web application security involves regular vulnerability and malware scanning, web penetration testing services, an integrated and managed Web Application Firewall, a data integrity monitor, and an IDS that will alert you to any anomalies. Obviously, even for this relatively short list, it is difficult to find a company that will provide top quality across all of these items without calling in its partners or third-party suppliers.

Talk to your colleagues, read analysts’ reports, check the media and independent reviews, and make a short-list of suppliers that you are interested in working with.

In the end you will be able to compare their offerings and see which company inspires you with confidence. And try to avoid working with resellers and third-party integrators – these guys very often try to sell you the solutions that bring them more money, not more security for your network.

Getting information from wrong sources

Statistics are not always a reliable guide in cybersecurity. For example, a sudden jump in data breaches sometimes only reflects one big hack (e.g. Target) that inflated the total number of compromised records. At the same time, many security incidents are never publicly disclosed and therefore never make it into any statistics. Many security consultants and analysts can provide you with nicely written reports about recent trends and statistics in cybersecurity. Quite often, however, these reports omit or fail to highlight the real risks, talking instead about marketing hype such as Advanced Persistent Threat (APT) protection or Dark Web threats.

If you want to understand the latest trends in web application security, for example, read Bugtraq and vendor-neutral white papers about new web attack vectors. Talk to your local law enforcement agencies – they can share interesting experience about the latest cybercrime cases in your domain of activity that the infosec media will probably never write about. Finally, visit websites like XSSposed and see how all modern WAFs are being bypassed on the live websites of multinational companies.

Perceiving security as a follow-up, not as a continuous process

Many large e-commerce companies give priority to the development of new functions, features or products, completely forgetting to secure them before deployment. In the aggressive and highly competitive business world it is a pretty understandable approach: if your competitor is the first company to launch a new mobile platform, its shares will go up while yours go down.

However, think about the consequences if tomorrow your company makes a sensational headline for the biggest data breach in your sector. Keep in mind that once stolen, your data will remain on the Black Market forever, and the losses you incur may last many years, as you cannot predict when hackers will decide to launch targeted phishing campaigns against your customers. Therefore, bear in mind that any data breach can have long-lasting repercussions for you and your company.

By Ilia Kolochenko, CEO of High-Tech Bridge and Chief Architect of ImmuniWeb.
