11 eCommerce Security Threats and How to Mitigate Risk

Written in collaboration with Rewind

As our lives and businesses become increasingly digitized, cybercrime has become something everyone should be concerned about. In the past, individuals and small businesses were rarely singled out as targets; that is no longer the case.

Because cybercrime is accelerating so rapidly, cybersecurity is now one of the fastest-growing segments of the technology industry. As soon as one threat is identified and mitigated, new ones appear to take its place, and security teams must stay alert to smarter and more destructive attacks with a wide range of objectives.

To complicate matters, malicious actors do not all share the same goals. Money is the most common motive, but sowing chaos, spreading falsehoods, and destroying online reputations are just as prevalent. The perpetrators could be anyone from a lone individual to an organized group of scammers or a politically motivated organization, and nobody is exempt from risk.

The Threat Environment From an eCommerce Perspective

eCommerce businesses are targeted for a long list of reasons, and a business that falls victim stands to lose a great deal.

According to a recent IBM study, the average cost of a data breach is about $3.86 million globally and $8.64 million in the United States. The same study reports that the average time to identify and contain a breach is 280 days. Even if the organization can continue operating, its reputation may be irreparably damaged.

eCommerce grew exponentially during the pandemic and now accounts for more than 20% of all retail, for a total of $861 billion in 2020.

If eCommerce systems are breached, sensitive customer data, including personally identifiable information (PII) and payment card information, could be exposed.

To date, some of the biggest breaches include:

  • Walgreens exposed PII of up to 10 million customers through a bug in its mobile app's secure messaging feature that let some users view other customers' messages.
  • J. Crew fell victim to a credential stuffing attack that exposed customer accounts and information, including the last four digits of their credit cards, billing addresses, and expiry dates.
  • Marriott exposed the records of up to 500 million guests when its Starwood reservation database was compromised, and in a separate, smaller incident attackers used the login credentials of two franchise employees to reach further guest records.
  • Capital One's cloud storage was breached by a former employee of its cloud hosting provider, who exploited a misconfigured web application firewall to obtain personal credit information on more than 100 million individuals in the US and Canada, including a subset of social security and social insurance numbers.

These are just a handful of examples, but they show that even the most trusted and diligent companies are at risk. The takeaway is that any organization is vulnerable: no matter how well you think you are protected, you could be exposed without realizing it.

Major eCommerce Security Threats to be Aware of in 2022

Here is a list of the top 11 active eCommerce security risks today:

  • Lack of security policies and training. Employees must be trained on and aware of company security policies, which should be updated periodically to cover new threats. New hires should be required to read and sign the security policy so that accountability is clear.
  • Unpatched or outdated software is a ready-made entry point for attackers. Beyond your firewall, anti-virus, and endpoint security, make sure the SaaS apps and plugins you install come from reputable vendors, apply security updates promptly, and remove software and plugins you no longer use.
  • Social engineering is a collection of tactics aimed at your employees to trick them into giving up login credentials or account information. Some campaigns are sophisticated enough to be nearly impossible to spot. Teach employees what to look for and make it easy for them to report suspicious requests.
  • Bots can be configured to scrape competing eCommerce sites for pricing and inventory information in order to undercut your sales. They can also hoard inventory in shopping carts so that your store appears sold out, costing you revenue.
  • DDoS (Distributed Denial of Service) and Denial of Service attacks have a single objective: to take your website offline. A DDoS attack uses a large number of compromised computers and devices to flood your systems with requests until the site can no longer respond.
  • Trojan horses are malicious applications disguised as legitimate software. Once a user installs one, it carries out its real purpose: stealing payment information, PII, or company data, or modifying or blocking access to data.
  • Payment card fraud takes many forms. In card testing, attackers flood a merchant's checkout with small purchases on stolen card numbers to find ones that still work, then use those cards for larger purchases elsewhere. The merchant loses the goods and is also liable for the chargeback, and often a chargeback fee, once the fraud is detected. Other schemes include buying a product, using it, and then requesting a refund.
  • SQL injection targets any input (search boxes, login forms, URL parameters) whose value is spliced into a database query, letting an attacker extract, modify, or delete data, and on some database servers run operating system commands. Attackers can bypass logins, change account balances, void transactions, or dump everything in the database.
  • Malware refers to the vast body of security threats delivered as code. It can be merely annoying or devastating, can bring any company to its knees, and does not only target large organizations.
  • Skimming captures payment card data in real time during a transaction. In its online form, attackers inject malicious JavaScript into checkout pages that copies card details to a server they control as the customer types them.
  • Scraping extracts pricing and inventory data from eCommerce sites so it can be replicated on a competing or fraudulent site.
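The SQL injection entry in the list above is the one item that can be shown concretely in a few lines. The following Python is an added example, not code from the article or from Rewind. It uses an in-memory SQLite database with a constructed customers table; the table, column and function names are assumptions for illustration. It shows the vulnerable pattern (a request value pasted into the query text), the same lookup done with a bound parameter, and an allow-list for the one case parameters cannot cover, a column name chosen by the user:

```python
import sqlite3


# Constructed demo data: a minimal customers table (schema is an assumption).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, balance REAL)"
    )
    conn.executemany(
        "INSERT INTO customers (email, balance) VALUES (?, ?)",
        [("alice@example.com", 120.0), ("bob@example.com", 40.0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The pattern the article warns about: the request value is pasted
    straight into the SQL text, so it can rewrite the WHERE clause."""
    query = f"SELECT id, email, balance FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: the driver sends the value separately from the
    SQL, so whatever the attacker types is compared as a literal string."""
    return conn.execute(
        "SELECT id, email, balance FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Identifiers (table/column names) cannot be bound as parameters, so a
# user-chosen sort column must be checked against an allow-list instead.
ALLOWED_SORT_COLUMNS = {"email", "balance"}


def list_customers(conn, sort_col):
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_col!r}")
    return conn.execute(
        f"SELECT id, email, balance FROM customers ORDER BY {sort_col}"
    ).fetchall()


# Classic tautology payload: closes the quoted string and appends OR '1'='1'.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row leaks
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no such email: []
    print("sorted:    ", list_customers(db, "balance"))
    try:
        list_customers(db, "balance; DROP TABLE customers")
    except ValueError as exc:
        print("rejected:  ", exc)
```

Against the payload, the vulnerable lookup returns every customer while the parameterised one returns nothing, because the driver never lets the value become part of the SQL. The same rule applies to every database driver and ORM: bind values, allow-list identifiers, and never build query text from request data.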

Mitigating the Risk: Taking Action

Here are a few essential security practices you should implement immediately:

  • HTTPS using TLS, the encrypted form of HTTP, on every page and not just checkout, so that data between the browser and your site cannot be read or altered in transit. Retire SSL and obsolete TLS versions, and set an HSTS header so browsers refuse to connect insecurely.
  • Payment gateways make payments safer by keeping card data off your own servers, which shrinks both your risk and the scope of your PCI DSS obligations. Hosted payment pages or third-party processors such as PayPal, Stripe, or Square go a step further.
  • Secure your servers and admin panels with strong, unique passwords and role-based access so that each account has only the permissions it needs. Enable multi-factor authentication on every administrative login.
  • Firewalls are an inexpensive and effective way to protect your network perimeter, and a web application firewall adds a layer in front of the store itself.
  • Anti-virus and anti-malware software are foundational to any eCommerce security program. Choose solutions with real-time protection and always buy from a reputable vendor.
  • Employee and client training is essential for any organization. Your team should know your security policies, and the policies themselves should be reviewed and updated regularly.
  • Cloud backups protect your eCommerce business from costly downtime. Backups are not a security control in themselves, but they are an essential failsafe after a breach, ransomware, or any other data loss. Keep at least one copy isolated from your production credentials and test restores regularly.
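The measures above reduce exposure, but the card-testing pattern from the threats list (a burst of small purchases on many different stolen cards) still shows up in your own checkout logs, even when a gateway handles the card data. The following Python is an added example, not Rewind's code or a tool the article names. The log format, the IP addresses, the thresholds and the per-IP sliding window are assumptions constructed for the demonstration; a real deployment would tune the thresholds against its own traffic and key on more than the source IP, since testers rotate through proxies:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format (an assumption for the example): one checkout
# attempt per line with the source IP, amount, card BIN and gateway result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) event=checkout amount=(?P<amount>[\d.]+) "
    r"bin=(?P<bin>\d{6}) result=(?P<result>\w+)$"
)

# Constructed sample: 203.0.113.7 probes six different cards for $1.00
# in under a minute; the other two addresses are ordinary customers.
SAMPLE_LOG = """\
2022-06-17T10:00:01Z ip=198.51.100.2 event=checkout amount=79.99 bin=411111 result=approved
2022-06-17T10:00:05Z ip=203.0.113.7 event=checkout amount=1.00 bin=411111 result=declined
2022-06-17T10:00:09Z ip=203.0.113.7 event=checkout amount=1.00 bin=520082 result=declined
2022-06-17T10:00:12Z ip=192.0.2.9 event=checkout amount=45.00 bin=371449 result=declined
2022-06-17T10:00:14Z ip=203.0.113.7 event=checkout amount=1.00 bin=378282 result=declined
2022-06-17T10:00:18Z ip=192.0.2.9 event=checkout amount=45.00 bin=371449 result=approved
2022-06-17T10:00:20Z ip=203.0.113.7 event=checkout amount=1.00 bin=601111 result=approved
2022-06-17T10:00:25Z ip=203.0.113.7 event=checkout amount=1.00 bin=353011 result=declined
2022-06-17T10:00:31Z ip=203.0.113.7 event=checkout amount=1.00 bin=411112 result=declined
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    ev["amount"] = float(ev["amount"])
    return ev


def detect_card_testing(lines, window_s=60, max_declines=4, max_bins=5,
                        small_amount=5.0):
    """Sliding per-IP window over small-value checkout attempts.

    An IP is flagged once (thresholds are assumptions) when, within
    window_s seconds, it has either max_declines declined attempts or
    attempts against max_bins distinct card BINs. Larger purchases are
    ignored so a customer retyping one card is not caught.
    """
    windows = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["amount"] > small_amount:
            continue
        window = windows[ev["ip"]]
        window.append(ev)
        # Drop attempts that have aged out of the window for this IP.
        while (ev["ts"] - window[0]["ts"]).total_seconds() > window_s:
            window.popleft()
        declines = sum(1 for e in window if e["result"] == "declined")
        bins = {e["bin"] for e in window}
        if ev["ip"] in flagged:
            continue
        if declines >= max_declines or len(bins) >= max_bins:
            flagged.add(ev["ip"])
            alerts.append({
                "ip": ev["ip"],
                "at": ev["ts"].isoformat(),
                "declines": declines,
                "distinct_bins": len(bins),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_card_testing(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample the detector raises a single alert for 203.0.113.7 at the fourth decline, and ignores the legitimate customer whose $45 card was declined once and then approved. In practice the alert would feed a block or a step-up challenge at checkout, alongside whatever velocity rules your gateway already applies.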

If you’re looking for a way to protect your business from costly downtime, Rewind is the leading backup platform for eCommerce, enabling companies to back up, restore, and copy the critical data that drives their business. Companies such as Hint, MuteSix, and Hawke Media all work with and trust Rewind. As a Stairway to CEO listener, you can get a FREE 30-day trial of Rewind and start mitigating your risk from security threats today!

If you’re interested in how these companies were built, you can hear their inspiring founder stories on the Stairway to CEO podcast; Episode 99 with Kara Goldin, the Founder & CEO of Hint, Episode 28 with Steve Weiss, the Founder & CEO of MuteSix, and Episode 7 with Erik Huberman, the Founder & CEO of Hawke Media.


Written in collaboration with Rewind, a leading provider of SaaS apps. Since 2015, Rewind has helped over 100,000 businesses back up their data on Shopify, QuickBooks Online, BigCommerce, GitHub, Trello, and more.


6/17/2022
