The world has quickly shifted from brick and mortar to a digital landscape, and the result is a booming e-commerce world. This has been a trend for the past two decades, and COVID-19 has made this model not only a convenience but also a necessity.
For the retail world — including tool and equipment rental—a quality e-commerce platform provides not only goods and services but, more importantly, it offers a seamless, easy-to-use customer experience. Critical to this experience is the security of the customer’s data, transactions, and delivery. In the digital world, information can be disseminated quickly. Stolen data can have a significant impact on consumers and retailers.
Adapting security to an e-commerce model
To safeguard against security breaches, asset loss, and fraud, assess the risk involved with the e-commerce platform. It’s all about the customer, the data, and the transaction—and looking at each facet to ensure everything is done in a controlled, predictable manner.
This is challenging because e-commerce platforms are entire ecosystems consisting of databases, mobile and web applications, inventory, and financial systems. From a mobile app perspective, security must account for the fact that an outside interface connects to a retail outlet’s system to complete transactions. The app design must prevent an outside adversary from manipulating the application to a negative impact on the company.
Before developing an app, threat modeling needs to be completed to determine potential risks in the design. After development, complete penetration testing needs to occur to evaluate security flaws. Adversaries frequently use low-tech tactics to accomplish their objectives. High and critical findings must be remediated before releasing to production to mitigate potential risk.
It’s important to remember, however, that security for e-commerce is never finished. New vulnerabilities, risks, and business requirements emerge every day
With third-party software, emphasize third-party risk management. Out-of-the-box tools for transactions require looking at actions between one vendor and another to see if there are any risks to the process. It’s important to review vendor policies, penetration tests, and overall security posture. Choose a vendor based on quantitative and qualitative data.
Implementing security best practices
There are several best practices to consider for e-commerce security.
- Bake security into the development life cycle for the e-commerce site or app, and adhere to a secure software development framework. In general, fixing security flaws found late in the development lifecycle can cost significantly more than identifying them early in the process. Have a clear plan and design. A standard benchmark is the Open Web Application Security Project (OWASP) Top 10. In general, OWASP Top 10 covers 80 percent to 90 percent of typical attack vectors. The remaining percentage is tied to the retail outlet’s business model and companies will need to build security into the platform design accordingly.
- The Center for Internet Security (CIS) Top 20 provides a baseline to help companies adhere to a security framework. The No. 1 rule is to know the physical and data assets. Setting system standards for each asset is also key. For example, follow a hardening standard, limiting an e-commerce platform to only doing the actions that it needs to do.
- For user access controls, always follow the Principle of Least Privilege (PoLP). This ensures that administrators and employees only have access to the data and systems that they need. Make multifactor authentication (MFA) a hard requirement for employee and customer access. MFA can include a password, along with factors such as SMS to a phone number, biometrics, or geolocation.
- Establish a data protection program to safeguard Personal Identifiable Information (PII), credit card/financial data, and other sensitive information relative to the retail outlet. Apply classifications and labels so that wherever data is, administrators can identify, report, and monitor it for any adverse actions. Define policies according to the data classifications, classify data, and protect per the policy definition.
- A well-defined vulnerability management program is critical. Focus on scanning, testing, and remediation of identified vulnerabilities. Treat high and critical vulnerabilities with urgency, as they are especially attractive to attackers. Unfortunately, it can prove difficult to remediate all vulnerabilities. Therefore, rely on defense-in-depth—or having multiple layers of security controls as opposed to relying on a single control.
- Be mindful of customers’ right to privacy. Develop a program to account for legal and regulatory obligations tied to business requirements and local/state/federal laws. Breaches consistently involve the theft of data; in particular, customer PII.
Offering a safe, seamless experience
The goal of security should be to build and maintain trust with the customer, protect the business and the customer, and enable the business to accomplish its mission. When customers trust that a company is protecting their personal and financial information, it leads to stronger relationships, a positive brand reputation, and return transactions.
It’s important to remember, however, that security for e-commerce is never finished. New vulnerabilities, risks, and business requirements emerge every day.
That makes security a complicated field that ultimately must be included in all areas of the business. A quality security program needs enforcement from the executive team and buy-in from the delivery teams. Security needs the right investment from the top for the tools and services needed. For many businesses, the best path to get started is to invest in a strong security partner. The field is ever-changing and complex and requires a consistent delivery to be effective.
Overall, security is not a technology, tool, or person, but rather a process of defining and remediating risk.