If you’re in charge of an online retailer’s security, you might be suffering from very high blood pressure. The media constantly reminds us that when it comes to cybercrime, things aren’t getting better. Hackers know that big profits can be made from hacking, and if they manage to break in and steal credit card details – they’ve hit the jackpot.
A successful attack can harm the reputation of an online business irreparably by destroying the trust of customers. Knowing this, those responsible can easily be pushed into knee-jerk decisions, when what they really need is a rational and proportional approach to the actual cybercrime risks.
Businesses needn’t start shelling out money on the latest technology, as many of the solutions they already have may be perfectly fine for the level of risk. What they do have to do, constantly, is tune and manage the defensive systems and security controls they have. If new systems are needed, they should match the actual threat the business faces.
Online retailers have a particularly stringent set of requirements to follow in the Payment Card Industry Data Security Standard (PCI DSS). To be compliant, they need an annual online security assessment and quarterly network scans of their e-commerce systems.
This can obviously be complicated, so it’s recommended that any retailer undertakes an evaluation of what PCI DSS means to them if they haven’t already done so. It won’t be just the merchant involved – this also includes any third parties they use which store, process or transmit cardholder data.
The technology available to help secure e-commerce systems ranges from two-factor authentication to biometric security. Firewalls can be applied at the network level, while intrusion detection controls, which can flag attempts to gain access, are becoming common.
These technologies are often very sophisticated, but only as good as the people that use them. This is why it is vital for any reputable retailer to implement governance, risk management and compliance (GRC) frameworks. GRC defines security roles, responsibilities, incident management and threat response.
Every retailer is different: the risks differ, and so do the people involved. This is why GRC is an excellent way to find out what is needed in terms of testing internal and internet-facing processes.
PCI DSS would obviously come under GRC, but GRC will also manage a retailer’s vulnerabilities with an understanding of what they mean for the business. It will also help with security skills and training, minimising the ‘insider threat’ – employees aiding an attack, whether they mean to or not.
The security processes you put in place to protect your business are only going to be as good as the people who use them. This is why awareness is crucial, and the only way to achieve it is by getting the right security intelligence to the right people.
This awareness is even more important when you consider the growing use of mobile devices like smartphones and tablets in the workplace, as well as cloud technology. You can’t bury your head in the sand and ignore what’s happening. You need your business to keep up with these changes, find out where the risks are, and do something about them.
And it is possible to cope, as long as your business is willing to adopt new strategies and make the right investments. You’ll be thinking that this sounds like hard work, and yes, it can be. But there is guidance available to help companies make the right decisions and make sure they don’t become the next headline.