For online retailers, turning browsers into buyers has always been the holy grail of their business operations. But with a spate of high-profile hacks and breaches, it is just as challenging for some to keep their sites open for business.
By Katrena Drake, director of European operations, FireHost
The consequences of cyberattacks are far-reaching. Not only does the downtime caused by a hack mean lost sales, it can also spell long-term reputational damage and regulatory fines. The Information Commissioner’s Office has the power to impose penalties of up to £500,000 on firms that fall foul of the Data Protection Act by losing confidential data.
It’s unsurprising that hackers pay particular attention to retail sites. With more payments now processed online than ever before, and with valuable information at risk, retail sites make for rich pickings.
An ecommerce site must therefore take every step necessary to ensure that it is not vulnerable to attack, whether from career cybercriminals looking for financial gain or from a hobbyist hacker defacing a site just for kicks.
Hackers have a whole host of tricks they can draw on to infiltrate and disrupt sites. These start with relatively simple Distributed Denial of Service (DDoS) attacks, in which a website is swamped by a flood of simultaneous page requests from many sources, making it impossible for legitimate visitors to access the site.
Over recent years, more sophisticated techniques have also emerged, including cross-site scripting and SQL injection. These exploit vulnerabilities in the site itself to reach highly prized information, such as customer passwords and credit card data, and can be carried out without being detected.
Few retailers now host their own operations. Instead, they rely on specialist hosting providers to manage their websites and servers on a day-to-day basis. Increasingly, these sites are hosted in the cloud, which offers cost advantages and allows retailers to be more responsive to market conditions. For example, they can scale up their operations during busy times – weekends or the run-up to Christmas – and scale down during quieter periods.
But whilst outsourcing makes commercial sense, it does require retailers to trust a third party to protect their site. It is therefore vital that they check the security utilised by their hosting provider because not all services are created equal.
Indeed, some cloud providers have merely bolted a few security defences onto their existing infrastructure or offer add-on security software, while many others cannot even tell customers where their websites – and therefore their customer records – are physically hosted, let alone which laws are in place to protect that data.
However, as noted above, not all providers are created equal, and secure hosting options are available. At a bare minimum, retailers should check for PCI DSS (Payment Card Industry Data Security Standard) compliance, the industry standard that sets out how retailers must handle customer credit card data.
This provides baseline assurance that card data is securely held and processed. Beyond that, other security features help ensure the integrity of a retailer’s entire operation and are capable of deflecting even the most sophisticated attacks. It is the retailer’s responsibility to ask where the data is stored, what security appliances are used, and whether disaster recovery is available.
While both PCI compliance and security become much trickier in the cloud, largely because numerous websites share the same underlying infrastructure, cloud-based services are now emerging that give retailers maximum flexibility over their operations while also delivering compliance.
For many e-tailers, a move to the cloud will actually improve their protection, as it gives smaller firms access to security solutions that would otherwise be beyond their buying power.