As India propels (with more force than ever) into a more digitised world due to the coronavirus pandemic, we are sure to witness an era that will be fueled by the mobile and cloud ecosystem. However, the digitised age comes with the curse of cyberattacks and threats of its own. Even before the pandemic started, India saw a 37% increase in cyberattacks in the first quarter of 2020, as compared to the fourth quarter of last year. The report released by PwC India in July 2020 asserted that with diminishing physical boundaries, the need to protect businesses from opportunistic threats has become more critical. For years, e-commerce platforms have been at the top of the target list for hackers. They view these sites as potential treasure troves of data awaiting to be unearthed. E-commerce platforms rely on technology and user trust, two of the most significant tenets to build business. As a cyber attack is a breach on both accounts, it is a huge monetary as well as reputation loss.
A 2020 study by Accenture revealed that most organisations are getting better at mitigating threats and becoming cyberattack resilient. E-commerce platforms are increasing investments in innovation to prevent such attacks to illustrate their commitment towards preventing and limiting the damage. However, if the cases of attacks on companies like Twitter, BigBasket, etc. in 2020 are anything to go by, hackers are getting more sophisticated and fearless. They have even moved the focus of their end-point attacks. Earlier, it used to be an attack on just the platform, now they have shifted base to indirect targets such as third party vendors in the supply chain.
There are certain measures that e-commerce platforms must undertake to minimise potential mishaps:
1 Use a web application firewall like Sucuri or Cloudflare
No matter how secure one may believe a website is, it is vulnerable to hacking attempts, malware injection, and distributed denial of service attacks (DDoS). E-commerce websites know that having vulnerable files, plugin, software, or misconfiguration on their servers may have financial and reputational loss. Thus, it is imperative that all ecommerce platforms embed security measures like Sucuri or Cloudflare to scan the website traffic and block any unnecessary threats even before they reach the intended website. Both these applications are among the best to provide website firewall, CDN, and DDoS protection services to help hide the original IP addresses from publicly accessible domains
2 Conducting a VAPT
With companies being forced to operate from remote locations, they simply cannot afford to compromise on any of the industry best practices to secure their operations. Hackers have taken undue advantage of the crisis to gain unauthorized access to sensitive information. A VAPT (Vulnerability, Assessment and Penetration testing) will help companies not only analyze but also devise a plan of action to protect vulnerabilities within the ecosystem
3 Using a strong SSL certificate
In 2021, having a SSL (Secure Sockets Layer) certificate is hardly an option, it is an absolute necessity. Users must not trust any website without one. Consumers may easily identify this by the green ‘lock’ symbol that is visible on the far left hand side of the URL. It is representative of the brand’s commitment towards protecting valuable data. E-commerce websites normally install them to request sensitive information such as payment details, passwords, login credentials, etc. The software uses a pair of keys to authenticate identities and encrypt information sent over the internet. Once these encryptors are in place, they act like a lock to make the connection more secure and prevents hackers from gaining access to private details of the consumers
4 Security certification – ISO 27001
An ISO 27001 is a certificate that aims to protect the confidentiality, integrity, and availability of the information in a company. E-commerce companies implement it to manage the security of important assets such as employee and user details, information about third party vendors, financial data, and intellectual property. Achieving the ISO 27001 certification allows organisations to demonstrate to their users that they take information security seriously and can be trusted with the same. It helps to find out where the risks are and then enables systematic treatment by implementing security controls, thereby protecting the platform
5 Ensuring a bug bounty program
Bug bounty programs are essentially a measure undertaken by companies to encourage experts to check for vulnerabilities in their system in exchange for a reward. As global cybersecurity threats continue to terrorise us, bug bounty programs have become an effective tool in helping e-commerce companies identify risk exposures at an early stage. It ensures that companies are ahead of the game by being proactive and predictive. Unlike traditional testing services that were known to foster a culture of fear, bug bounty programs help create an atmosphere for openness and responsibility. Not only does it add to the brand credibility, but it also helps companies establish disclosure programs at the earliest
6 Transparency with the end-consumer
As companies continue with their efforts, history can attest to the fact that being transparent with the end consumer is of more significance when dealing with any possible malware injection or leakage of data. E-commerce companies must frequently share advisories about OTPs, dual authentication for any existing customer related action etc. to ensure that users are well aware. Depending on the type of business, it is imperative that organisations educate customers about their data collection practices and policies and have a fall-back risk mitigation strategy
Each Person for themselves on the internet
Consumers too must undertake certain practices to ensure protection of their data. Simple hygiene checks such as looking over your card statements for any unidentified transactions, re-confirming the payment details before completing the transaction, using a wallet with a low balance, etc. can go a long way in avoiding data breach. One must be careful to not share any OTP over the phone to any representative; use an up to date malware/anti-virus software; and avoid having the same password for all websites. Even after finding the “green lock” sign as consumers, we must be mindful of website URLs (in case of spelling errors) we open and click on the lock symbol to verify the owner.
According to a report by Center for Strategic and International Studies, the USA and UK had the most daunting cyberattacks between 2006 and 2020, followed by India, Germany, and South Korea. Against the backdrop of increasing global tensions, the Government of India has become sensitive towards the significance of data protection. While it is difficult to draft and adopt a cohesive national strategy, cyber activists believe that vocalisation and demystification about policies, strategies, and awareness will go a long way.
Authored by Siddharth Bhansali, Founder, Noesis.Tech