Ask Anything About: Cybersecurity

It can be difficult to keep up with every new term or technology available today. Instead of nodding along in agreement, however, it is important to ask questions that will truly help you understand what is being discussed - even if those questions are simplistic in nature.

For this reason, Website Magazine launched its "Ask Anything About" series (inspired by Reddit's popular Ask Me Anything threads) to pair some basic question about a topic with an expert who could answer them in greater detail. We're just getting started, so if you missed "Ask Anything About: Amazon" or "Ask Anything About: Blockchain" check them out. Next up: Dark Posts.

Our expert for "Ask Anything About: Cybersecurity" is Brian Dhatt, Chief Technology Officer (CTO) of BigCommerce. Prior to BigCommerce, he served as CTO at Borderfree where he led all aspects of product and technology, and previously held senior leadership positions at Jetsetter, Gilt City and Best Buy. In other words, your cybersecurity education is in good hands.


How would you explain what cybersecurity is to your least tech-savvy friend or family member?


Brian Dhatt, Chief Technology Officer of BigCommerce: Cybersecurity is the set of techniques and processes that are used to protect an organization, a network or an individual from digital attacks. As it relates to ecommerce, cybersecurity involves protecting customers' personal information, including name, address and credit card number.


There are two kinds of cyber attacks most common in today's ecommerce landscape: account takeover and identity theft. Account takeover occurs when a fraudster uses phishing tactics to trick customers into revealing usernames and passwords, then logs in to the customer's account, changes the password and makes unauthorized purchases. Identity theft, on the other hand, is when fraudsters hack into databases to steal personal information. While it's important to be aware of both, businesses should focus their mitigation strategy on identity theft caused by database breaches.


How concerned do ecommerce site owners, marketers and other employees need to be about their company's cybersecurity?


Dhatt, BigCommerce: The unfortunate reality is that as more of our lives are conducted through digital means, cyber attacks become more commonplace. In fact, recent studies show that the first six months of 2017 saw 918 data breaches - a 164 percent increase from that same period in 2016. Business owners need to treat site security as a top-level business priority particularly given the far-reaching impact that a single breach can have on numerous aspects of a business. By prioritizing security and doing so in a public way, brands are establishing trust with their existing and potential customers, which helps to drive long-term loyalty and conversion.


Are consumers any safer when they purchase from an ecommerce marketplace than an individual website?


Dhatt, BigCommerce: Whether shopping on a marketplace or an individual ecommerce website, consumers can protect themselves via strong mechanisms. Payment options like PayPal and authenticated security mechanisms like Apple Pay provide a level of assurance to consumers that their most sensitive information will be held and transmitted securely regardless of the nature of the retailer. 


What role is social commerce playing in cybersecurity?


Dhatt, BigCommerce: Social commerce has the opportunity to make ecommerce safer.  The endorsement of a shopper's trusted friends and network will go a long way to helping new customers find new retailers and products.  As with anything on social media, the shopper will have to ensure the recommendation is authentic and not spam. 


"I'm a U.S.-based retailer, do I really need to care about forthcoming General Data Protection Regulation?"


Dhatt, BigCommerce: The short answer is yes. The General Data Protection Regulation, or GDPR, is a new regulation that requires businesses to better protect the personal data and privacy of EU citizens. That it addresses citizens, rather than the companies themselves, is an important distinction because it extends the regulation's reach to include any business that may have customers in one of the 26 specified countries. Many ecommerce companies have a multinational focus, which means they will be held to GDPR standards regardless of the location of their corporate headquarters.


The new regulation goes into effect May 25, 2018, and businesses should be preparing for it now. Not only are non-compliant businesses subject to hefty fines, but they are held liable for any EU citizen data that is lost and risk being served a class action lawsuit.


What common site elements are making ecommerce companies vulnerable?


Dhatt, BigCommerce: The idea that a site's only vulnerability is on its checkout page is a common misconception. In reality, any page where information could be entered poses a risk for ecommerce companies.


As an example, retailers often host a blog for article and recommendations. While the retailer may spend time to harden their ecommerce platform and certify it for standards like PCI, they may not spend the same amount of time on security for their blogs or other associated systems. In the case of a security issue, customers often do not differentiate between the core ecommerce platform and other systems and may lose confidence in a retailer regardless of the source of the issue.


In addition, ecommerce companies are more reliant on third-party solutions for marketing, analytics and more. It is crucial that they understand the security posture and best practices to secure these third-party integrations.


How much can retailers really lose if their sites get hacked?


Dhatt, BigCommerce: The Association of Certified Fraud Examiners suggests that almost 50 percent of small businesses fall victim to fraud at some point in their business lifecycle, which costs an average of $114,000 per occurrence. The financial loss can be detrimental enough, but for many companies, a site hack can cause lasting damage that extends far beyond the financial losses incurred.


In a highly competitive marketplace, brand reputation is critical. A data breach, and the business' response to it, can destroy customer trust and cause irreparable damage to a company's brand perception. According to a KPMG study, a security breach would discourage 58 percent of consumers from doing business with a particular brand in the future. Even more telling, the National Cyber Security Alliance found that 60 percent of small businesses collapse within six months of a security breach.


Consumers place a lot of trust in online businesses and in return, expect that their data be protected from harm. It's the responsibility of those businesses to be proactive in their cybersecurity efforts and safeguard that consumer data by whatever means possible.


Does a site's hosting and/or other vendor choices matter with cybersecurity? Why/why not?


Dhatt, BigCommerce: Absolutely. Every vendor that a site works with is a potential entry point for hackers, which makes it critically important to not only have a cybersecurity strategy for your specific site, but to also know the measures that your vendors are taking to mitigate risk. When going through the vendor-selection process, there are several questions that you should be asking to better understand that vendor's approach to security:


  1. How is personally identifiable information (PII) stored and handled?
  2. How is data access and change audited?
  3. How do you identify and mitigate security vulnerabilities?
  4. Who has access to client, customer, order or shopping data?

When it comes to the specific website platform, some choices are better than others. As a general rule, SaaS platforms tend to offer more security than on-premise solutions, primarily because businesses using an on-premise solution are responsible for maintaining and updating security features. This can be a costly investment, both in terms of time and resources. SaaS providers, on the other hand, usually have full-time teams committed to site security, and automatically update your site to include the most current security features.

Between different SaaS vendors, differences can exist. Look for a platform that is transparent about their security strategy, as well as one that offers intrusion detection software, human monitoring services and sitewide HTTPS, among other things.


Can retailers completely safeguard their sites from attack?


Dhatt, BigCommerce: As cybersecurity measures increase in sophistication, so do the hackers trying to break through them. While businesses will never be able to completely safeguard their sites from attack, there are things that can be done to provide the best chance of avoidance:


  • Remain vigilant. Knowing trend information about how, when and from where customers shop will make it easier to pinpoint any irregularities within your order history.
  • Use reputable payment gateways. Trusted gateways like PayPal, Stripe and typically offer safeguards to help stop fraudulent transactions before they are completed.
  • Invest in security monitoring tools like Signifyd, or work with a vendor that partners with fraud monitoring and detection companies to add an extra layer of protection to your site.
  • Have a plan. It's important to be proactive about your website security, and create a plan of action in the event that your site is hacked. By establishing protocol and training employees in advance, you'll have a better chance of minimizing any damage that results from an attempted or successful hack.

One final thing to know about cybersecurity failures: nearly 90 percent of cyber attacks are the result of human error or behavior. Beyond investing in technical preventative measures, one of the best ways to limit the potential of data breaches is to ensure that employees receive training on how to safely interact with and protect sensitive company and customer data. 


Keep Reading: