3 Cybersecurity Threats SMB Etailers Should Not Ignore

Some small e-commerce website operators may think their relative obscurity offers protection, but the fact is that SMBs are especially vulnerable to cyberattacks and malware.

“Very often small businesses don’t feel vulnerable to cyberthreats because they assume cybercriminals prefer to launch attacks on large companies,” said Stephanie Weagle, VP of Corero.

“On the contrary, cybercriminals have greater success in targeting small businesses,” she told the E-Commerce Times.

The most obvious attacks involve the use of overt malware, such as ransomware, or redirection to potentially competitive websites, noted Chris Olson, CEO of The Media Trust.

Other attacks “may insert embarrassing language on the homepage or stealthily execute unwanted programs such as cryptominers, toolbars and fake surveys,” he told the E-Commerce Times.

There are three major threats SMB etailers can address effectively.

1. Unvetted Open Source Code

SMBs that use open source software to keep down costs may increase their vulnerability to cyberattack, Olson suggested.

“There is no accountability for the developer community should a feature or plug-in be compromised,” he said.

“Thousands of retailers use open source platforms and tools to successfully launch their Web-based commerce operations,” Olson noted.

“These open source tools are compromised on a regular basis via extension corruptions or the creation of flawed versions,” he explained, “and as traffic and revenues grow, so does the attraction for criminals.”

Etailers should avoid using open source code that has not been thoroughly vetted, Olson recommended. “For a modest investment, etailers can identify all executing code, analyze its relevance to website functionality, and remediate anomalous activity that could propagate an attack.”

2. Risky Third-Party Web Components

Third-party Web components “are a significant problem for small businesses,” said Sam Curcuruto, technology evangelist at RiskIQ.

Their users employ “a lot of plugins and open source code which can be exploited downstream to give hackers access to any Web properties running them,” he told the E-Commerce Times.

Among such exploits is keylogger software, which steals credit card data when customers make purchases online.

The Magecart malware package, for example, injects JavaScript code into e-commerce sites running unpatched or outdated versions of shopping cart software from Magento, Powerfront and OpenCart.

Etailers can combat threats posed by third-party Web components by selecting a reputable website hosting provider or Web development company, and “making sure your contracts or agreements with them include routine and periodic security reviews,” Curcuruto said.

They also should include a patching service level agreement, or SLA, “that notes how quickly updates will be applied to their servers and machines that might run your website or payment processing,” he continued.

That would not only address security concerns, but also ensure compliance with regulations such as PCI-DSS, Curcuruto pointed out.

3. The Mushrooming DDoS Trend

One-third of IPv4 addresses were hit by some kind of denial of service (DoS) attack between March 2015 and February 2017, the University of California San Diego reported.

More than a quarter of the targeted addresses in the study were in the United States. Several website hosting companies were major targets. Among the most frequently attacked were GoDaddy, Google Cloud and Wix.

The frequency of distributed DoS, or DDoS, attacks — which are launched from multiple sources and are almost impossible to stop — has been rising steadily, as more devices are connected to the Internet and as the Internet of Things takes shape.

“Today’s DDoS attacks have evolved into increasingly sophisticated and damaging events,” Corero’s Weagle said. Dealing with the fallout — service outages, recovery, communication, and regaining customer trust — “is a long and costly road.”

SMB etailers should pay their trusted ISP or hosting partner for automated DDoS mitigation at the network edge, Weagle recommended.

Your Service Provider’s Role

“Leverage the security and infrastructure of Web services such as Amazon Web Services, Google and Azure,” advised Don Duncan, security engineer at NuData Security.

The Infrastructure as a Service environment typical of such companies “provides the business continuity needed to keep the lights on,” he told the E-Commerce Times.

Further, these services have standard SLAs that let retailers focus on their core business, Duncan pointed out.

Working with such managed service providers will address “SMBs’ limited skilled manpower and technologies,” said Gabi Reish, VP of product management and marketing at Check Point.

“There is no excuse for SMBs not to integrate a dependable cybersecurity solution,” he told the E-Commerce Times.

The cybersecurity industry as a whole “is on a mission to provide strong cybersecurity solutions for SMBs,” Reish said. Such solutions “must be very simple to operate and manage.”

Cybersecurity Self-Defense

SMB etailers can take several simple steps to protect themselves, RiskIQ’s Curcuruto emphasized, even if they lack IT personnel.

  • Set Google Alerts to track mentions of your company name, your key executives’ names, and your product names.
  • Maintain password security. “Use complex passwords, as well as different passwords for different online services,” Curcuruto advised. “Change them often, especially when a major breach happens with another organization that you have a login to.”
  • Keep a clean digital presence online. “Make sure you know where your website is hosted, and the key contacts at the hosting provider,” he recommended. “Deactivate or cancel accounts for products and services you don’t use, and monitor those that you do by setting up account alerts or enabling two-factor authentication, especially for social networks.”

Richard Adhikari

Richard Adhikari has been an ECT News Network reporter since 2008. His areas of focus include cybersecurity, mobile technologies, CRM, databases, software development, mainframe and mid-range computing, and application development. He has written and edited for numerous publications, including Information Week and Computerworld. He is the author of two books on client/server technology.

1 Comment

  • They should also look at early detection and response to cyber threats, which is needed to avoid cyber breaches before they reach you.

    Thanks,

    Rupesh
