Ecommerce Website Security Best Practices
From Macy’s to Amazon, eCommerce websites receive anywhere from 200 million to 2 billion visitors in a year.
Of course, that is huge when compared to a startup eCommerce website, but you should also consider the number of pages these websites host. There are millions of product pages and hundreds of offer landing pages on major eCommerce websites.
Now, what does that have to do with security? Ecommerce websites have countless pages, and companies cannot monitor each one to ensure complete security. Nor can they simply block entire countries to stop spam traffic, especially when the growth target is global.
At the same time, leaving any one of those hundreds or thousands of pages unsecured can bring the entire website down. Similarly, not filtering traffic means anyone can launch bot traffic attacks that crash the server or inflate cloud-hosting costs.
That makes security important, right? Why not pump in more money and get more security professionals on board?
Ecommerce businesses often scale quickly and unpredictably. Apart from Amazon and eBay, most major companies have grown to multi-million status in the last few years. Initially, they do not have the resources to manage security because the focus is on growing; later, they have so much to manage that covering all security bases seems impossible.
Security Outlook at Major Ecommerce Companies: How Do They Do It?
Target learned about application security quickly after the massive data breach in 2013. Soon, other companies selling online sunk their teeth deep into it too. The entire eCommerce sector learned that while the physical layer is secured easily through antivirus, data loss prevention, and similar measures, there is little control over the web and mobile applications. The fact was also validated by Gartner Research, which claimed that 70% of cyberattacks happen at the application layer.
So, what did they change in the last couple of years? How do they manage security?
Chief Technology Officers (CTOs), Chief Information Officers (CIOs), and/or Chief Information Security Officers (CISOs) took over the existing security structure in eCommerce businesses and infused it with managed security services for application security.
Take Shoppers Stop for instance. It’s a major global retailing group with over $440 million in revenue and more than 14,000 employees. Their online retail business has grown massively, and so have their security concerns about the cloud.
According to their Solutions & Technology Vice President, Mr. Anil Shankar, their entire com infrastructure is on the cloud, and web application security is critical. Web app scanning and a firewall have been integral to their security.
Shoppers Stop currently uses Indusface’s AppTrana to find vulnerabilities through on-demand scanning and to block hackers and DDoS attacks.
Depending on the internal organization structure, most eCommerce companies have CTOs, CEOs, and/or CISOs overseeing the internal security protocols while partnering with managed security providers for application security, which is a more volatile domain with fewer certified professionals equipped to deal with possible catastrophes.
Pooled Intelligence with Managed Security
Can an internal application security team get its hands on bot, packet, and machine-signature data and correlate that data to flag suspicious traffic?
Here’s an example. At Indusface, we have a massive collection of attack data from over 800 customers that our security team analyzes. So if we know that IP 123 has tried to attack Company XYZ, we’ll flag it and monitor it for all the customers. We might even block it completely, depending on how strong the evidence is against specific kinds of traffic.
Most eCommerce websites are also pestered with spam traffic that crashes the server. This is a distributed denial-of-service attack on the application layer, and it looks very similar to your regular traffic. In fact, attackers can hire bot traffic for as little as $5. Think of competitors or disgruntled employees shutting down your website for hours on the big sale day.
While your focus is on business, managed security experts keep an eye on zombie traffic and relate that data to region, IP, bandwidth, ping frequency, and a number of other parameters to determine whether the traffic is real. If it’s not, the web application firewall blocks it instantly.
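The two ideas above, a watchlist pooled across customers and a request-rate check that separates a layer-7 flood from ordinary shoppers, can be shown in a few dozen lines. The following is an added example written for this page; it is not Indusface code and does not reflect how AppTrana actually works. The log format, the tenant names, the IP addresses (from documentation ranges) and the window/threshold values are all constructed assumptions.

```python
"""Pooled threat intelligence across tenants (added example, constructed data).

Two signals are combined:
  1. shared_watchlist(): an IP whose request was rejected (HTTP 403) at any
     one tenant is watched at every tenant (the "pooled intelligence" idea).
  2. burst_offenders(): a sliding-window request-rate check per tenant and IP
     that flags a layer-7 flood even when each request looks legitimate.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access log: <tenant> <ISO timestamp> <client IP> <status> <path>
SAMPLE_LOGS = """\
shopA 2024-05-01T10:00:00 203.0.113.5 200 /product/123
shopA 2024-05-01T10:00:01 203.0.113.5 403 /admin/../../etc/passwd
shopA 2024-05-01T10:00:02 198.51.100.7 200 /cart
shopB 2024-05-01T10:00:03 203.0.113.5 200 /
shopB 2024-05-01T10:00:03 203.0.113.5 200 /sale
shopB 2024-05-01T10:00:03 203.0.113.5 200 /sale
shopB 2024-05-01T10:00:04 203.0.113.5 200 /sale
shopB 2024-05-01T10:00:04 203.0.113.5 200 /sale
shopC 2024-05-01T10:00:05 192.0.2.9 200 /checkout
shopC 2024-05-01T10:00:06 192.0.2.9 200 /checkout
shopC 2024-05-01T10:00:07 198.51.100.20 403 /wp-login.php
"""


def parse_logs(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        tenant, ts, ip, status, path = line.split(" ", 4)
        events.append({"tenant": tenant, "ts": datetime.fromisoformat(ts),
                       "ip": ip, "status": int(status), "path": path})
    return events


def shared_watchlist(events):
    """Map each IP that was rejected (403) anywhere to the tenants where it happened.

    The watchlist is global: evidence gathered at shopA protects shopB and shopC.
    """
    watch = {}
    for e in events:
        if e["status"] == 403:
            watch.setdefault(e["ip"], set()).add(e["tenant"])
    return watch


def burst_offenders(events, window_seconds=2, threshold=4):
    """Return (tenant, ip) pairs that sent more than `threshold` requests
    within any `window_seconds` span. Thresholds here are assumed values."""
    offenders = set()
    recent = defaultdict(deque)           # (tenant, ip) -> timestamps in window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["tenant"], e["ip"])
        q = recent[key]
        q.append(e["ts"])
        while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                   # drop timestamps outside the window
        if len(q) > threshold:
            offenders.add(key)
    return offenders


def classify(events, window_seconds=2, threshold=4):
    """Combine both signals into one verdict per IP, applied to all tenants:
    'block' for a flood, 'monitor' for an IP on the pooled watchlist, else 'allow'."""
    watch = shared_watchlist(events)
    flooding = {ip for (_tenant, ip) in burst_offenders(events, window_seconds, threshold)}
    verdicts = {}
    for ip in {e["ip"] for e in events}:
        if ip in flooding:
            verdicts[ip] = "block"
        elif ip in watch:
            verdicts[ip] = "monitor"
        else:
            verdicts[ip] = "allow"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify(parse_logs(SAMPLE_LOGS)).items()):
        print(f"{ip:15} {verdict}")
```

In the sample, 203.0.113.5 is rejected once at shopA and then floods shopB's sale page, so it is blocked everywhere; 198.51.100.20 is only rejected once at shopC, so it is monitored at all tenants rather than blocked; the two ordinary shoppers are allowed. Real deployments would add the region, bandwidth and ping-frequency signals the text mentions, but the structure stays the same: evidence from one tenant feeds a decision applied to all of them.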
Security Tips for Ecommerce Startups
Before the bigger investment rounds, before that enormous list of customers, and before the success, there is hard work and tough decisions about what to invest in for growth. For most new-age growth companies and startups, appointing separate security teams and affording a CIO/CISO is out of the question.
However, this doesn’t mean that security is irrelevant during the growth phase of your business. On the contrary, it is critical.
- 72% of businesses that suffer a major data loss shut down within 24 months. (National Small Business Association)
- 64% of the people are unlikely to shop or do business with a company hit by a data breach. (Gemalto Survey)
Even startup eCommerce websites cannot let competitors or other factors crush them with data breaches. That’s why CEOs, CTOs, or Product Heads often take charge of overall cybersecurity and control web app security through a managed service provider. Indusface offers Scanning + Web Application Firewall to solve the hacking and DDoS issues for such companies. Irrespective of the changes or pages on your eCommerce website, scanning finds issues and reports them, while the WAF blocks hackers from exploiting the weaknesses.