From Macy’s to Amazon, ecommerce websites receive anywhere from 200 million to 2 billion visitors in a year.
Of course, that is huge when compared to a startup ecommerce website, but you should also consider the number of pages these websites host. There are millions of product pages and hundreds of offer landing pages on major ecommerce websites.
Now what does that have to do with security? Ecommerce websites have countless pages, and companies cannot monitor each one to ensure complete security. They cannot simply block whole countries to stop spam traffic either, especially when the growth target is global.
At the same time, leaving any one of those hundreds or thousands of pages unsecured might mean the entire website going down. Similarly, not blocking malicious traffic means anyone can trigger bot traffic attacks that crash the server or drive up cloud-hosting costs.
That makes security important, right? Why not pump in more money and get more security professionals onboard?
Ecommerce businesses often scale quickly and unpredictably. Apart from Amazon and eBay, most major companies have grown to multi-million status in the last few years. Initially, they lack the resources to manage security while the focus is on growth; later they have so much to manage that covering all security bases seems impossible.
Target learned about application security quickly after the massive data breach in 2013. Soon, other companies selling online sunk their teeth deep into it too. The entire ecommerce sector learned that while the physical layer is secured easily through antivirus, data loss prevention, and similar measures, there is little control over the web and mobile applications. This was also validated by Gartner Research, which claimed that 70% of cyberattacks are happening at the application layer.
So, what did they change in the last couple of years? How do they manage security?
Chief Technology Officers (CTOs), Chief Information Officers (CIOs), and/or Chief Information Security Officers (CISOs) took over the existing security structure in ecommerce businesses and supplemented it with managed security services for application security.
Take Shoppers Stop for instance. It’s a major global retailing group with over $440 million revenue and more than 14,000 employees. Their online retail business has grown massively and so has the security concern over the cloud.
According to their Solutions & Technology Vice President, Mr. Anil Shankar, their entire ecom infrastructure is on the cloud and web application security is critical. Web app scanning and a firewall have been integral to their security.
Shoppers Stop currently uses Indusface’s AppTrana for on-demand scanning to find vulnerabilities and to block hackers and DDoS attacks.
Depending on the internal organization structure, most ecommerce companies have CTOs, CEOs, and/or CISOs looking after the internal security protocols while partnering with managed security providers for application security, which is a more volatile domain with fewer certified professionals equipped to deal with possible catastrophes.
Can an internal application security team get its hands on bot, packet, and machine-signature data and correlate that data to flag suspicious traffic?
Here’s an example. At Indusface, we have a massive collection of attack data from over 800 customers that our security team analyzes. So if we know that IP 123 has tried to attack Company XYZ, we’ll flag it and monitor it across all our customers. We might even block it completely, depending on how strong the evidence is against that specific kind of traffic.
Most ecommerce websites are also pestered with spam traffic that crashes the server. This is an application-layer distributed denial of service (DDoS) attack, and it looks very similar to regular traffic. In fact, attackers can hire bot traffic for as little as $5. Think of a competitor or a disgruntled employee shutting down your website for hours on the big sale day.
While your focus is on business, managed security experts keep an eye on zombie traffic and relate that data to region, IP, bandwidth, ping frequency, and a number of other parameters to determine whether the traffic is real. If it’s not, the web application firewall blocks it instantly.
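The cross-customer correlation described above (an IP flagged against one customer is monitored for all of them, and blocked once the evidence is strong enough or its request rate looks like a flood) can be sketched as a small scoring pass over WAF events. This is an added illustration written for this article, not Indusface’s or AppTrana’s own code; the event format, the tenant names, the thresholds and the IP addresses are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of WAF events from several tenants (hypothetical data).
# Fields: timestamp, tenant, client IP, requests in the window, rule hit ("-" = none)
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 shopA 203.0.113.7 12 sqli
2024-05-01T10:00:05 shopB 203.0.113.7 9 xss
2024-05-01T10:00:09 shopC 203.0.113.7 15 sqli
2024-05-01T10:00:10 shopA 198.51.100.4 3 -
2024-05-01T10:00:12 shopA 198.51.100.4 2 -
2024-05-01T10:00:20 shopB 192.0.2.88 900 -
2024-05-01T10:00:21 shopB 192.0.2.88 950 -
2024-05-01T10:00:30 shopC 203.0.113.50 4 path_traversal
"""

def parse_events(text):
    """Turn the space-separated event lines into dicts; '-' means no rule fired."""
    events = []
    for line in text.splitlines():
        ts, tenant, ip, count, rule = line.split()
        events.append({"ts": ts, "tenant": tenant, "ip": ip,
                       "count": int(count), "rule": None if rule == "-" else rule})
    return events

def score_ips(events, block_tenants=2, rate_limit=500):
    """Return {ip: verdict} with verdict in {"allow", "monitor", "block"}.

    - an IP that triggered a rule on one tenant is 'monitor'ed for every tenant
    - an IP that attacked >= block_tenants distinct tenants is blocked outright
    - an IP whose per-window request count reaches rate_limit is treated as
      flood (application-layer DDoS) traffic and blocked regardless of rule hits
    """
    attacked = defaultdict(set)   # ip -> tenants where a WAF rule fired
    peak_rate = defaultdict(int)  # ip -> highest per-window request count seen
    for e in events:
        if e["rule"]:
            attacked[e["ip"]].add(e["tenant"])
        peak_rate[e["ip"]] = max(peak_rate[e["ip"]], e["count"])
    verdicts = {}
    for ip, rate in peak_rate.items():
        if len(attacked[ip]) >= block_tenants or rate >= rate_limit:
            verdicts[ip] = "block"
        elif attacked[ip]:
            verdicts[ip] = "monitor"
        else:
            verdicts[ip] = "allow"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(score_ips(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{ip:15} {verdict}")
```

In production the thresholds would be tuned per tenant and the "monitor" list fed back into the WAF as a watchlist rather than printed.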
Before the bigger investment rounds, before that enormous list of customers, and before the success, there is hard work and tough decisions about what to invest in for growth. For most new-age growth companies and startups, appointing a separate security team and affording a CIO/CISO is out of the question.
However, this doesn’t mean that security is irrelevant during the growth phase of your business. On the contrary, it is critical.
Even startup ecommerce websites cannot let competitors or other factors crush them with data breaches. That’s why CEOs, CTOs, or Product Heads often take charge of overall cybersecurity and handle web app security through a managed service provider. Indusface offers Scanning + Web Application Firewall to address hacking and DDoS issues for such companies. Irrespective of the changes or the number of pages on your ecommerce website, scanning finds issues and reports them while the WAF blocks hackers from exploiting the weaknesses.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Before this, as the CTO @ Indusface, Venky created the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various mgmt/leadership roles in Product Development, Professional Services, and Sales @Entrust.