According to industry reports, more than half of all cyberattacks on ecommerce websites in 2021 were carried out by bots, including sophisticated bad bots that can mimic human behavior. With many ecommerce platforms bundling just a traditional WAF (web application firewall) as the only line of defense against bot attacks, sophisticated bots are triggering fraud and account takeovers (ATO) with ease.
September 2021 recorded an unprecedented rise in Distributed Denial of Service (DDoS) attacks across ecommerce platforms, attributed by the ecommerce security community to the “Meris” bot. DDoS attacks spiked on Black Friday and Cyber Monday, with some reports stating the YoY increase in 2021 was over 200%.
Webscale’s security technology stack defended against more than 76 million malicious bot requests in November 2021, and bot attacks accounted for 68% of all attacks.
With the unprecedented growth of ecommerce over the last two years, bad actors have increasingly targeted the sector. 82.5% of ecommerce businesses that participated in Webscale’s 2022 Global Ecommerce Security Report survey said they experienced at least one cybersecurity related incident during Cyber 5.
Yet, there has been a steadily growing gap in the readiness and capability of ecommerce businesses to identify, defend, and protect their web applications from sophisticated attacks. Automation leaves a lot to be desired across many available security solutions, with many businesses continuing the concerning trend of “throwing people at the problem.”
360-degree Security Blanket for your Storefront
The Payment Card Industry Data Security Standard (PCI DSS) defines four levels of compliance for ecommerce businesses to follow.
These requirements are intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. PCI DSS compliance can be achieved by means of an external audit performed by a QSA (Qualified Security Assessor) or an ISA (Internal Security Assessor).
Multi-factor Authentication (MFA)
Ecommerce admin pages are common targets of attacks because gaining access to them opens the door to your entire site. Multi-factor authentication (or two-factor authentication) typically adds a second level of authentication by sending the user a code via push notification, email, or SMS to confirm the login. This is critical as it ensures only real admins can get to the admin page, even before credentials are entered.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Support and Termination
SSL/TLS certificates encrypt data in transit between customers of an ecommerce website and the server, protecting it from interception and misuse. Look for a security solution provider who offers automated procurement and renewal of certificates.
Cloud Web Application Firewall (WAF)
A WAF monitors user traffic and application infrastructure in real time, enabling always-on security with application-aware, customized rules to protect against sophisticated attacks.
More than 50% of traffic hitting an ecommerce website is bots, and not all bots are good for the business. Modern commerce demands real-time bot monitoring, detection, and management capabilities that proactively identify suspicious browsing and attack patterns, and mitigate malicious bots through IP reputation and machine learning techniques.
Even during the 2021 Cyber Week sales, ecommerce storefronts around the world reported increased DDoS attacks. When under a suspected DDoS attack or a flood of bots, merchants need single-click protection that instantly forces the application to allow only humans in, keeping the bad bots out so the application can keep serving customers normally while the security solution identifies the attacker more precisely.
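The following Python sketch is an added illustration of the per-visitor analysis described above; it is not Webscale's code or any product's detection logic. It parses constructed access-log lines, combines an IP-reputation blocklist with request-burst and login-failure signals and a user-agent heuristic, and models the single-click "humans only" mode as a challenge applied to every visitor who has not already passed one. The addresses, thresholds, and blocklist entry are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample traffic in combined log format; the addresses come from the
# RFC 5737 documentation ranges and none of these requests are real.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Nov/2021:10:00:00 +0000] "GET /checkout HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/96.0"
203.0.113.5 - - [26/Nov/2021:10:00:09 +0000] "GET /product/sku-1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/96.0"
198.51.100.7 - - [26/Nov/2021:10:00:01 +0000] "POST /customer/account/login HTTP/1.1" 401 128 "-" "python-requests/2.26.0"
198.51.100.7 - - [26/Nov/2021:10:00:01 +0000] "POST /customer/account/login HTTP/1.1" 401 128 "-" "python-requests/2.26.0"
198.51.100.7 - - [26/Nov/2021:10:00:02 +0000] "POST /customer/account/login HTTP/1.1" 401 128 "-" "python-requests/2.26.0"
198.51.100.7 - - [26/Nov/2021:10:00:02 +0000] "POST /customer/account/login HTTP/1.1" 401 128 "-" "python-requests/2.26.0"
192.0.2.9 - - [26/Nov/2021:10:00:03 +0000] "GET /product/sku-2 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"
192.0.2.9 - - [26/Nov/2021:10:00:03 +0000] "GET /product/sku-3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"
192.0.2.9 - - [26/Nov/2021:10:00:03 +0000] "GET /product/sku-4 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"
192.0.2.9 - - [26/Nov/2021:10:00:04 +0000] "GET /product/sku-5 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"
192.0.2.9 - - [26/Nov/2021:10:00:04 +0000] "GET /product/sku-6 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"
192.0.2.9 - - [26/Nov/2021:10:00:04 +0000] "GET /product/sku-7 HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"
203.0.113.77 - - [26/Nov/2021:10:00:05 +0000] "GET /sitemap.xml HTTP/1.1" 200 2048 "-" "curl/7.79.1"
203.0.113.20 - - [26/Nov/2021:10:00:06 +0000] "GET /catalog HTTP/1.1" 200 8192 "-" "Scrapy/2.5.1 (+https://scrapy.org)"
"""

# Constructed IP-reputation feed; a real deployment would pull this from a threat-intel provider.
REPUTATION_BLOCKLIST = {"203.0.113.77"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Soft signal only: a self-declared automation client deserves a challenge, not an outright block.
AUTOMATED_UA = re.compile(r"python-requests|curl/|wget/|go-http-client|scrapy", re.I)


def parse_line(line):
    """Turn one combined-log line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def load_sample():
    return [r for r in (parse_line(l) for l in SAMPLE_LOG.splitlines()) if r]


def burst_count(timestamps, window):
    """Largest number of requests that fall inside any `window`-second interval."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(records, blocklist=REPUTATION_BLOCKLIST, window=10, max_burst=5, max_login_failures=3):
    """Per-IP verdict: 'block' on a hard signal, 'challenge' on a soft one, else 'allow'.
    Thresholds are illustrative; tune them against real traffic."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    verdicts = {}
    for ip, reqs in by_ip.items():
        hard, soft = [], []
        if ip in blocklist:
            hard.append("ip-reputation")
        if burst_count([r["ts"] for r in reqs], window) > max_burst:
            hard.append("request-burst")
        failures = sum(1 for r in reqs
                       if r["method"] == "POST" and "/login" in r["path"] and r["status"] == 401)
        if failures >= max_login_failures:
            hard.append("login-failure-burst")
        if any(AUTOMATED_UA.search(r["ua"]) for r in reqs):
            soft.append("automated-user-agent")
        verdicts[ip] = ("block" if hard else "challenge" if soft else "allow", hard + soft)
    return verdicts


def sample_verdicts():
    return classify(load_sample())


def decide(record, verdicts, attack_mode=False, verified_humans=frozenset()):
    """Per-request action. With attack_mode on, only visitors that already passed an
    interactive challenge (verified_humans, e.g. carried in a signed cookie) go straight in."""
    verdict, _ = verdicts.get(record["ip"], ("allow", []))
    if verdict == "block":
        return "block"
    if attack_mode and record["ip"] not in verified_humans:
        return "challenge"
    return verdict


if __name__ == "__main__":
    for ip, (verdict, reasons) in sample_verdicts().items():
        print(f"{ip:14} {verdict:9} {', '.join(reasons)}")
```

The two-tier design matters for revenue: hard signals (reputation, bursts, credential-stuffing patterns) block outright, while soft signals only trigger a challenge, so a misclassified human still reaches the storefront. Attack mode inverts the default, challenging everyone who has not yet proven to be human, which is what "only allow humans in" amounts to at the edge.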
Content Security Policy (CSP) Protection
Ecommerce businesses need to extend their security cover beyond traffic and application infrastructure to the browser, because malicious third-party scripts execute at that level. Content Security Policy (CSP) is an HTTP security standard introduced to prevent XSS (cross-site scripting) attacks. With real-time CSP protection, trust between the browser and the application server can be strengthened by validating the “trusted” domains allowed to execute scripts, and by blocking or reporting any blocklisted domains that attempt to execute scripts in the browser.
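As an added example (not Webscale's code or any product's implementation), the Python below shows the server side of what the paragraph describes: building a CSP header from a list of trusted script sources, starting in Report-Only mode before enforcing, checking whether a given script URL would pass that policy, and triaging the violation reports that browsers POST back so that blocklisted hosts are surfaced first. The storefront origin, trusted hosts, and blocklisted host are assumptions; the host-source matcher covers only a subset of CSP (no ports, paths, nonces, or hashes).

```python
import json
from urllib.parse import urlsplit

# Constructed values: the storefront origin, the trusted script hosts and the
# blocklisted host are assumptions made for this example, not real deployments.
STORE_ORIGIN = "https://shop.example"
TRUSTED_SCRIPT_SOURCES = ["'self'", "https://cdn.shop.example", "https://*.payments.example"]
BLOCKLISTED_HOSTS = {"skimmer.invalid"}

# A violation report shaped like what a browser POSTs to the report-uri endpoint (constructed).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://shop.example/checkout",
    "effective-directive": "script-src",
    "blocked-uri": "https://skimmer.invalid/loader.js",
}})


def build_csp(script_sources, report_uri="/csp-report", enforce=False):
    """Return (header name, header value). Deploy in Report-Only mode first to collect
    violations from real traffic, then switch enforce=True once the allowlist is clean."""
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_sources),
        "object-src 'none'",
        "base-uri 'self'",
        "report-uri " + report_uri,
    ]
    name = "Content-Security-Policy" if enforce else "Content-Security-Policy-Report-Only"
    return name, "; ".join(directives)


POLICY_NAME, POLICY_VALUE = build_csp(TRUSTED_SCRIPT_SOURCES)


def parse_directives(header_value):
    """\"script-src a b; object-src 'none'\" -> {'script-src': ['a', 'b'], 'object-src': [\"'none'\"]}"""
    out = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0]] = tokens[1:]
    return out


def source_matches(expr, url, origin=STORE_ORIGIN):
    """Subset of CSP host-source matching: 'self', scheme://host and *.host wildcards.
    Ports, paths, nonces and hashes are deliberately left out to keep the example short."""
    u = urlsplit(url)
    target = (u.hostname or "").lower()
    if expr == "'self'":
        o = urlsplit(origin)
        return (u.scheme, target) == (o.scheme, (o.hostname or "").lower())
    if expr.startswith("'"):          # 'none', 'unsafe-inline', 'nonce-...', 'sha256-...'
        return False
    scheme, _, host = expr.rpartition("://")
    host = host.split("/")[0].lower()
    if scheme and scheme != u.scheme:  # https://cdn... never matches an http:// script
        return False
    if host.startswith("*."):
        return target.endswith(host[1:])   # "*.payments.example" -> ".payments.example"
    return target == host


def script_allowed(header_value, url):
    """Would a browser enforcing this header value run a script loaded from url?"""
    directives = parse_directives(header_value)
    sources = directives.get("script-src", directives.get("default-src", []))
    return sources != ["'none'"] and any(source_matches(s, url) for s in sources)


def triage_report(body, blocklist=BLOCKLISTED_HOSTS):
    """Classify a violation report so the ones worth an alert stand out from the noise."""
    report = json.loads(body)["csp-report"]
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    blocked = report.get("blocked-uri", "")
    if "://" not in blocked:               # "inline", "eval", "data" and similar
        return ("non-host-source", directive, blocked)
    host = (urlsplit(blocked).hostname or "").lower()
    if host in blocklist:
        return ("known-bad", directive, host)
    return ("unknown-third-party", directive, host)


if __name__ == "__main__":
    print(f"{POLICY_NAME}: {POLICY_VALUE}")
    print(triage_report(SAMPLE_REPORT))
```

Running the policy in Report-Only mode first is the practical way to discover every legitimate third-party script the storefront loads (tag managers, payment SDKs, reviews widgets) before a too-strict policy breaks checkout; the triage output then distinguishes a known-bad host, which should page someone, from an unknown host that may simply need to be added to the allowlist after review.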
Modern security requires a perimeter-less solution beyond the front end that provides a 360-degree view of the customer. Edge computing adds an extra layer of security that helps mitigate attacks across an expanding threat surface. Its zero-trust security model is designed for an agile, fast, ‘always on’ customer base, replacing traditional ecommerce security measures. Its distributed network architecture also helps prevent a complete business shutdown in case of a breach: business leaders have the option to disconnect only the affected node before the attack spreads across the network ecosystem.
A comprehensive fraud detection solution, consisting of AI/ML, positive profiling, and smart use of third-party intelligence via an orchestration engine combined with a team of specialized fraud analysts, will offer merchants the best chance of achieving the right balance between fraud prevention and maximizing the revenue from genuine customers.
Visibility and Control
To become proactive rather than reactive in their approach to security, merchants need an intelligent visibility and control tool that offers a single-pane-of-glass view into the health of the digital business (cloud delivery infrastructure, traffic, sources, conversions, and user experience) as well as a simplified DIY policy and rules engine.
At Webscale, based on our experience over the last 8 years managing and securing thousands of storefronts, we outline a straightforward 4-step plan to get ahead of cybercrime.
- Evaluate the security vulnerabilities of your business and the economic value of a data breach (compliance fines, customer litigations).
- Create a cyber threat strategy that covers your business’ complete ecosystem—customers, partners, vendors, and employees.
- Invest in automated, comprehensive cyber security solutions that offer full visibility into infrastructure, traffic, and assets, and an expert team (internal or external) that understands cloud and ecommerce.
- Enforce a zero-trust strategy. Educate employees about cyber security best practices, the company’s data policy, and the cost of non-compliance.
For a complimentary security audit of your ecommerce storefront write to firstname.lastname@example.org.