E-Retailers and Cyber Criminals: Plan for the Worst

 

Cyber criminals can dramatically alter the trajectory of organizations.

Since the day I started a blog, I painstakingly built an audience.  My audience started as just spam bots and my wife, but I eventually managed to pass a million readers. 

 

I offer this unsolicited glimpse into my life not to grandstand but to set the stage for empathy. At my core, I understand the position of grinding out success.  You build something carefully over time and take pride in the achievement.  And you realize that the wrong move can imperil it in a heartbeat.

 

With a blog, someone could hack it and publish something horrible, turning off my users.  I could probably recover, explaining myself and making apologies.  But some readers would vanish, never to return.  I would then need to pick up the pieces and redo my work.

 

But with a business, money, and clients? Negative publicity or a breach of trust could set me back financially and even change the course of my career.  If that sounds extreme, consider this eye-popping statistic: 

sixty percent of small companies that suffer security breaches go out of business.  

 

 

E-Commerce and the Trust Factor

 

E-retailers sell relatively low-priced items to relatively anonymous people, en masse.  These customers turn over financial information for purchases.  And they do so not with an appreciation for the e-retailer handling it securely but rather the expectation of security as basic table stakes.  Rightfully so.

 

Should the purchase transaction go well, the user trusts them ever so slightly more.  But should cyber criminals perpetrate a breach, all trust evaporates.  That customer leaves, never to return, and probably tells everyone he knows also not to visit.  Poof.  Trust destroyed and credibility seriously damaged.

 

E-Retailers as Targets for Cyber Criminals

 

 

E-retailers have something very valuable to cyber criminals.  They have money on the move. E-retailers, by their very nature, put money in the relatively vulnerable position of changing hands.  And cyber criminals, by their very nature, try to exploit that.

 

So as a purveyor of e-commerce, forget about the notion that you might escape their interest. Even a humble blogger like me doesn’t escape their interest.  They constantly try to breach my site to promulgate spam and run link-building schemes.  With actual money up for grabs?  They won’t give you a moment’s rest.

 

The question thus becomes one of planning.  Sure, plan for the worst. But also plan in terms of both prevention and contingencies.

 

 

Threat Modeling

 

First, let’s talk prevention.  You need to do more than installing a bunch of tools or pay consultants to come in and secure your operation.  Instead, do some more basic planning. Those activities may arise as a result of this planning, but don’t put the cart before the horse.

 

Understand the concept of threat modeling.  Threat modeling involves reasoning through who might attack you, why, and how.  This involves obvious considerations, like cyber criminals stealing people’s credentials.  But it also involves less obvious considerations.  Can a bitter former employee still access your system?  Do you have staff vulnerable to social engineering?

 

Some organizations have developed formal processes around threat modeling.  OWASP, for instance, has a great deal of information on this topic.  Learn about this exercise, go through it, and come out of it with a series of actions to take.

 

Once you know what to do, prioritize these actions as a function of risk and return on investment.  Calculate the odds and cost of a breach and use that to plan accordingly.  You don’t want to inoculate against a low-probability, relatively unimportant breach when you have critical business needs in other areas.  But you also don’t want to leave yourself vulnerable to reputation-destroying hacks that cost your customers money.

 

 

Mitigation and Recovery Planning

 

Threat modeling will help you a great deal.  But it falls under the general heading of prevention, and prevention should make up only half of your strategy.  You also need to plan for mitigation and recovery.

 

Think of it this way.  You may have some sort of alarm system for your home.  The idea behind such a system is to do as much as possible to prevent criminals from breaking in.  But you don’t then blithely pass on homeowner’s insurance.  The alarm keeps people out.  But the homeowner’s insurance says, “Even if they get in, we can get through this.”

 

You want to take the same approach with cyber criminals that you do with their physical counterparts.  Do everything reasonable to keep them out, safeguarding your livelihood against them.  But as you do that, understand what happens if they somehow get in.

 

Plan for this eventuality in two chief ways: mitigation and recovery.  Mitigation involves figuring out how to mute the damage as it happens.  Your threat modeling has identified possible breaches for you.  Plug them up, but also go through the exercise of imagining the best thing to do as they happened.  What would you say to customers?  Would you cut off access to certain public services?  How quickly could you do that, and what would set these events into motion?

 

In addition to mitigation, plan for recovery as well.  Once you have neutralized the threat, what next?  How would you get things back online?  What will you offer your customers by way of apology?  Even think about how you might win people back into the fold.  And, of course, think about how to keep the threat neutralized.

Never Stop Planning

 

It may sound daunting, but I should mention in closing that you can’t ever stop this planning.  In other words, you don’t sit down one day, model all possible threats, and then pat yourself on the back for having closed the loopholes forever.  You might approach building security this way, but in the fast moving world of e-commerce, your threat modeling and recovery plans have a short shelf life.

 

You earn your living trying to make money honestly by selling goods or services, and you work hard at it.  Cyber criminals earn their living trying to relieve you of that money.  Unfortunately, they also work hard at it.  This forces you to remain vigilant.

 

Once you’ve done your threat modeling exercise, it will seem a little more comfortable and approachable.  Use that.  Schedule periodic sessions to go through that same exercise, filling your task backlog with security items and checkups so that you can stay ahead of the game as much as possible.  It may seem onerous and painful, but I promise you, it’s not nearly as painful as getting that middle-of-the-night phone call about a business-killing breach.

You might also like