A vast number of security and privacy topics are relevant within the eCommerce realm today, far too many to discuss in a single article.
Here, I want to briefly touch on the current state of complexity of governance and compliance in eCommerce environments.
New trends in retail and legislation
Global retail is growing, with a projected sales volume of $25.03 trillion for 2019, while eCommerce is projected to account for 14.1% of the total retail market, adding up to roughly $3.5 trillion in sales. Current estimates predict that eCommerce sales will account for 90 to 95% of the total retail market.
Looking at these sales numbers and the projected growth estimates, it shouldn’t be surprising that the overall focus of retail is shifting towards eCommerce.
Unfortunately, this trend, with its higher potential for “profit”, lower risk and wider reach, and without physical (geographical) limits, is also being abused by criminals.
Governments are following these trends and the possible dangers by implementing new laws and regulations or at least having drafts in the pipeline. Privacy was a hot topic in 2018 when the GDPR became effective in the European Union, and it has continued to be a hot topic in 2019. The high potential of fines – and the actual fines distributed – has had a big influence on this focus.
eCommerce legislation and regulation
If we take a look at global laws and regulations, we can see that at least half of the UNCTAD (United Nations Conference on Trade and Development) member states have one or more laws in each of several categories:
- 79% of the member states have implemented e-transaction laws, and another 9% of the members have e-transaction laws in draft;
- 52% of the member states have implemented consumer protection laws, and another 6% have consumer protection laws in draft;
- 58% of the member states have implemented data protection and privacy laws, with 10% having such laws in draft;
- 72% of the member states have implemented cybercrime laws, and another 9% have these laws in draft.
Of these areas of law, the focus in 2019 has been on data protection and privacy, either by improving GDPR compliance and following up on consumer requests, or by preparing for new privacy laws such as the California Consumer Privacy Act (CCPA) in the United States and the Lei Geral de Proteção de Dados (LGPD) in Brazil.
This governmental focus has also considerably increased awareness among consumers. Approximately 76% of online consumers consider data privacy and security as very important factors when deciding where to buy, according to the 2019 global online shopping survey from 2Checkout.
Fines under GDPR can go up to 4% of a business's global revenue or €20 million, whichever is higher. An online retailer in Poland recently found this out the hard way: unauthorized access to the personal data of this retailer's 2.2 million customers led to a GDPR fine of approximately €645K.
The ten largest GDPR fines to date add up to more than $443 million combined. Data protection authorities are clearly stepping up enforcement and continue to impose fines. More laws will likely take effect in the coming years (CCPA and LGPD in Q1 2020), and the focus on data protection and privacy will only increase.
Of all the industries affected by cybercrime, retail (eCommerce and traditional stores combined) accounts for 18% of incidents, which makes it the most targeted industry. Credit cards are still a profitable target for criminals: credit card data is compromised in 36% of all cybercrime incidents.
Although compromised credit card data is decreasing overall, the shift from physical to eCommerce transactions has increased CNP (Card Not Present) data incidents to 25% of all incidents. Within eCommerce specifically, CNP data incidents are responsible for 84% of all incidents.
Verizon’s DBIR (Data Breach Investigation Report) shows a shift from POS (Point Of Sale) incidents to web application incidents. Where POS went from 63% of total breaches in 2014 to 6% in 2018, web application total breaches went from 5% to 63% in the same time frame.
As noted above, a data breach will not only cost you your data; it will also cost you your reputation, plus a fine under the relevant law. A KPMG study shows that 19% of consumers indicated they would not continue to do business with a retailer after a breach. Another 33% indicated they would suspend business with the retailer for at least an undefined period.
Part of the increase in data breaches, as research from Juniper shows, is due to eCommerce merchants being slow to implement the latest relevant controls. This research estimates that retailers will have lost $130 billion in CNP fraud alone between 2018 and 2023. Furthermore, as this Advisera report points out, simply complying with laws and regulations does not guarantee the security of data.
It is apparent that by not implementing the correct technical and organizational measures, especially around the processing of payment card data, eCommerce businesses expose themselves to unnecessary and high risks.
Distributed Denial of Service
DDoS (Distributed Denial of Service) attacks are a different type of threat, one that can bring down not only your data and your revenue but also your reputation.
A DDoS research report from Kaspersky Lab shows that 20% of all companies with 50+ employees have been hit by at least one DDoS attack. The same research shows that 50% of these attacks led to a disruption of service, and 24% to complete unavailability. Costs can clearly be high when services are unavailable for an extended period of time: about 30% of DDoS victims suffered downtime ranging from one day (14%) to one week (9%), or even several weeks (7%). Unfortunately, downtime is not the only effect; the Kaspersky research shows that sensitive data was also lost as a result of 26% of DDoS attacks.
The cost of launching these attacks is, surprisingly, quite low. Attackers with little expertise can download a free tool that works, and for as little as three dollars they can buy DDoS-as-a-service, making this a low-cost, high-impact threat. With an average loss per attack of $53K for SMBs and $417K for enterprises, planning for and mitigating the effects of DDoS attacks is a topic that should not be neglected in any eCommerce environment strategy.
As is evident, while eCommerce is becoming bigger and more dominant, so are its threats. Serious players who want to compete in this market must take their security and compliance seriously.
About the Author
Tom van der Stoop is a Senior Consultant at Roots GRC Consultancy, focused on information security, privacy, and quality.