In February 2020, the world’s biggest retailer, Amazon, fended off the largest distributed denial of service (DDoS) attack in history. As peak traffic volume hit 2.3 Tbps, e-commerce security experts declared this attack as “a warning we should not ignore.”
DDoS attacks are nothing new. Every day, security teams deal with these malicious attempts to overwhelm their companies’ websites with bot traffic. In the last year, the landscape shifted in favor of attackers, as many companies switched to a remote working model. For instance, 95% of IBM staff currently works remotely. Also, increased social distancing drives more people to shop online.
Now, the internet is thriving with new opportunities — for businesses and threat actors. Explore common e-commerce security threats and see how your company can safeguard against future DDoS attacks.
Growing Threats to Retail Cybersecurity
In the U.S. and Canada, there has been a 129% year-over-year growth in e-commerce sales. This surge in sales is a double-edged sword for retail businesses.
Just as they have a bigger platform to grow their business, they are also thrust into the spotlight in front of threat actors.
Retail Security Threats: More Powerful DDoS Attacks
In 2000, 15-year-old Michael Calce, known by the online alias ‘Mafiaboy,’ launched one of the most significant DDoS attacks in history. He took down Yahoo!, E*TRADE, Amazon and eBay from his home computer. Since then, DDoS attacks have soared above 2 Tbps and show little signs of slowing down. As more companies function online through remote working, the chances for threat actors to target companies through DDoS attacks have risen.
‘Hacktivism’ offers protestors a way to promote a political agenda online, including if they disagree with a specific brand or business.
While the COVID-19 pandemic defined much of 2020, it is not the only global issue today. There is growing unrest about the environment, banking fraud and the negative impact of capitalist behaviors on the world.
Major retail brands like Amazon are easy targets for activists. A sophisticated DDoS attack can potentially cost the target company up to $2 million.
Vulnerable VPN Servers Enable Retail Security Threats
Although the high-volume attacks grab the news headlines, bad actors can also strike a lower volume to avoid triggering any alerts in e-commerce website alarm systems.
Workforces all over the world rely on VPN services for remote login purposes, as many employees are working from home. With their growing importance, VPNs could be an opening for an attacker. In theory, threat actors could use a targeted attack to take an entire workforce offline, which would cause massive disruption to a company.
Lack of On-Site Security Staff
When the world transitioned to remote work, many employers faced the prospect of losing valuable in-house staff, including IT professionals. Without security staff on-site, it is harder to organize an effective response effort in the wake of an attack.
Using several avenues like social media, email and direct mail to convey brand messaging, your business can connect with prospects at multiple touchpoints in the customer journey.
This approach is an excellent marketing strategy. However, it also provides several access points for threat actors to intercept messages between retailers and customers.
Fraudsters exploit people in many ways online. For example, they may use phishing email scams where threat actors masquerade as a retail store in order to obtain sensitive data from customers, like addresses and bank account details.
E-Commerce Website Security Strategies
As retail security threats continue to rise, companies must take more precautions to protect their data. After all, an attack on a vulnerable system could easily compromise consumer data, and may also damage the brand’s name.
Historically, a DDoS attack is one of the biggest challenges for retail cybersecurity teams because perimeter defense measures don’t work. Here are seven steps you can take to protect your business from retail cyber attacks:
1. Devise a DDoS Policy Against Retail Cyber Attacks
When a DDoS attack hits, your first step in response can determine how everything ends. All retail businesses need to set out clear guidelines for their staff, so they know what to do during an attack.
Educate your workforce, and establish outage repair and response strategies before an attack hits. By taking a proactive approach to setting protocols, you give your team a clear incident response strategy to follow. This, in turn, is critical in order to minimize the damage.
2. Establish Your Traffic Baseline
By developing good practices for keeping an eye on traffic, you can train staff to recognize the signs of a DDoS attack. Through this regular surveillance, your IT team can understand the website baseline for normal traffic and will be able to detect any unusual or suspicious traffic spikes quickly.
3. Educate Your Customers About E-Commerce Security
Retail cybersecurity tends to have an internal focus on company practices and employees. However, it’s important to think about the customers, too. Take steps to educate your customers about safe online shopping practices.
With diligent communications, you can ensure they aren’t using weak passwords, sharing sensitive data, or visiting any suspicious links or websites that could compromise their accounts or your business.
4. Boost E-Commerce Security With Multiple Defense Layers
While perimeter security will not thwart a DDoS attack, it is good practice to implement multiple levels of protection strategies. You can utilize several layers of defensive techniques, such as:
- Anti-malware programs
- Content filtering
- Load balancing
- Two-factor authentication
5. Use APIs to Boost E-Commerce Website Security
In e-commerce, customer data enables retail websites to improve their targeting. From retargeting ads to custom product recommendations, it’s easy to see the value of collecting data. However, it’s wise to use third-party gateways for payment processing. With an application programming interface (API), you have another layer that protects customer data and your company if an attack does happen.
6. Use Cloud-Based Providers for Traffic Overflow
As DDoS attacks get more powerful, it’s more likely that on-premises hardware will fail during an attack.
Even the world’s biggest companies would be wise to enlist the help of third-party DDoS mitigation services with cloud-based servers. These experts can then rapidly derail attacks to save a lot of time and money in the recovery effort. The cloud has much higher bandwidth and greater resources than private networks.
If an attack does happen, these providers can use their cloud servers to handle massive traffic overflow, ensuring your website doesn’t crash. Better yet, a cloud-based app will absorb malicious traffic before it hits your system.
7. Run Simulations to Test Your E-Commerce Security
After you have security measures in place and staff prepped with their incident response plan, you can run tests to mimic real-world DDoS attacks. Doing this also enables a retail company to gauge their current security posture. As part of this process, conduct multiple tests and analyze the response to assess ongoing risks and find flaws in your defense.
It’s Time to Prepare for Retail Cyber Attacks
DDoS attacks are no longer solely the domain of hacktivists seeking to simply disrupt a website’s services. Instead, e-commerce companies can be a massive target for refined attacks that attempt to steal data and hold it ransom.
Retail businesses must make e-commerce security a priority, starting with educating their staff and implementing a robust incident response strategy.