BSI guiding UK small retailers to safe online trading as peak shopping season approaches

19 November 2020

Many small organizations are experiencing the world of e-commerce for the first time this year, having moved online to keep the business operating during the unfolding pandemic. In the UK, 31,000 new .co.uk domains were registered between January and October 2020[1].

While the move online brings many benefits, including a wider reach and increased revenue, it can present security risks that businesses may not be aware of. Web-based attacks remain in the top five cyber threats for businesses year-on-year, second only to malware, according to a recent European report[2]. This trend highlights the need for organizations to be proactive, especially SMEs and start-ups. Organizations need to understand the risks and invest in relevant security controls to defend against potentially highly sophisticated and targeted cyber-attacks.

While many customers have already begun their Christmas browsing, the busiest online shopping days – Black Friday (27 November) and Cyber Monday (30 November) – are fast approaching. As smaller retailers brace themselves for the inevitable surge of online traffic, having just made the move to online, the cybersecurity and information resilience team at BSI has provided a valuable guide for new online businesses on how to increase their cybersecurity for safer customer shopping:

Ensure website security levels are at a premium: Supporting secure encrypted online connections will provide much needed reassurance to customers that personal and financial data is safe when making a purchase. Symbols such as the closed padlock on the website address bar or the Secure Digital Transactions Kitemark will confirm security levels to customers.

Always install the latest software updates across all devices: Be proactive with patch and configuration management[3] by developing formal processes that ensure critical patches are applied in a reasonable timeframe. Likewise, all internal and external systems should be configured in line with best practice such as CIS and NIST benchmarks to protect against potential attacks.

Set customer password requirements to complex: Where customers are required to create an account to purchase on the website, ensure the password or passphrase policy requires a complex choice. Customer accounts secured with complex passwords provide a defence against hackers trying to gain access, steal data or process unauthorized transactions.

Ensure online payment systems are secure and PCI compliant: Select an appropriate payment processor that prioritizes security and fits the website purchasing process. Any organization that accepts credit card payments has a contractual obligation with its acquiring bank to be PCI compliant. This proactive approach to security also supports GDPR by keeping credit card details safe and secure. Once PCI compliance is achieved, businesses are advised to highlight it on the website to provide additional reassurance to customers.

Beware of email fraud: This is where scammers try to place large, high-value orders, repeat purchase requests or demand immediate delivery timeframes. Always verify the authenticity of emails before processing orders, and regularly monitor for any suspicious purchase requests.

Prevent delivery or collection theft: Businesses should perform adequate due diligence on the supply chain, especially on delivery companies. Ensure that any subcontractors hold relevant certifications, such as ISO/IEC 27001, ISO 9001 and PCI DSS compliance, which provide reasonable assurance of a secure and structured manner of operation. In addition, where click-and-collect services are in operation, ensure that customers' details are verified before the order is handed over.

Proactively monitor for any duplicate websites and social media accounts: Carry out daily checks for any fraudulent websites or social media accounts claiming to be the same business. If any are found, gather information, make contact, alert customers, and if there is no response, engage with the service provider hosting the fraudulent website.

Stephen Bowes, Global Practice Director for Data Management and Security Technologies at BSI, explains: “One of the key business trends of 2020 has been organizations pivoting online in response to Government restrictions. This is largely a positive trend; however, as the volume of data transactions increases, especially at this time of year, cyber attackers will be looking for opportunities. They’ll be seeking to exploit small and vulnerable organizations, and the trust model of online shopping, so it is vital that organizations know how to stay safe online.”

“Our advice outlines the main areas where improvements can be made to ensure a business can stay ahead of any potential costly cyber-attacks. There is still time to be proactive and implement these vital safety measures. Doing so will strengthen a retailer’s online security posture, improve their information and supply chain resilience, reduce risks, and ultimately will ensure that their customers have a good shopping experience,” concludes Stephen.

The Consulting Services team at BSI provides an expansive range of solutions to help organizations address challenges in cybersecurity, information management and privacy, security awareness and compliance.

For more information visit https://www.bsigroup.com/en-GB/our-services/cybersecurity-information-resilience/

ENDS

Notes to Editor:

[1] .IE Domain Profile Report 2020

https://www.nominet.uk/news/reports-statistics/uk-register-statistics-2020/#

[2] ENISA Threat Landscape Report 2020

[3] Patching repairs computer applications or software that are vulnerable or flawed; patches are designed to update, improve, or fix bugs or security flaws. Configuration management is a process used to maintain computer systems, servers, and software so that they meet performance expectations.