November 19, 2020
Many small organizations are experiencing the world of e-commerce for the first time this year, having moved online to continue operating the business against the unfolding pandemic. While the move online brings many benefits, including a wider reach and increased revenue, it has created a greater opportunity for malicious actors to take advantage of both retailers and consumers.
So far this year, small ecommerce businesses have averaged over 90 successful fraud attacks a month, with mid-to-large digital companies averaging over 650¹. Furthermore, web-based attacks remain in the top five cyber threats for businesses year-on-year, second only to malware, according to a recent European report². This trend highlights the need for organizations to be proactive, especially small and medium-sized enterprises (SMEs) and start-ups. Organizations need to understand the risks and invest in relevant security controls to defend against both opportunistic attacks and highly targeted ones.
While many customers have already begun their Christmas browsing, the busiest online shopping days – Black Friday (November 27) and Cyber Monday (November 30) – are fast approaching. As smaller retailers brace themselves for the inevitable surge of online traffic, having just made the move to online in many cases, the cybersecurity and information resilience team at BSI has provided a valuable guide for new, and existing, online businesses on how to increase their cybersecurity for safer customer shopping:
- Ensure website security levels are at a premium: Serve the whole site over HTTPS with a valid TLS certificate, not just the checkout pages, so that personal and financial data is encrypted in transit. The closed padlock in the browser address bar confirms to customers that the connection is encrypted and the certificate is valid for the domain; it does not by itself prove the site is the genuine retailer, since fraudulent sites can also obtain certificates. An independent scheme such as the Secure Digital Transactions Kitemark gives customers additional assurance that the site's security has been assessed.
- Always install the latest software updates across all devices: Be proactive with patch and configuration management³ by developing formal processes that ensure critical patches are applied within a defined timeframe, including for the e-commerce platform, its plugins and themes, not only the operating system. Likewise, all internal and external systems should be configured in line with recognized hardening guidance such as the CIS Benchmarks and NIST publications to reduce the attack surface.
- Set customer password requirements sensibly: Where customers must create an account to purchase, require a minimum password length (at least 8 characters, and allow long passphrases) and screen new passwords against lists of commonly used and previously breached passwords, as recommended in NIST SP 800-63B; composition rules (mandatory symbols and digits) add little and push customers toward predictable patterns. Combine this with login rate limiting and, where the platform supports it, multi-factor authentication, so that attackers cannot easily guess or reuse credentials to take over accounts, steal data or place unauthorized orders.
- Ensure online payment systems are secure and PCI compliant: Select an appropriate payment processor that prioritizes security and fits the website purchasing process; using a hosted payment page or tokenization keeps card data off your own servers and greatly reduces your PCI DSS scope. Any organization that accepts credit card payments has a contractual obligation with its acquiring bank to comply with PCI DSS. This proactive approach also supports GDPR by keeping cardholder data safe and secure. Once PCI DSS compliance is achieved, it is advisable to state it on the website to give customers additional reassurance.
- Beware of email fraud: Scammers will try to place unusually large or high-value orders by email, request repeat purchases, or press for immediate dispatch. Verify the sender of any order or payment-change request through a second channel (for example a phone number already on file, not one supplied in the email) before processing it, and regularly monitor for suspicious purchase patterns such as mismatched billing and delivery addresses.
- Prevent delivery or collection theft: Businesses should perform adequate due diligence on the supply chain, especially delivery companies. Ensure that any subcontractors hold relevant certifications such as ISO/IEC 27001, ISO 9001 and PCI DSS compliance, which provide reasonable assurance of a secure and structured manner of operation. In addition, where click-and-collect services are in operation, ensure that the customer's identity and order details are verified before the order is handed over.
- Proactively monitor for any duplicate websites and social media accounts: Carry out daily checks for fraudulent websites or social media accounts impersonating the business, including look-alike domain names. If any are found, gather evidence, make contact, alert customers, and, if there is no response, report the site to its hosting provider or domain registrar and the account to the social media platform.
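The password item above is the one piece of advice that translates directly into code. The following is an added example, not BSI's code or part of the original guidance, showing a NIST SP 800-63B style check in Python: a minimum length, no composition rules, rejection of passwords that contain the account name, and screening against the Have I Been Pwned "Pwned Passwords" corpus using its k-anonymity range lookup (only the first five hex characters of the SHA-1 hash leave the server). The range response embedded here is constructed for offline use, with made-up filler suffixes and illustrative counts; the real endpoint is https://api.pwnedpasswords.com/range/<prefix> and `offline_range_lookup` stands in for that HTTPS call.

```python
import hashlib
import unicodedata
from typing import Callable, Dict, Tuple

# Constructed sample of a Pwned Passwords "range" response for the SHA-1
# prefix 5BAA6. The real API returns every 35-hex-char suffix that shares
# the prefix, one per line as SUFFIX:COUNT. The first entry is the genuine
# suffix of sha1("password"); the other two are filler, and all counts are
# illustrative rather than real.
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "00000000000000000000000000000000000:1\r\n"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2\r\n"
    ),
}

MIN_LENGTH = 8    # NIST SP 800-63B floor for user-chosen passwords
MAX_LENGTH = 256  # generous upper bound; only there to cap hashing cost


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    An unknown prefix returns an empty body, i.e. no suffix matched.
    """
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str,
                 range_lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """Return how many times the password appears in the breach corpus.

    Only the 5-char hash prefix is sent to the lookup; the full hash is
    compared locally against the returned suffixes (k-anonymity).
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_password(password: str, account_name: str,
                   range_lookup: Callable[[str], str] = offline_range_lookup
                   ) -> Tuple[bool, str]:
    """Validate a customer-chosen password. Returns (accepted, reason)."""
    # Normalise so visually identical Unicode inputs are treated the same
    # before length checks and hashing (NIST 800-63B recommends NFKC/NFC).
    password = unicodedata.normalize("NFKC", password)

    if len(password) < MIN_LENGTH:
        return False, f"too short: at least {MIN_LENGTH} characters required"
    if len(password) > MAX_LENGTH:
        return False, f"too long: at most {MAX_LENGTH} characters accepted"

    # Context-specific rejection: the account name is the first thing an
    # attacker will try, so it must not appear in the password.
    if account_name and account_name.lower() in password.lower():
        return False, "contains account name"

    # Deliberately no composition rules: spaces, Unicode and all-lowercase
    # passphrases are allowed; strength comes from length and the breach check.
    count = breach_count(password, range_lookup)
    if count > 0:
        return False, f"found in {count} known breaches; choose another"

    return True, "ok"
```

In production the lookup function would issue the HTTPS request (and fail closed or open according to your risk appetite when the service is unavailable); pair the check with per-account and per-IP login rate limiting, since a strong password policy does nothing against an attacker replaying credentials stolen elsewhere.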
Stephen Bowes, Global Practice Director for Data Management and Security Technologies at BSI explains: “One of the key business trends of 2020 has been organizations pivoting online in response to government restrictions in response to the COVID-19 pandemic. This is largely a positive trend, however as the volume of data transactions increases, especially at this time of year, cyber attackers will be looking for opportunities. They’ll be seeking to exploit small and vulnerable organizations, and the trust model of online shopping, so it is vital that organizations know how to stay safe online.”
“Our advice outlines the main areas where improvements can be made to ensure a business can stay ahead of any potential costly cyber-attacks. There is still time to be proactive and implement these vital safety measures. Doing so will strengthen a retailer’s online security posture, improve their information and supply chain resilience, reduce risks, and ultimately will ensure that their customers have a good shopping experience,” concludes Stephen.
The Consulting Services team at BSI provides an expansive range of solutions to help organizations address challenges in cybersecurity, information management and privacy, security awareness, and compliance. For more information visit www.bsigroup.com.