
Careless click or two and here come the hackers

How nice it is to shop from the safety of your home by moving the mouse across the screen and selecting any product that comes to mind! Consumers around the world are increasingly choosing this method of shopping, especially after the pandemic years, as it makes browsing and comparison easier and offers a wider choice than old-fashioned wandering through stores. The growth rate of the global e-commerce market peaked in 2021 and is expected to remain at least eight percent over the next few years.

Statistical data confirms this. In 2023, e-commerce remains a dominant force, with retail growth of 47 percent projected by 2027, according to Euromonitor International. In the EU, last year’s demand from two age groups, 25 to 34 and 35 to 44, drove this growth: as many as 87 percent of individuals in these groups purchased or ordered goods or services online last year.

A very serious threat

The sheer volume of monetary transactions in online stores, and of users clicking through them, opens the door to cyber attacks targeting both the platforms and their customers. Such attacks pose a serious threat not only to customers’ financial data but also to the reputation of companies operating in the digital environment. Protecting customer data has therefore become a priority for every serious e-commerce business. Companies are now investing large sums in advanced security technologies and protocols to defend against increasingly sophisticated threats. Complex security measures such as data encryption, two-factor authentication, security audits, and continuous monitoring of network activity are now standard practice in the industry. While these investments significantly increase security and customer trust, they are a large cost for companies, especially those still in the startup phase of their business.

Balancing a top-notch customer experience against high security standards can be challenging, but it is essential for the long-term success and sustainability of e-commerce platforms. What is the situation on the home front when it comes to security? We checked with the president of the eCommerce Croatia association, Marcel Majsan, who says that one of the association’s key goals is to increase trust in online shopping, which is why great attention is paid to market education, legal analyses, and certification of webshops. As Majsan says, the association has also introduced a service for verifying fake websites, developed exclusively for customers.

Help for e-commerce businesses

– We are actively working on educating the market about cybersecurity as a new Cybersecurity Act came into force in February, which is part of the NIS2 directive. The directive on measures for a high common level of cybersecurity is a key legal framework of the EU aimed at improving cybersecurity in member states. Due to rapid technological development and increasing digitalization, NIS2 brings stricter requirements and expands the scope of application, which is why we have already held several lectures on this topic for our members this year. We will soon launch cooperation with leading security companies to provide our members access to top-notch tools and technologies, and within our association, we plan to offer guidelines and recommendations for implementing security measures, says Majsan.

Regarding investments in security, Majsan says that estimates of investments in security measures and technologies vary depending on the size and specifics of each e-commerce business. However, global trends show that companies invest between 10 and 15 percent of their IT budget in cybersecurity.

– In Croatia, specific data is not always publicly available, but we estimate that larger e-commerce businesses invest significant amounts in security measures to protect their users and data, he adds.

The biggest challenges are the lack of awareness about the importance of cybersecurity, the shortage of specialized professionals, and financial constraints for implementing advanced security measures. Additionally, the rapidly changing technology and tactics of cyber attacks require constant updating and adaptation of security strategies, which can be challenging for smaller companies. Nevertheless, employee education is the first and most important step that everyone must take, which is not so expensive or time-consuming, as the security problem often starts with the individual.

Phishing is the most common

This is confirmed by the fact that one of the most common threats is phishing, which is used to steal customer data. Attackers impersonate legitimate organizations to deceive users and obtain their personal information. The solution includes educating users to recognize phishing attempts and using tools to block it. Another major threat is malware, which can infect user devices or e-commerce servers; it can steal data, damage the system, or cause other forms of harm. Preventing malware involves using antivirus software, regularly updating systems, and implementing measures to stop malicious software from getting in. Distributed denial-of-service (DDoS) attacks are also a serious threat. The goal of a DDoS attack is to overload e-commerce servers so that they become unavailable to users. The defence includes implementing DDoS protection and using content delivery network (CDN) services to mitigate the impact of the attack. That’s not all. SQL injection attacks are also a common threat to e-commerce. In these attacks, malicious SQL queries are fed to the database, which can be damaged or have its data stolen. The defence includes using prepared statements and regularly testing for vulnerabilities to identify and eliminate security gaps.
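To make the SQL injection point concrete, here is an added example (not code from the article or from any company it names): a product lookup built by string concatenation next to the same lookup as a prepared statement, run against a constructed in-memory SQLite table. The table, SKUs and product names are invented for the demonstration.

```python
"""Vulnerable lookup vs. prepared statement, using Python's built-in sqlite3."""
import sqlite3


def make_db():
    """Constructed sample data: a tiny webshop catalogue with one hidden item."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("A1", "Running shoes", 1), ("B2", "Jacket", 1), ("X9", "Unreleased item", 0)],
    )
    return conn


def lookup_vulnerable(conn, sku):
    """Builds the query text from user input, so the input can rewrite the WHERE clause."""
    sql = "SELECT name FROM products WHERE sku = '" + sku + "' AND public = 1"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, sku):
    """Prepared statement: the driver binds sku as a value; it is never parsed as SQL."""
    sql = "SELECT name FROM products WHERE sku = ? AND public = 1"
    return [row[0] for row in conn.execute(sql, (sku,))]


def compare(sku):
    """Run both variants on the same input and return (vulnerable, prepared) results."""
    conn = make_db()
    return lookup_vulnerable(conn, sku), lookup_prepared(conn, sku)


if __name__ == "__main__":
    # A normal SKU behaves identically in both variants.
    print(compare("A1"))
    # Input containing a quote: the concatenated query returns every row,
    # including the non-public one; the prepared statement returns nothing.
    print(compare("X9' OR '1'='1"))
```

The second call shows the difference a practitioner should test for: with concatenation, the `public = 1` filter is bypassed, while the bound parameter is simply compared as an ordinary string and matches no SKU.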

– In addition to these software threats, e-commerce businesses also face physical threats. For example, we recently had a power outage that, had it lasted longer, could have significantly limited operations. Besides cyber threats, e-commerce businesses can be affected by weather disasters, power grid failures, fires in server rooms, or even threats from dissatisfied former or current employees. Solutions for these threats include business continuity plans, data backups, and physical security of facilities, says cybersecurity expert Matko Antun Bekavac from CyberArrange Security Solutions.

However, stores are not the only targets. Customers are also exposed to threats such as phishing, identity theft, fake e-commerce websites, and malware. In phishing attacks, users are deceived by fake emails or websites pretending to be legitimate into revealing personal or financial information. Identity theft involves the illegal use of customers’ personal data, typically for financial fraud. Fake e-commerce websites are designed to look like well-known stores but are actually used to collect sensitive data or commit fraud. Although fraud and threats are increasing, Majsan says that the state of cybersecurity in the Croatian e-commerce sector is improving, though there is still room for improvement.

– Compared to some Western European countries, Croatia lags behind in certain areas, especially in the implementation of advanced security technologies and training of personnel. Nevertheless, the increasing awareness of the importance of cybersecurity and investments in this area is a positive trend, says Majsan.

What to do

If an attack occurs, there are steps and procedures that every e-commerce business must take to protect itself and its customers. Bekavac says that the most important thing is to use SSL/TLS encryption, which is a key measure to secure communication between customers’ browsers and e-commerce servers. This is the basic protection that every e-commerce business must implement.

– Regular software updates and employee education are also crucial. Updating operating systems, applications, and security patches along with continuous employee education can significantly improve the security state compared to all other measures. Strong passwords and authentication are the next step. Therefore, it is important to encourage users to use strong passwords and implement two-factor authentication (2FA) for added security, he says, adding that database encryption and access restriction are also extremely important.

However, he notes, there are often reports of password leaks in which the passwords were not hashed but stored as plain text that anyone can read. Data encryption and proper access management can significantly reduce the risk of such incidents. It is also important to use web application firewalls (WAF) and antivirus scanners, which help protect against various types of attacks and malware.
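The plain-text password problem described above, shown in an added example that is not from the article or the expert quoted: passwords are stored as salted scrypt hashes using only the Python standard library, so a leaked table no longer contains anything a reader can log in with. The scrypt cost parameters and record format are assumptions for the demonstration, not a recommendation from the article.

```python
"""Store and verify passwords as salted hashes instead of plain text."""
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: assumed for this example (about 16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def _derive(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from the password and salt."""
    return hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record to store: hex(salt)$hex(hash). A fresh salt per user
    means two users with the same password get different records."""
    salt = salt if salt is not None else os.urandom(16)
    return salt.hex() + "$" + _derive(password, salt).hex()


def verify_hashed(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    return hmac.compare_digest(_derive(password, bytes.fromhex(salt_hex)).hex(), digest_hex)


def leaks_password(password: str, record: str) -> bool:
    """True if the stored record still reveals the password (as plain text would)."""
    return password in record


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    rec = store_hashed("correct horse battery")
    print(rec)
    print(verify_hashed("correct horse battery", rec), verify_hashed("wrong", rec))
    print("password visible in record:", leaks_password("correct horse battery", rec))
```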

– Finally, regular security checks and testing are desirable. This should be done by an external company to ensure objectivity and expertise in assessing security measures and identifying potential vulnerabilities, concludes the cybersecurity expert.
