The holiday season is a busy one for shoppers, retailers, and customers alike. Unfortunately, the upswing in holiday shopping presents cybercriminals with many opportunities to disrupt e-commerce operations.
While an organization’s own network may be well-secured, this doesn’t mean the organization is safe from attack. Supply chain attacks have become increasingly common as hackers target the weakest link and use it to gain access to more hardened networks.
Identifying and plugging supply chain security holes is an important part of gearing up for the upcoming holiday season.
Manage Data Sharing
Behind the scenes, an e-commerce company is rarely working alone. A consumer may shop for and purchase goods on one organization’s website, pay for their purchase through a second company, and have it delivered to them by a third.
Accomplishing this seamless customer experience requires information sharing and integration between an organization’s website and the services of each of its vendors. However, this convenience can also cause security risks.
E-commerce companies should carefully review what data they are sharing with supply chain partners, additional third-party vendors and subcontractors and limit this to only what is necessary for the outside companies to fulfill their roles.
Supply chain vendors should also provide defined policies and controls and be required to meet those standards as terms of their business agreement. Ultimately, the e-commerce companies are liable even if the subcontractors were at fault for not providing adequate security.
In addition, consider requiring your supply chain partners to perform regular vulnerability scans, an annual penetration test, security assessments and security accreditations to ensure they maintain a good security posture.
Ensure Cloud Security
Behind many supply chain websites lies the cloud. The growth of cloud computing means that most organizations have placed some or all their data storage and processing on cloud deployments.
The cloud is convenient, but it often creates security issues through mismanagement and misunderstanding, stemming from two main concerns: the use of file sharing and syncing services and applications, and the notion that security is the responsibility of the cloud provider.
Many organizations have been the victim of data breaches caused by placing sensitive information on publicly accessible cloud storage. In fact, a significant number of events Avertium sees in the enterprise environments we monitor through our managed security services stem from the use of file syncing services such as Dropbox and Google Drive, among others.
Companies with less mature security models are often drawn to the convenience and accessibility these services offer at a low entry-level price. From a security perspective, unless these service tiers are examined for the security features the business environment actually requires, they can present a significant security gap. These solutions are insecure if not maintained properly or thoroughly vetted for security-focused feature sets.
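The publicly accessible storage problem described above is usually a permissions misconfiguration that can be caught before data lands in it. The following is an added example, not Avertium's code or the code of any cloud provider: a small checker for AWS S3 bucket policy documents (the standard IAM policy JSON format) that flags Allow statements granted to an anonymous principal. The sample policy, bucket name and account id are constructed for illustration.

```python
import json

# Constructed sample bucket policy for illustration; not from any real deployment.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # world-readable exports: the misconfiguration the article warns about
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-orders-export/*",
        },
        {   # scoped to a single partner role: not a finding
            "Sid": "PartnerUpload",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/partner-upload"},
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::example-orders-export/inbound/*",
        },
        {   # anonymous principal narrowed by a source-IP condition: still worth review
            "Sid": "PartnerRangeRead",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-orders-export/feeds/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.0/24"}},
        },
    ],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the statement applies to everyone (wildcard principal)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy_json):
    """Return the Allow statements granted to an anonymous principal.

    Each finding records the Sid, actions, resources and whether the grant
    is unconditional (no Condition block narrows it).
    """
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":          # Deny statements never open access
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "unconditional": "Condition" not in stmt,
        })
    return findings


def summarize(policy_json):
    """One report line per finding; unconditional public grants are rated HIGH."""
    lines = []
    for f in find_public_statements(policy_json):
        severity = "HIGH" if f["unconditional"] else "MEDIUM"
        lines.append(f"{severity} {f['sid']}: {','.join(f['actions'])} "
                     f"on {','.join(f['resources'])}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_POLICY):
        print(line)
```

Run it against policies exported from your own and your vendors' accounts; a statement whose principal is `*` with no Condition is the pattern behind most public-bucket breaches, and a conditional one still deserves a second look because the condition, not the principal, is all that keeps it private.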
Additionally, many companies assume their cloud vendor is responsible for and has adequate tools, policies and procedures in place for protecting the data with which they are entrusted.
Using cloud services does not transfer the company’s risk to the vendor, rather it is a shared responsibility. Providers typically offer basic controls, which is helpful; but in the event of compromise the company – the data owner – is liable.
Confirm your vendor is aware of these points and has acted accordingly. A review of the supply chain cloud security settings to ensure they meet your organization’s standards is a good idea going into the holidays.
The internet of things (IoT) is growing rapidly, and a popular commercial application is sensors. IoT sensors monitor products or machinery throughout their lifecycle and report back on their status automatically via the internet.
IoT sensors serve a valuable purpose, but, like anything connected to the internet, they can be a security liability as well if not properly configured and secured.
Hackers target these gadgets to gain visibility into an organization’s internal operations or databases, or even to feed false information to the company. Any IoT devices connected to your network, including those used for supply chain management, must be properly set up and connected to a protected network.
The interaction between different parts of the supply chain in online e-commerce is often implemented via application programming interfaces (APIs). An API improves operational efficiency by allowing automated interactions between different organizations’ back-end systems.
The steady stream of new business systems, combined with an API’s ability to connect these applications to each other quickly and easily, has created API sprawl and a myriad of associated risks. If APIs are not inventoried and actively monitored, an attacker can locate and access them, making them a source of valuable data.
APIs are often designed for direct communications with “trusted” parties, so they may not be configured with security in mind. Communications may not be encrypted or may have inadequate mechanisms for authenticating the remote party. For instance, API management systems may reject invalid login attempts but are often not sophisticated enough to stop clients from continuously trying new combinations until they eventually gain access.
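The last point is the difference between rejecting a bad credential and actually stopping a guessing client. As an added example (not Avertium's code or any API gateway's built-in feature), the following gateway-side check wraps API key authentication in a per-client sliding-window failure counter with a lockout. The client key, the API key id, the secret and the in-memory credential table are all constructed assumptions; a real deployment would store hashed secrets and would usually key the throttle on the API key id as well as the source address.

```python
import hmac
import time
from collections import defaultdict, deque


class FakeClock:
    """Controllable clock so the example runs deterministically offline."""

    def __init__(self, start=0.0):
        self.now = float(start)

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class LoginThrottle:
    """Sliding-window failure counter with lockout, keyed per client.

    The key is whatever identifies the caller at the gateway (assumed here
    to be the source IP); the same logic can be keyed by API key id.
    """

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)   # client -> timestamps of failures
        self._locked_until = {}               # client -> time the lockout ends

    def is_locked(self, client):
        until = self._locked_until.get(client)
        if until is None:
            return False
        if self.clock() >= until:             # lockout expired: reset state
            del self._locked_until[client]
            self._failures[client].clear()
            return False
        return True

    def record_failure(self, client):
        """Register a failed attempt; returns True if this one triggers lockout."""
        now = self.clock()
        stamps = self._failures[client]
        while stamps and now - stamps[0] > self.window:   # drop stale failures
            stamps.popleft()
        stamps.append(now)
        if len(stamps) >= self.max_failures:
            self._locked_until[client] = now + self.lockout
            return True
        return False

    def record_success(self, client):
        self._failures.pop(client, None)


def authenticate(throttle, secrets, client, api_key_id, presented_secret):
    """Gateway-side check: returns 'locked', 'denied' or 'ok'.

    `secrets` maps API key id -> expected secret (a constructed in-memory
    table; a real deployment would store hashes, not plaintext secrets).
    """
    if throttle.is_locked(client):
        return "locked"                        # refuse before touching credentials
    expected = secrets.get(api_key_id)
    if expected is None or not hmac.compare_digest(
            expected.encode(), presented_secret.encode()):
        throttle.record_failure(client)
        return "denied"
    throttle.record_success(client)
    return "ok"


def simulate(throttle, secrets, client, attempts):
    """Run a sequence of (api_key_id, secret) attempts and return the outcomes."""
    return [authenticate(throttle, secrets, client, k, s) for k, s in attempts]


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    throttle = LoginThrottle(max_failures=3, window_seconds=60,
                             lockout_seconds=300, clock=clock)
    secrets = {"key-123": "s3cr3t"}            # constructed sample credential
    guesses = [("key-123", "pass"), ("key-123", "1234"),
               ("key-123", "admin"), ("key-123", "s3cr3t")]
    print(simulate(throttle, secrets, "203.0.113.5", guesses))
    clock.advance(300)
    print(authenticate(throttle, secrets, "203.0.113.5", "key-123", "s3cr3t"))
```

The key design point is that the fourth attempt is refused even though the secret is correct: once a client has crossed the failure threshold inside the window, the gateway stops evaluating credentials for it at all until the lockout expires. The failure timestamps and lockouts are also the data a monitoring team wants to see, so in practice they would be emitted as events rather than kept only in memory.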
During this hectic – and possibly the most profitable – time of the year, making the effort to apply these guidelines will go a long way toward a successful holiday season and carry into the New Year.