Ecommerce experts and professionals weigh in on the top cyber threats during the holiday season and provide insight on how to manage the influx of web traffic
The latest data from Adobe Digital Insights shows Cyber Monday 2017 to be the largest online sales day in history with $6.59 billion, marking a 16.8 percent year-over-year (YoY) increase. Although the biggest day in ecommerce may be behind us, this is no time to rest on our laurels, as the rest of the holiday season will continue to bring an onslaught of website traffic and cyber threats.
To help ecommerce companies best prepare for the most important time of year, I asked industry experts and practitioners about the biggest threats they’re facing and their most valuable advice for managing the influx of web traffic.
Jay Allen, Digital Operations at Genuine Parts Company
One of the top concerns we and other ecommerce companies should have during the holiday period is basic, but it’s to keep the site up. Some serious threats to this are distributed intelligent crawling and DDoS attacks. This is especially a concern as it can severely stress your infrastructure during an already high traffic period. The impact of which could be core features of your site being brought down during one of the highest revenue periods of the year.
The best thing any company can do for managing their traffic during the holiday season is to have already tested and understood the capacity of different portions of their infrastructure. Afterwards, spend the time to create a plan of action for teams to follow in case of incidents. Have controls in place to be able to bypass or degrade certain features of your site that may not be mission critical to the checkout process, such as inventory checks and updates or batch vs real-time order processing.
Roberto Gennaro, Chief Digital Officer at RedTag.Ca
While we as customers are looking for great deals during the holidays, it also becomes a huge opportunity for hackers looking to steal data from brands and websites.
One of the biggest threats to ecommerce companies is, with the amount of phishing scams today going into your inbox and social sites with clickbait, it's very easy to click on a link that has malicious content embedded.
Botnets that are used as-a-service, some are buying botnets by the hour to cause load restrictions on sites/brownouts and create a poor customer shopping experience.
It is more important than ever to be able to spot and eliminate any type of threat or technical difficulty that will cause any type of downtime. Being able to reduce the risk and mitigate as much as possible, having qualified human traffic to your site and stripping out all the bad bots is key to site performance.
Having the right resources available and allowing legitimate traffic to get through to your site while blocking any bad/bot traffic along with site security should be at the forefront of all site owners.
We need to take preemptive measures in preventing any known vulnerabilities from being exploited while ensuring that all of our IPS devices have the latest updates in place.
Many retailers like us will increase network traffic to allow more capacity to accommodate for the rise in online shopping this coming holiday season. Keep your site response time low as customers today have a selection of other stores a click away, and keep your promise to deliver a great customer experience while limiting any user frustration because of poor site speed.
Bryan Glenn, CTO at ShopAtHome
You should always assume that the biggest cyber threats will originate inside your company. You have to operate as if hack attempts occur on a daily basis and stick to the fundamentals. Hackers will always look for the easiest exploits possible and work toward more difficult exploits. For instance, keeping servers and software patched would have made the Equifax hack much more difficult to pull off. We’re also seeing a stark rise in the number of hack attempts involving brute force login attempts utilizing known lists of usernames/passwords acquired illegally. Implement automation and instrumentation that can not only alert you, but will bounce traffic from sensitive endpoints.
It’s often boring to say that companies should stick to the fundamentals, but I firmly believe doing the basics right will mitigate a wide variety of hack attempts. Investing in security can be difficult for small companies, but can’t be overlooked.
Be religious about monitoring your application load times. Constantly monitor page load times and leverage tools that let you see where your performance bottlenecks live. Whether it’s image optimization or a poor performing database call, you need visibility into the entire stack.
Shmaya Krinsky, CTO at Renegade Furniture
Not being updated. Hackers are constantly looking for vulnerabilities, so make sure all your plugins & third party softwares are updated with the latest patches. Turn off all connections no longer needed and remove older/not active users.
Scale up! Everyone is busier this time of year, and the cost of adding some power to your servers will always outweigh the risk of overloading.
Rami Essaid, Co-Founder and Chief Product and Strategy Officer at Distil Networks
The biggest cyber threat to ecommerce organizations doesn’t come from the outside world; it’s internal. The landscape of known threats has not changed over the past couple of years, and while each are very serious, the most dangerous threat is not being prepared. Too many companies still do not have an answer for the basic threats that we see each year. You should go down the list and make sure you have an answer on what to do for each of the following:
- DDoS / Extortion threats
- Competitor induced brown outs
- OWASP top 10 vulnerabilities
- Infrastructure hitting capacity
- Outage from your cloud vendor (DNS, Hosting, CRM, etc)
Have a mechanism to prioritize the traffic that makes you the most money. While it may be great to idealize infinite scalability, sometimes that may not be possible. In the case where you can’t serve everyone, it is important to know that not every web visit is created equal. Understand your customer segments and have a way to prioritize the most important groups. Filtering out bots is a simple example, but you can also prioritize domestic visitors, for example, or customers coming in from paid advertising. At the end of the day, the goal is to make money and you should optimize for that priority.
About the Author
Rami Essaid is the Chief Product and Strategy Officer and Co-founder of Distil Networks, the first easy and accurate way to identify and police malicious website traffic, blocking 99.9% of bad bots without impacting legitimate users. With over 12 years in telecommunications, network security, and cloud infrastructure management, Rami continues to advise enterprise companies around the world, helping them embrace the cloud to improve their scalability and reliability while maintaining a high level of security.Follow on Twitter More Content by Rami Essaid