CIOReview | 19 SEPTEMBER 2023

With third-party software, place emphasis on third-party risk management. Off-the-shelf transaction tools pass data between vendors, so review each hand-off between one vendor and another for risks to the process. Review vendor policies, penetration test results, and overall security posture, and choose a vendor on both quantitative and qualitative evidence.

Implementing security best practices

There are several best practices to consider for e-commerce security. Bake security into the development life cycle for the e-commerce site or app, and adhere to a secure software development framework (NIST's Secure Software Development Framework is one example). Fixing security flaws found late in the development life cycle generally costs significantly more than finding them early, so start with a clear plan and design. A standard benchmark is the Open Web Application Security Project (OWASP) Top 10, which in general covers 80% to 90% of typical attack vectors. The remainder is tied to the retailer's business model, and companies will need to build security into the platform design accordingly. The Center for Internet Security (CIS) Critical Security Controls (long known as the CIS Top 20) provide a baseline to help companies adhere to a security framework.

The first rule is to know the physical and data assets. Set a configuration standard for each asset: follow a hardening standard and limit the e-commerce platform to the actions it actually needs, with unused services, ports, and administrative interfaces disabled. For user access controls, always follow the Principle of Least Privilege (PoLP), so that administrators and employees have access only to the data and systems their role requires, and review those grants periodically. Make multifactor authentication (MFA) a hard requirement for employee and customer access. MFA pairs the password with a second factor such as a one-time code from an authenticator app or hardware token, an SMS code (the weakest option, since phone numbers can be hijacked through SIM swapping), or a biometric; signals such as geolocation are useful for risk-based checks but are not an authentication factor on their own.
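As an added illustration of the MFA requirement above (example code written for this page, not from the article or any vendor), the block below verifies a time-based one-time password (TOTP, RFC 6238) the way a server checks an authenticator-app factor: it accepts one step of clock drift, compares in constant time, and refuses a code that has already been consumed. The article does not name TOTP, so using it as the second factor here is an assumption; the secret and timestamps are the RFC 4226/6238 test values, not production data.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890"). A real
# deployment stores a random per-user secret; this fixed value is only for the demo.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter: int, step: int = 30, window: int = 1,
                digits: int = 6) -> tuple[bool, int]:
    """Server-side check of a submitted code.

    Accepts codes from `window` steps either side of the current one to absorb
    clock drift, compares in constant time, and rejects any counter at or below
    the last accepted one so a captured code cannot be replayed inside the window.
    Returns (accepted, new_last_used_counter); persist the counter per user.
    """
    submitted = submitted.strip()
    if not (submitted.isdigit() and len(submitted) == digits):
        return False, last_used_counter
    current = unix_time // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter <= last_used_counter:
            continue  # replay of an already-consumed (or older) step
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    # RFC 6238 Appendix B, SHA-1, 8 digits: T=59 -> 94287082
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    ok, used = verify_totp(RFC_TEST_SECRET, "287082", 59, last_used_counter=0)
    print(ok, used)  # True 1
    # Same code presented again within the window: rejected as a replay.
    print(verify_totp(RFC_TEST_SECRET, "287082", 59, last_used_counter=used))  # (False, 1)
```

The per-user `last_used_counter` is what stops an attacker who phishes or shoulder-surfs a code from reusing it in the remaining seconds of the step; the drift window should stay at one step, since widening it multiplies the number of codes an online guesser can hit.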
Establish a data protection program to safeguard personally identifiable information (PII), credit card and other financial data, and any other information sensitive to the retailer. Apply classifications and labels so that, wherever the data resides, administrators can identify it, report on it, and monitor it for adverse actions. Define a policy for each classification, classify the data, and protect it according to that policy.

A well-defined vulnerability management program is critical. Focus on scanning, testing, and remediation of identified vulnerabilities. Treat high and critical vulnerabilities with urgency, as they are the ones attackers reach for first. It is rarely possible to remediate every vulnerability at once, so rely on defense in depth: multiple layers of security controls rather than a single control, so that one missed patch does not by itself expose the whole platform.

Be mindful of customers' right to privacy. Develop a program that accounts for the legal and regulatory obligations tied to business requirements and to local, state, and federal law. Breaches consistently involve the theft of data, in particular customer PII.

Offering a safe, seamless experience

The goal of security should be to build and maintain trust with the customer, protect the business and the customer, and enable the business to accomplish its mission. When customers trust that a company is protecting their personal and financial information, it leads to stronger relationships, a positive brand reputation, and return transactions. It's important to remember, however, that security for e-commerce is never finished. New vulnerabilities, risks, and business requirements emerge every day. That makes security a complicated field that ultimately must be included in all areas of the business. A quality security program needs enforcement from the executive team and buy-in from the delivery teams, and the right investment from the top for the tools and services it requires.
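As an added example of the classify-and-label step in the data protection paragraph above (illustration written for this page, not code from the article), the block below scans free-text records for the two data types that paragraph singles out, card numbers and personal identifiers, and assigns each record a label from a sensitivity scheme. The label names, the Luhn-based card-number detection, the email pattern, and the sample records are all assumptions made for the illustration; a real program would use the classifications its own policy defines.

```python
import re

# Illustrative label scheme, lowest to highest sensitivity (an assumption for this
# example; substitute the classifications your data protection policy defines).
LABELS = ("PUBLIC", "CONFIDENTIAL-PII", "RESTRICTED-PCI")

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from order IDs and tracking numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Digit-only card numbers found in text whose check digit validates."""
    pans = []
    for candidate in _PAN_RE.findall(text):
        digits = re.sub(r"\D", "", candidate)
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, so reports and logs never carry a full PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def classify(text: str) -> tuple[str, dict[str, list[str]]]:
    """Return (label, findings) for one record; card numbers are masked before being reported."""
    findings: dict[str, list[str]] = {}
    pans = find_pans(text)
    if pans:
        findings["pan"] = [mask_pan(p) for p in pans]
    emails = _EMAIL_RE.findall(text)
    if emails:
        findings["email"] = emails
    if "pan" in findings:
        label = "RESTRICTED-PCI"
    elif "email" in findings:
        label = "CONFIDENTIAL-PII"
    else:
        label = "PUBLIC"
    return label, findings


# Constructed sample records for the illustration (not real customer data).
SAMPLE_RECORDS = [
    "Order 1042: 2 x blue mug, tracking id 1234567890123456",
    "Order 1043 shipped to jane.doe@example.com",
    "Support note: customer read card 4111 1111 1111 1111 over the phone, exp 12/27",
]


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        label, findings = classify(record)
        print(f"{label:17s} {findings}")
```

The tracking number in the first record is sixteen digits long but fails the Luhn check, so it is not mislabelled as card data; the third record is what a data protection program most wants to catch, a full card number typed into a free-text field outside the payment flow, and the masked finding lets the report show where it is without copying it again.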
For many businesses, the best path to get started is to invest in a strong security partner. The field is ever changing and complex, and requires consistent delivery to be effective. Overall, security is not a technology, tool, or person, but a process of defining and remediating risk.