As online purchases grow and grow (expected to represent 71 billion euros in 2016), the French Federation for e-commerce and online sales (FEVAD) is working hard to raise awareness of cyber-security. Part of its efforts involves the publication of a (thick) white paper intended for company managers and business unit managers who want to reduce their risks and protect their activity for the long term. Illustrated with real-life cases of cyberattacks (ransomware, DDoS, etc.) and backed by testimonials from e-merchants, IS security professionals and a number of entities familiar to members of Le Cercle (ANSSI, CESIN, Clusif, etc.), the publication aims to be informative, practical and educational.
First of all, it makes a general observation: there is a rise in the number of attacks that are often minor but more targeted and more sophisticated, and that affect growing numbers of people, with the goal of stealing data or content. Plus, experts have noticed a recent development: malicious operations targeting entire sectors (finance, media, distribution, etc.). The authors underscore just how vulnerable e-merchants are: their employees are poorly informed, their sites were not designed natively for security, and to top it all off, maintenance is neglected. Then the paper provides a series of recommendations that start with risk mapping – “the starting point of any cyber risk control method” – and the establishment in house – and throughout the entire ecosystem – of a “risk culture”.
The authors insist that e-merchants really don’t have any choice in the matter: these methods are essential and sometimes even mandatory. First of all, because of the new EU rules on data protection (GDPR) that require companies to set up new procedures by 2018. But also for the very survival of the activity: “It is absolutely vital that customers trust the systems that record and process their personal and financial data! E-merchants can be held liable.” In this context, “personal data protection will be the next major project for all CISOs working for e-commerce sites in coming years”. The white paper considers CISOs to be key players at the crossroads between business and technology who, “in addition to their technical skills, also need to understand all of the business issues.”
More information on the FEVAD website.