Data breaches seem to be a regular feature in the news nowadays, especially since the GDPR came into force a couple of years back. The higher frequency of articles announcing newly hacked victim organisations gives an idea of the growing scale of the security problem - a trend that we have been talking about, and warning of, for years.
Organisations particularly at risk of compromise are online businesses - eCommerce websites. In fact, eCommerce websites are currently (and have been for several years) the most targeted type of organisation within the Payment Card Industry, simply because the crime is so much easier to execute. The reward for criminals is not as high as it is for targeting a bank, but the crime is a lot easier to pull off and to scale.
The Foregenix Digital Forensics and Incident Response team is one of the most active PCI Forensic Investigation teams globally. According to banking partner sources in the UK and across Europe, we help more hacked eCommerce organisations with our forensic and incident response capabilities than all of our European competitors combined. The reason for telling you this is to make the point that we get to see emerging trends a lot earlier in the trend cycle due to the volume of hacked eCommerce websites that we are helping.
What we learn from all of these investigations is then passed on to our clients and partners to educate them in protecting their businesses from similar attacks.
The unique view that we have on early cybersecurity trends in the market has led us to create solutions that help small-to-medium-sized eCommerce businesses protect themselves against the threats we're encountering daily. Two of the products we’ve developed are:
We monitor over 12 million websites globally for attack trends, vulnerabilities and risk of compromise. We can tell you very quickly if your website is at risk of being breached, or if it has already been hacked. We provide this free of charge, enabling ad hoc scans as well as ongoing monitoring of an eCommerce website for threats: www.foregenix.com/threatview.
Help yourself - it’s FREE with no strings attached - and uses the latest threat detection capability from our Threat Intelligence Group.
In conversations we have with clients and prospects, the subject often turns to the cost of a breach and what exactly a small-to-medium-sized business could expect to pay. A considerable number of articles have been written over the years highlighting the cost of a data breach to small and medium-sized organisations. Here are a couple of articles we’d recommend reading:
Feedback that we have had from the card brands, acquiring banks and breached organisations is that the typical cost for a breach of an eCommerce merchant processing over 10,000 cards in a year is €18/card. When you factor in the average time between breach and detection being 5.5 months (based on our forensic team's experience), it is fairly easy to work out how many cards could have been stolen and what the associated costs could be.
As a first example, let’s imagine an eCommerce business was processing 60,000 transactions (let’s assume a unique card per transaction to keep it easy) in a year. And let’s assume the business was average in their capability to detect the hack.
This excludes forensic investigation costs and any other potential fallout such as legal, PR, etc.
You can see how the numbers stack up quickly. Fortunately, the card brands have favourable terms for businesses that identify the breach and notify their bank and the card brands quickly - in fact, there are a few ways to get the cost down, but all require the victim to be proactive, to work with their bank and the brands, and to sort out the breach quickly. Our advice would be to contact your acquiring bank for more detailed information, as these terms are not published publicly.
As a second example, let’s imagine a small eCommerce business processing under 8,000 transactions (again assuming a unique card per transaction) in a year. Let’s assume that they, too, are average in their capability to detect the hack.
A point to add is that no GDPR penalties have been factored into this article - there are a huge number of articles with information on the GDPR penalty structures. A good place to view the penalties issued by the ICO is: https://ico.org.uk/action-weve-taken/enforcement/
If you’d like to get proactive about your website security and reduce the risk of a breach - you can create a free ThreatView Community Account to monitor your eCommerce website's security and risk status here: