Studies reveal worrying trends as platforms go out-of-date and cyber attacks increase. HAL WILLIAMS reports.
SMALL businesses in the UK are targeted by up to 65,000 cyber attacks daily — and around 4,500 of those hacks are successful, costing companies £2.48m per instance.
Lockdown measures have changed the IT landscape. Just 11 percent of UK businesses believed — pre-lockdown — that their entire workforce would be able to work remotely. That shot up to 70 percent once lockdown hit, and more than half managed to transition in less than 48 hours.
Little governmental consideration was given, at the time, to the security of IT and Cloud. Half of the companies canvassed in a study by global recruiter Robert Walters and data provider Vacancysoft admitted that they did not have adequate cybersecurity provision to maintain a 100 percent remote working model.
Some 44 percent of consumers say they would stop using an online company that was breached during an attack. A warning shot for e-traders: in May this year there was a 168 percent spike in e-commerce transactions. Online sales represent 27.5 percent of total UK retail sales this year — a figure expected to grow to almost 33 percent by 2024.
And the problem is not confined to Britain. Almost 97 percent of European e-commerce firms using one particular website platform are at high hacking risk, according to more research, this time from cybersecurity company Foregenix.
This study, which analysed 113,000 websites in Europe using the Magento 1 e-commerce platform, also reveals 430 sites — 0.38 percent of the total — are currently being hacked and card data is being stolen.
Foregenix found 52 percent of the 40,000 Magento 2 websites analysed were at “high” or “critical” risk. The rate for merchants’ websites currently being hacked and losing data stands at 0.25 percent. North American rates for Magento 1 and 2 platforms at high risk correspond to European figures, but “critical risk” for European merchants is lower.
Darius Goodarzi, principal of Information Security and IT Risk at Robert Walters, said cyber attacks had hit an all-time high in recent years. “As the general public became increasingly aware of personal data and privacy issues — including the introduction of GDPR — cyber security increasingly became a ‘differentiator’ for brands in a market where customers demand more transparency.
“The tech industry has set the tone, with brands such as Apple and WhatsApp putting security at the centre of their marketing message. For e-commerce, on the other hand, the pace at which the sector grew during Covid-19 raises questions as to whether their cyber security has been up to par with the sharp increase in traffic to online sites.”
Cybersecurity job vacancies within the Consumer Goods and Services sector have increased by 17 percent over the past year.
Marlborough-based Foregenix monitored over 275,000 Magento websites globally using its WebScan solution in May and July. WebScan searches for malware and security patches (for Magento 1), and analyses the website framework implementation for vulnerabilities, such as unprotected admin pages.
The global data showed that while Magento 1 users fell in June and July, the take-up for Magento 2 went up for the same period.
“Magento 1 websites are a major concern in the industry following the end of life for the platform in June,” says Foregenix co-founder Benjamin Hosack.
“Websites built on Magento 1 have a decaying security posture and the risk of being targeted and compromised is increasing.” Hosack recommends migration to Magento 2 or another platform. “While Magento 2 offers continuing security support, it is still crucial for merchants to remain vigilant and be proactive to reduce the risk of their own and clients’ data being compromised.”
Foregenix has signed a strategic partnership with e-commerce hosting firm Sonassi, part of the iomart group, to provide more protection to firms planning to upgrade their website platforms. Sonassi MD Neil Christie says the Magento community has been “targeted by criminals for the last couple of years”, causing considerable damage. “Our partnership with Foregenix is a strategic move,” he said.
The joint effort will give Sonassi’s clients access to Foregenix’s FGX-Web solution, which monitors for threats and suspicious behaviour and alerts users to attacks and possible breaches as they migrate to more secure platforms.
According to Foregenix’s research, there are more than 200,000 e-commerce companies worldwide using Magento 1 — and since June they have no longer been supported for upgrades.
It is predicted that the current national £68bn spend on cybersecurity will need to be doubled to stay on top of the problem in the UK. But in a period of rapid, non-legislated change, the question remains about where accountability for data breaches lies.
Nathan Tittensor, of UK-based cybersecurity consultancy i3Secure, says the legal sector should begin considering its security posture. “It deals with high volumes of confidential information, (but has) never been mandated to have certifications around security,” he said.
“Although we are starting to see firms achieve certifications such as ISO 27001 to demonstrate they have robust practices and enhance customer trust, it is remote working that has really shone a spotlight on the sector and they should act fast before it is faced with the consequences of personal information being mishandled when not on-site in offices.”
Due to regulation, the banking and financial sector maintains top position for IT security. Cybersecurity hires in recent years have been driven largely by the need to facilitate secure open banking and stave off automated fraud.
Ajay Hayre, senior tech consultant at Robert Walters, said: “This has truly been the year for fintechs, who have increasingly been stepping into the space of traditional banks — playing an active role in the government bailout scheme, as well as obtaining licences to be able to deliver traditional banking services such as direct debits and overdrafts.
“The urgent need for this sector to protect data in transit or in the cloud has led to a surge in cybersecurity hires of 37 percent since 2018. If fintechs follow the gold standard of their elder, more experienced siblings — traditional banks and financial service institutions — then their security protocols will not be of concern.”