The seemingly endless stream of attacks all but obliges e-commerce providers to reassess their data security principles and procedures. What used to be considered best practice may now not even be minimally adequate. Savvy e-commerce providers will keep raising their cybersecurity bar to deter attacks, whether targeted or opportunistic. This article offers five basic tips to help you assess and improve your security posture.
1. Know Your Data, Network and Systems
What data do you collect, and why? Given the rapid growth of e-commerce, it is not surprising that most data systems were developed and grown organically rather than strategically. When asked why certain data is collected, or stored, or not expunged at regular intervals, the most typical response is: “We’ve just always done it that way.” It’s not easy to reassess your data collection, storage, transmission and access privileges in a single bite, so consider an incremental approach. Pick one manageable data stream for a pilot assessment and use the results to inform how you tackle the rest of the enterprise.
2. Determine What Data Is Most Sensitive to Your Customers and Employees, and Critical to Your Company
Not all data is created equal. Classify your data according to sensitivity. Don’t worry about which lexicon to use, but give some thought to how many tiers make sense for your company, and record which systems hold data in each tier. Once you decide which data sets deserve what kind of protection, calibrate both the controls around those sets and your response to a compromise of them accordingly.
3. Articulate Your Protection and Detection Objectives
Simple steps can lead to huge improvements. Many e-commerce platforms rely on multi-tasking managers, and as jobs evolve and people move between roles, it’s often challenging to have the discipline to reassess whether an individual’s access privileges still reflect their current responsibilities. Strengthening access controls is often the easiest step with the largest payoff: on a fixed schedule, compare each account’s privileges against what the person’s current role actually requires, and remove the rest. Enacting and enforcing the principle of least privilege is an integral part of improving access controls.
As much as we’d like to protect and detect everything, focus on logging and monitoring your most important data assets. As you reassess what data you collect and why, carry that thinking over to what kind of logging and monitoring that data deserves. Equally important: Ensure that your vendors follow these same principles.
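The three ideas in points 2 and 3 (tier the data, grant only what each role needs, and concentrate monitoring on the top tier) fit together naturally in code. The following is an added illustration, not code from the article or its author: it uses a constructed inventory of data stores, a hypothetical role-to-permission matrix, constructed user grants and a handful of constructed access-log lines (store names such as `payment_tokens`, users such as `alice` and the log format are all assumptions). One function performs the periodic access review described above and flags grants a role does not need; the other runs over log lines and alerts only on the most sensitive tier, for access a role does not justify or for bulk reads.

```python
"""Tier-driven access review and monitoring (added example; all data is constructed)."""
import re

# Sensitivity tiers for each data store: 1 = most sensitive, 3 = least.
# The store names are hypothetical placeholders.
DATA_TIERS = {
    "payment_tokens": 1,
    "customer_pii": 1,
    "orders": 2,
    "product_catalog": 3,
}

# Least-privilege matrix: the access each role needs to do its job today.
ROLE_ACCESS = {
    "warehouse": {"orders": "read"},
    "support": {"orders": "read", "customer_pii": "read"},
    "finance": {"payment_tokens": "read", "orders": "read"},
    "catalog_editor": {"product_catalog": "write"},
}

# Current state as pulled from the identity system: note the stale grants
# alice and bob kept from earlier jobs (constructed for the example).
CURRENT_GRANTS = {
    "alice": {"role": "warehouse",
              "grants": {"orders": "read", "customer_pii": "read"}},
    "bob": {"role": "catalog_editor",
            "grants": {"product_catalog": "write", "payment_tokens": "read"}},
    "carol": {"role": "support",
              "grants": {"orders": "read", "customer_pii": "read"}},
}

# Ordering of access levels so "write" is treated as more than "read".
LEVEL = {"none": 0, "read": 1, "write": 2}


def review_access(grants=CURRENT_GRANTS, matrix=ROLE_ACCESS):
    """Periodic access review: return grants that exceed what the user's
    current role needs, as (user, store, granted, needed, tier) tuples,
    most sensitive tier first so remediation starts where it matters."""
    findings = []
    for user, info in grants.items():
        needed = matrix.get(info["role"], {})
        for store, level in info["grants"].items():
            allowed = needed.get(store, "none")
            if LEVEL[level] > LEVEL[allowed]:
                findings.append((user, store, level, allowed, DATA_TIERS[store]))
    return sorted(findings, key=lambda f: (f[4], f[0]))


# Constructed log format: "<timestamp> user=<u> store=<s> action=<a> rows=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) store=(?P<store>\w+) "
    r"action=(?P<action>read|write) rows=(?P<rows>\d+)$"
)
BULK_THRESHOLD = 1000  # rows in one read that count as a bulk export


def monitor(log_lines, grants=CURRENT_GRANTS, matrix=ROLE_ACCESS, tier_limit=1):
    """Alert on access to stores at or above tier_limit that the user's role
    does not justify (even if a stale grant technically allowed it) and on
    bulk reads of such stores. Lines that do not parse are reported, not dropped."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            alerts.append(("unparseable", line))
            continue
        rec = m.groupdict()
        tier = DATA_TIERS.get(rec["store"])
        if tier is None or tier > tier_limit:
            continue  # outside the tiers we chose to watch closely
        role = grants.get(rec["user"], {}).get("role")
        allowed = matrix.get(role, {}).get(rec["store"], "none")
        if LEVEL[rec["action"]] > LEVEL[allowed]:
            alerts.append(("unauthorized", rec["user"], rec["store"], rec["action"], rec["ts"]))
        elif int(rec["rows"]) >= BULK_THRESHOLD:
            alerts.append(("bulk", rec["user"], rec["store"], int(rec["rows"]), rec["ts"]))
    return alerts


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z user=carol store=customer_pii action=read rows=3",
    "2024-05-01T09:05:00Z user=alice store=customer_pii action=read rows=1",
    "2024-05-01T09:10:00Z user=carol store=customer_pii action=read rows=5000",
    "2024-05-01T09:12:00Z user=bob store=product_catalog action=write rows=10",
    "2024-05-01T09:15:00Z user=mallory store=payment_tokens action=read rows=1",
]

if __name__ == "__main__":
    for finding in review_access():
        print("excess grant:", finding)
    for alert in monitor(SAMPLE_LOG):
        print("alert:", alert)
```

In the sample data the review flags alice’s leftover read on `customer_pii` and bob’s leftover read on `payment_tokens`; the monitor alerts when alice actually uses that stale grant, when carol pulls 5,000 rows of customer data, and when an account with no known role touches `payment_tokens`, while ignoring routine edits to the low-tier catalog. The same role matrix drives both checks, which is the point: the access review tells you what to remove, and the monitor tells you when something slipped through in the meantime.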
4. Train Your Employees and Key Management Stakeholders on the Risks You Face, and the Required Response in the Event of a Compromise
Develop an incident response plan. This is the most important (but, unfortunately, most often postponed) step you can take to improve your cybersecurity position. Assume that outside intruders will gain access. No firewall is perfect. If you have not been hacked (are you sure about that?), you almost surely will be some day. The value of an incident response plan cannot be overstated, not just as an essential tool for reacting to a breach but, equally importantly, for the focus it provides key stakeholders as they participate in its development. This is not something that should be delegated solely to IT. Include all key stakeholders (especially legal counsel, to preserve privilege) in developing the plan and as part of the incident response team itself.
There are plenty of plan templates available—but your plan needs to reflect your organization’s resources and priorities. This is not a one-size-fits-all process. Make sure that whatever plan you develop, it defines basic communication objectives and assigns the lead communicator. The plan should articulate escalation protocols to anticipate the changing dynamic of any incident.
Practice the plan at least annually.
5. Execute the Plan
Each incident is different, but the basic principles remain the same:
- Investigate the incident.
- Engage outside support as appropriate, especially forensic experts.
- Assess the incident’s impact.
- Secure your systems.
- Mitigate the damage.
- Notify law enforcement if appropriate.
- Notify your insurance carrier.
- Anticipate the tension between prompt messaging and incomplete data.
- Comply with data breach notification laws.
Robert Cattanach is a partner at the international law firm Dorsey & Whitney. He has previously worked as a trial attorney for the United States Department of Justice and was also special counsel to the Secretary of the Navy. Today, he practices in the areas of regulatory litigation, including cybersecurity and data breaches, privacy and telecommunications, civil and criminal enforcement proceedings and international regulatory compliance.