With the COVID-19 crisis forcing retailers and restaurants to close their doors, some are thinking of shifting quickly to selling products online to bring in at least some revenue.
But an expert warns managers not to leap into e-commerce without thinking of cybersecurity and privacy issues.
“A lot of smaller retailers that are not traditionally into e-commerce are rushing in quickly, and there’s a concern not only about fraud but also web and business security,” says Greg Young, Trend Micro’s vice-president of cybersecurity.
A quick but poorly thought-out e-commerce process can be a back door into a business, he pointed out. In addition, e-commerce means new data worth stealing, such as payment and customer information, that has to be protected. It also opens the possibility of goods being fraudulently obtained through stolen payment card numbers. Finally, there’s the possibility of online fraud due to charge-backs and returns. These are the things that make it exceptionally risky to jump into e-commerce without care, Young said. “You can do it quickly, but do it carefully.”
One of the biggest mistakes he says he’s seen is firms doing everything themselves — handling online credit and debit card payments and building a Web front end. “I understand they don’t want to spend a lot of money on it,” says Young. “But customers who rely on outsourcing like Shopify and other platforms certainly have a lot less risk.”
He offers these three tips:
- “Outsource what you can, only do what you must.” For speed to market and risk management, outsourcing to trusted parties will cost you some money but the trade-off is worth it.
- When considering a cloud e-commerce provider, ask what the service offering is, how it protects your customers from data theft and fraud, what the fees are, whether it handles returns and charge-backs, and what help desk service it offers. “The ones with the cheapest rates may not be the best for security,” Young adds.
- “Scrub information you don’t need to save.” Don’t keep credit card information; don’t keep customer information. Remove whatever data you can after a transaction is done except the minimum needed to keep a record. “Unfortunately, most businesses tend to be hoarders of personal information, and they tend to keep too much of it. It’s an asset that can be stolen, and you have to pay to secure it.”
- “Web security and encryption are hard.” Try to use established products where possible. Don’t try to invent e-commerce security yourself.
Retailers also have to be ready for e-commerce, Young added. He recalls a CTO who was brought into a company to set up an online storefront — before the pandemic hit — who ended up being fired because the organization couldn’t handle all the challenges. (Ironically, he adds, that firm’s revenues are up today because it finally implemented e-commerce satisfactorily.)