E-commerce has become part of our daily lives. The size of this market is such that it has been considered a critical infrastructure of the European Digital Single Market.
Holistic approach to e-commerce security
Economically vibrant ecosystems always attract criminals and unscrupulous traders, and e-commerce is no different. “The cornerstone is how to ensure trust,” says ENSURESEC project manager Luís Sousa from INOV in Portugal. “This meant achieving trust between all the various e-commerce actors, including software vendors, e-commerce operators, payment service providers, delivery companies and customers.” Sousa and his colleagues felt that what was missing was a holistic approach to the protection of the entire sector. This was the starting point of the ENSURESEC project.
Mapping critical cyber and physical assets
The project team began by mapping the most critical assets of e-commerce – the servers, delivery trucks, e-commerce websites, etc. They then assessed how these assets interconnect, to identify key vulnerabilities and threats. “We have built a substantial body of knowledge from this work,” adds Sousa. “This enabled us to identify key vulnerabilities, such as third-party software often used by SMEs.” This is a vulnerability that criminals often seek to exploit. Another key area of risk concerns human vulnerability. For example, criminals may impersonate known brands and encourage consumers to click on a bad link, or unscrupulous vendors might mislead them with fake reviews.
Training consumers in online awareness
To address these concerns, the project sought to deliver both technical and consumer-focused solutions. “We launched a training and awareness campaign to tackle the so-called ‘human factor’,” notes Sousa. “We wanted to help consumers to identify and avoid not just phishing and other common social engineering threats, but also unethical practices. If we can better educate citizens to identify and react to threats, then the whole e-commerce ecosystem becomes more resilient.” A dedicated consumer-focused website with awareness-raising videos and advice has since been launched. This resource is free and currently available in six languages.
Comprehensive e-commerce security toolkit
On the technical side, the project team developed an integrated platform of tools to prevent, monitor, assess and mitigate the key vulnerabilities and threats identified within e-commerce critical infrastructures. These include tools that examine systems for flaws during the design phase, as well as tools that map all cyber, physical and human assets and give users feedback on potential risks. There are also solutions that help assess the maturity of e-commerce organisations’ security practices. Some 19 tools were also designed to monitor interactions between servers, computers and physical assets, and to respond to incidents, for example by providing users with a list of suggested mitigation actions. The platform is modular, so users can select the tools and configurations that best suit their needs. The ENSURESEC solution was demonstrated in three different use cases targeting, respectively, cyberattacks on a large retailer’s e-commerce platform, physical attacks on an online pharmacy supply chain, and cyber-physical attacks on a bank providing online payment services. The project team also developed policy recommendations to help legislators ensure that trust is at the heart of regulations concerning e-commerce. Moving forward, Sousa and his colleagues intend to fine-tune several of these tools, with a view to bringing the platform closer to commercialisation. The idea is to ensure that this resource is fully accessible to SMEs.