As a father of teenaged children, I sometimes marvel at the level of network-connectedness of that younger generation. It is fair to say that for these and future generations, it will be next-to-impossible to be a productive member of society without surrendering to the myriad social media applications and other online platforms.
Our transformation to a fully-connected society is similar in many ways to the transformation business has gone through over the past 15-20 years, ultimately leading to a state where no business can exist today without having at least started down the path of becoming an online business.
The notion of the ‘online business’ was born in the mid-to-late 1990s, largely as brick-and-mortar stores took to the new platform of the World Wide Web. In 1999, the online sales of products sold through physical stores totaled approximately $20 billion, or nearly two-thirds of all sales on the Web. Today, ecommerce sales in the U.S. alone are over $335 billion, and are projected to increase to $523 billion by 2020.
But the idea of the online business is by no means limited to ecommerce today. The emergence of Software-as-a-Service, online transactional platforms and social media have extended the idea of a business run, or services delivered, largely online to a wider array of industries.
Stages of Connectedness
Businesses can be loosely categorized into different stages or phases of online transformation. The earliest stages would include adoption of online tools and resources to increase employee productivity and mobility. Few if any businesses haven’t made this leap.
The second phase of the transformation into an online business would be characterized by the use of online services or platforms to support partner or customer engagement or interaction. The extension of internal business processes to the outside world via the Internet in many ways represents the tipping point for broader exposure and risk.
The third phase would include deployment and management of online transactional platforms that become critical for revenue generation. Clearly any business engaged in ecommerce would fall into this category, as would financial services organizations conducting online transactions.
The final phase would be organizations needing to support globally deployed websites or applications reliably and securely to deliver services. This is a particularly important step as it comes with the need to make IT assets broadly available to the public, yet maintain security and protection of sensitive data.
Each of these phases comes with increased benefits but also increased cyber-security threats. Organizations from online retailers (ecommerce), financial services, online gaming, social media or entertainment, and even the travel industry have transformed the way they do business and in so doing have become increasingly network-dependent. We look at protecting online businesses differently from others due to the unique nature and the heightened level of impact felt from cyber-security threats.
Targeted threats against online business
For online businesses, cyber-security threats pose particular risk, as attackers seek to take advantage of the knowledge that these businesses cannot afford downtime or loss of customer trust. In providing protection for a wide array of online businesses, Radware has a broad perspective on these threats. There are some common characteristics of the threats and the way online businesses respond to the risk they pose:
- Sensitivity to website/service availability: for any business, downtime of websites or online services is bad. But for online businesses, the translation into revenue loss is direct and immediate. As a result, online businesses need to stay vigilant against the category of attacks that threaten service/site availability, such as DDoS attacks.
- Risk posed by customer data loss: Online transaction fraud costs industry an estimated $3.5 billion annually. Much of this activity is attributed to the theft of consumer credit card information breached by application attacks that exploit online business applications. The impacts of transaction fraud also extend beyond the immediate transactions. Consumers consistently say that if their sensitive data is breached, they will likely no longer conduct business with that merchant.
- Sensitivity to latency: while downtime costs are obvious, it can be easy to overlook the impact of performance degradation. Any sources of latency, whether you’re talking about attacks or implementation of security controls, can have a significant impact. According to recent studies, 40% of customers now will wait 3 seconds or less before moving on to a competitor site, meaning the impact of performance loss is extremely tangible for online businesses.
- Threat of encrypted attacks: Attacks leveraging encrypted traffic as an attack vector are on the rise, further challenging many of the cyber threat solutions currently in place. Most cyber-attack mitigation technologies do not actually inspect SSL traffic, as it requires decrypting the encrypted traffic. Online businesses need to ensure solutions can address the needs of high capacity mitigation, support all common versions of SSL and TLS, and can isolate suspicious encrypted traffic using behavioral analysis to limit legitimate user impact.
There are many ways organizations can look to protect themselves. Large companies may have extensive security teams dedicated to implementing and managing the optimal security controls for their network. In this type of environment, you are likely looking for the most comprehensive security technologies to support you.
Not all organizations can afford to hire large security teams, however, and their need for cyber security protection is still just as real and relevant. For this kind of environment, you should seek out a security vendor that has extensive experience providing Online Business Protection to a wide array of customers in the core industries that make up the loosely defined segment. You want this partner to be able to handle all kinds of attacks, from application DDoS, to volumetric floods, to SSL-based and other encrypted attacks, and more. You may also want a partner with the expertise to provide security as a managed service, minimizing impact on existing security resources.
Look for a solution provider that can build tailored architectures that map to the growing and evolving needs for protection. Three common architectures are defined in our new ebook, Opportunities, Threats and Security Strategies for Online Business. While ultimately the solution architectures can be customized based on needs, these architectures have served a mix of customers well over the years. I encourage you to consider where you sit on the online business spectrum, and how enhanced security can help provide protection for critical network-based services.