The threat of your customers being attacked directly on the client-side is more real today than ever before. Magecart are knocking on everybody’s door – you, your 3rd parties, and even their 4th parties. This is happening continuously, with Magecart looking for opportunities to steal your valuable data for sale on the dark web.
It’s a complex and ever-changing problem. So what stage are you at in the customer hacking lifecycle?
1. Denial
You haven’t taken the time to assess the threat.
You say things like ‘We’re too busy right now to be worried about theft of clients’ data. Maybe next year?’ Your boss says, ‘We aren’t really large enough to be targeted’. The security manager says ‘We are already great at security, we don’t need any more’.
Your response is not surprising given the lack of knowledge of the threat and the fact that you’ve not been attacked yet. You don’t have a reactive or proactive plan if you are attacked, but you’re not going to be so that’s ok. A white hat security researcher emailed you about a patching issue. You ignored it.
2. Pain
You are trying to implement some form of proactive security measures, but you and your team are alone in your mission.
The development teams are doing what they normally do, there is no budget for tools nor any executive sponsorship. If something does happen you are unsure of how you will respond as a business. You know it’s coming, you know it will be you on the hook if it happens. Most people are preparing for the Black Friday marketing campaign. You quietly add it to the risk log.
3. Anger
You have just been hacked.
You may have detected it yourselves or someone pointed it out to you. You immediately question “Why us?”. You report it to management, who immediately panic and suggest numerous reactionary fixes. Some of these fixes may have longer-lasting impacts – but who cares? You stopped it, right?
The attack is quite big and has impacted some customers so you now have to report it to the ICO. Everyone is bracing themselves for a massive amount of financial pain and reputational damage. You console yourself – it’s just a random attack, and you were unlucky! You took the right measures, they were just clever.
People avoid you at the slightly more somber ‘End of Stoptober’ celebration.
4. Despair
You’ve been breached multiple times.
People are in panic mode. The second attack struck six days later and it has really shaken the organisation. Discussions starting on Twitter have made their way into some online security magazines – it turns out someone reported the breach weeks earlier and you ignored the communications.
Numerous customers have been affected. It’s now just a question of what level of news outlet will pick it up once the ICO has been made aware. You delayed the ICO report longer than you should have done.
A sales consultant from an attack prevention company calls to say they can help. The price is significantly higher than the last time they called. You ignore them.
5. Realisation
You’re aware of the threat and actively trying to deal with it.
Your security team is already familiar with client-side breaches. You have been put in charge of the process of detection and prevention. Your CTO has returned from a board meeting with signed off-budget that you helped to prepare and you have started looking into solutions. It’s a minefield.
There aren’t that many solutions because this is a hard problem to solve. This, in turn, raises the cost. The solution operates at different levels from the development process to production monitoring solutions. You’re asking: “do we need one or all of them? What truly is the risk?”
You are hoping solutions will be simple to implement, and that at least one of them will give you some cover.
6. Working Through
You have one security measure in place.
You have purchased a really simple solution that monitors your outgoing traffic – you have some cover. You even have a base level response plan which has a communication plan with the business and the ICO.
The next step is to ensure that security is at the forefront of everything you do. You ensure your teams are engaged in bringing in the right solutions to suit your business, your appetite for risk and your budget. You feel confident if a breach happened tomorrow, it can be contained. You go out for a celebratory meal – you are almost there.
7. Prepared
You have a multi-layered approach to security in place.
You have multiple solutions to catching threats. These range from code obfuscation to 3rd party synthetic and real user monitoring.
Whilst attacks can still happen, you have a reactionary set of procedures. This includes proactive protection and detection efforts. If the worst happens you can react quickly and effectively, minimising the financial and reputation risk to your organisation. You won’t be a sensational and devastating news story, you are someone whom the industry looks to for inspiration. You are asked to talk at an event, well done!
So where are you in the client-side hacking cycle? We hope you missed out steps 3 and 4 on your journey!
Maybe you are at an early stage and want to know more? Or perhaps you are quite advanced but always looking to bolster your armoury. RapidSpike can help.
