It is natural to assume that threats to an eCommerce store come from outside of the business. Retailers are familiar with malware, brute force, ransomware, remote code execution, and DDoS attacks by criminals. But a significant proportion of security incidents and data thefts are carried out by insiders, people who are trusted with privileged access to data and infrastructure.
Insider threats are particularly dangerous because they tend to be long-lasting, hard to find, and socially awkward — no one wants to accuse a trusted employee of selling customers’ credit card details to criminals.
Online retailers should be aware of the risks and take steps to protect their business and their customers from insider threats. A serious data leak caused by an insider may be more harmful than an attack from the outside because the perception is that you really should have known.
The most serious insider threats originate with individuals who have privileged access to data: employees, contractors, vendors, and ex-employees. But how can a retailer protect their business from insider threats?
The Principle Of Least Privilege
All insiders should be given the least access compatible with their role. An employee may need to be able to alter product details, but do they need access to customer data? They may need access to customer data, but not to the store’s server. By limiting access, you also limit the amount of mischief a person can do.
When considering if an employee needs access to data or infrastructure, ask yourself why. Can you justify giving them access? Is there a way for them to do their job without high-level access?
Sometimes, it is more convenient to give employees wide-ranging privileges, but you should think long and hard about the problems that might cause for your business.
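The "ask yourself why" test above is easiest to apply when permissions are granted per role and denied by default. The following is an added example, not code from the original article: a small role-to-permission map for a store back office, with a helper that answers "who can reach this?" for access reviews and one that lists what a person holds beyond what their job needs. Role names, resources, actions and the users are constructed for illustration.

```python
# Added example (not from the original article): deny-by-default role-based
# access for a store back office. All roles, users, resources and actions
# below are constructed sample data.
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Each role gets only what its job needs; anything not listed is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "catalog_editor": frozenset({("products", "read"), ("products", "write")}),
    "support_agent": frozenset({("orders", "read"), ("customers", "read")}),
    "finance": frozenset({("orders", "read"), ("orders", "refund")}),
    "sysadmin": frozenset({("server", "ssh"), ("server", "deploy")}),
}

# Who holds which roles (constructed sample data).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"catalog_editor"},
    "bob": {"support_agent"},
    "carol": {"finance", "support_agent"},
    "dave": {"sysadmin"},
}


def can(user: str, resource: str, action: str) -> bool:
    """Deny by default: allowed only if one of the user's roles grants it."""
    for role in USER_ROLES.get(user, set()):
        if (resource, action) in ROLE_PERMISSIONS.get(role, frozenset()):
            return True
    return False


def who_can(resource: str, action: str) -> Set[str]:
    """Every user able to perform the action; handy for periodic access reviews."""
    return {user for user in USER_ROLES if can(user, resource, action)}


def effective_permissions(user: str) -> Set[Permission]:
    """Union of everything the user's roles grant."""
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def excess_permissions(user: str, needed: Set[Permission]) -> Set[Permission]:
    """Permissions held beyond what the job requires: the 'can you justify it?' check."""
    return effective_permissions(user) - needed


if __name__ == "__main__":
    print(can("alice", "products", "write"))   # True
    print(can("alice", "customers", "read"))   # False: catalog work needs no customer data
    print(sorted(who_can("server", "ssh")))    # ['dave']
    # carol only needs to issue refunds; everything else she holds is excess
    print(sorted(excess_permissions("carol", {("orders", "refund")})))
```

Running `who_can` for each sensitive resource (customer data, the server) gives a short list to justify one name at a time, and `excess_permissions` turns the "is there a way to do the job without high-level access?" question into something you can check rather than guess.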
Remove Access When It Is No Longer Needed
This seems like common sense, but once someone is granted access, they often keep it forever.
On one occasion, I asked a store owner about a large number of SSH accounts that had root access to his store’s dedicated server. He told me that every time a developer needed access, he created a new account. He never got around to removing them once the job was done. That’s many years of contractors who could have taken his business down at any time.
If an employee, ex-employee, or contractor no longer needs their administrator, user, or SSH accounts, delete them immediately.
Every Individual Should Have Their Own Account
It is not uncommon for an eCommerce retailer to have one admin account that is used by many different people. It is convenient because new accounts don’t have to be created for new employees, and if anyone forgets their password, everyone else in the company can remind them. But it’s terrible for security.
If one account is shared between employees, it is impossible to manage access on a per-individual basis. The account credentials are likely to be written down many times. Changing the password becomes such a hassle that it is never done. Everyone who has ever worked at the company probably still has access via the same account. And it is impossible to use logging and monitoring to discover who is responsible for a security blunder or malicious act.
Make sure that everyone who needs access is given their own account.
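Both the stale root accounts in the story above and the shared admin login can be caught by the same routine review: list every account on the server that can log in with elevated rights, then check each one against the list of people who currently use it. The following is an added example, not code from the original article or any particular tool: it parses `/etc/passwd` and `/etc/group` content and a roster, all constructed here, and flags privileged accounts that nobody currently uses, accounts shared by several people, and uid-0 accounts other than root.

```python
# Added example (not from the original article): review a server's login
# accounts against the people who currently need them. The passwd/group
# contents, account names and roster below are constructed sample data.
from typing import Dict, List, Set

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
deploy:x:1000:1000:Deploy user:/home/deploy:/bin/bash
dev2017:x:1001:1001:Contractor 2017:/home/dev2017:/bin/bash
admin2:x:0:0:second uid-0 account:/root:/bin/bash
shop:x:1002:1002:Shared shop login:/home/shop:/bin/bash
"""

GROUP = """\
root:x:0:
sudo:x:27:deploy,dev2017,shop
"""

# login -> people who currently use it (constructed). Empty list = nobody
# needs it any more; more than one name = a shared account.
ROSTER: Dict[str, List[str]] = {
    "root": ["owner"],
    "deploy": ["owner"],
    "dev2017": [],
    "shop": ["alice", "bob", "carol"],
}

PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}


def parse_passwd(text: str) -> Dict[str, dict]:
    """Map login -> {uid, shell} from passwd-format lines."""
    accounts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        accounts[name] = {"uid": int(uid), "shell": shell}
    return accounts


def parse_group(text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of supplementary members from group-format lines."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def can_login(shell: str) -> bool:
    """Accounts with a nologin/false shell cannot open an interactive session."""
    return not shell.endswith(("nologin", "/false"))


def privileged_accounts(accounts: Dict[str, dict], groups: Dict[str, Set[str]]) -> Set[str]:
    """Login-capable accounts that are uid 0 or belong to an admin group."""
    privileged: Set[str] = set()
    for name, info in accounts.items():
        if not can_login(info["shell"]):
            continue
        in_admin_group = any(name in groups.get(g, set()) for g in PRIVILEGED_GROUPS)
        if info["uid"] == 0 or in_admin_group:
            privileged.add(name)
    return privileged


def review(passwd_text: str, group_text: str, roster: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Compare privileged accounts with the roster and return the findings."""
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings: Dict[str, List[str]] = {"no_current_user": [], "shared": [], "extra_uid0": []}
    for name in sorted(privileged_accounts(accounts, groups)):
        people = roster.get(name, [])
        if not people:                       # unknown or no longer needed: delete it
            findings["no_current_user"].append(name)
        elif len(people) > 1:                # several people, one login: no attribution
            findings["shared"].append(name)
        if accounts[name]["uid"] == 0 and name != "root":
            findings["extra_uid0"].append(name)
    return findings


if __name__ == "__main__":
    for category, names in review(PASSWD, GROUP, ROSTER).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

On the constructed data the review reports `dev2017` and `admin2` as privileged accounts with no current user, `shop` as shared, and `admin2` as a second uid-0 login. On a real server the same check would read `/etc/passwd` and `/etc/group` directly and the roster would come from HR or the contractor list; running it whenever someone leaves, and on a schedule in between, is what turns "delete them immediately" from an intention into a habit.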
It is impossible to completely remove the risk of insider threats. A business can’t function without trust, and trust can be abused. But it is possible to limit the risk and increase the likelihood of identifying the culprit.