David Dixon

With e-commerce thriving as a cornerstone of retail, securing websites and applications has never been more critical. Cyber criminals target vulnerabilities in commercial platforms and websites to exploit sensitive customer data and disrupt operations.

This month, we explore the cyber threats and implications facing online retail and e-commerce, as well as delving into some best practices and frameworks like OWASP, and secure development methodologies, to help organisations stay secure online.

Threat Landscape

Cyber crime targeting e-commerce platforms remains a top concern, according to the NCSC, 50% of UK businesses experienced a cyber attack in 2023 alone. 18% of breaches that were reported in 2023 to the Information Commissioner’s Office (ICO) were in the retail sector.

Rising Threats

Cyber crime targeting online businesses in the UK is being driven by increasingly sophisticated attacks, with the number of affected businesses only set to increase year on year. Common threats include SQL injection, cross-site scripting (XSS), and API breaches.

Impact

A single breach can result in financial loss, reputational damage, and even regulatory penalties. For example, Magecart’s attacks on British Airways showcased the devastating impact of compromised third-party integrations, resulting in the flag carrier airline having to pay a £20m data protection fine. [source: The Register]

Trust and Loyalty

Ensuring robust security builds customer trust, enhances brand reputation, and protects critical data like payment information and personal details.

APIs (Application Programming Interfaces) are the backbone of modern web applications, enabling integration between systems, other applications, and services. According to Business Wire, a survey in 2022 found that 97% of enterprise business leaders agree that successfully executing an API strategy is essential to secure organisations’ future revenue and growth.

However, their rapid adoption has also made them a prime target for attackers. In 2021, Gartner predicted that APIs would become the top attack vector used to target applications.

Fast forward to 2024 and there have already been some notable breaches…

Peloton API Breach (2021)

Hackers exploited a vulnerability in Peloton’s API that enabled users to make an unauthenticated request for account data to the API without the API first verifying if that user has authorisation to access said data.

The API enables the end users’ bikes to capture and upload data back to Peloton’s servers. Sensitive user data for around 3 million individuals was exposed due to insecure API configurations.

This included personal details such as names, emails, and workout statistics. Peloton’s inadequate authentication and authorisation measures highlighted the critical need for robust API security protocols. [source: Threatpost]

Facebook Data Breach (2021)

An API misconfiguration in Facebook’s (Meta’s) contact importer feature was exploited by malicious actors, exposing the personal data of approximately 533 million users from 106 countries.

Personal data such as phone numbers, full names, and locations were leaked, with the issue originally stemming from scraping public profiles before the vulnerability was patched in 2019. [source: Twingate]

Penetration Testing

Penetration testing is a cornerstone of application security, especially for retail and e-commerce businesses handling vast amounts sensitive customer data and requiring 24/7 availability online.

While large enterprises like Amazon may have the capacity to conduct internal pen testing, most organisations in this space face cost and resource constraints that make outsourcing these services more practical and effective. Partnering with external cyber security experts provides access to specialised skills, tools, and up-to-date threat intelligence that many internal teams simply can’t maintain.

Moreover, hiring third-party testers eliminates the bias that might come with in-house testing and ensures that vulnerabilities are approached with a fresh perspective. The cost of penetration testing is often outweighed by the potential financial and reputational damage of a breach, particularly in high-stakes industries like retail.

Independent testing not only provides peace of mind but also aligns with compliance requirements and industry best practices, ensuring businesses are well-protected against the ever-evolving threat landscape.

Code Reviews

Code reviews are an essential part of any secure development process, ensuring that security vulnerabilities are caught early in the development lifecycle. This practice involves systematically examining source code to identify flaws, errors, or opportunities for improvement, with a strong focus on maintaining high security standards.

For retail and e-commerce businesses, where customer trust is paramount, code reviews play a vital role in protecting sensitive user data and ensuring seamless functionality. Conducting thorough code reviews:

• Identifies Common Vulnerabilities: Helps uncover issues such as injection flaws, insecure data handling, and authentication weaknesses, which align with risks highlighted in the OWASP Top 10.
• Enhances Collaboration: Encourages teamwork among developers, fostering a culture of accountability and shared responsibility for secure coding practices.
• Reduces Costs: Fixing security vulnerabilities during development is significantly less expensive than addressing them after deployment or following a breach.

Given the fast pace of the e-commerce sector, it may be tempting to bypass code reviews to save time. However, the long-term risks far outweigh the short-term gains. Engaging third-party experts or employing tools like static application security testing (SAST) solutions can streamline this process, providing an additional layer of confidence before your code goes live.

Ultimately, code reviews are more than just a quality check – they are a proactive defence against cyber threats, reinforcing the integrity of your applications from the very foundation.

Security is now a core business risk, not just an IT concern.

Cloud adoption, hybrid work and a fast‑moving threat landscape mean leaders need simple, practical answers to three recurring questions:

• Has security really changed that much in the past few years?
• Am I using the best‑in‑class security vendors today?
• Do I have the right skills and time in‑house to manage these solutions?

CyberLab addresses each question and outlines a pragmatic way forward.

Yes. The perimeter has shifted, and so have attacker methods and business expectations.

• Hybrid work and SaaS sprawl
  People, devices and data now operate beyond the office. Access happens from anywhere, often to third‑party applications. Security must follow identity and data, not only networks.
• Identity is the new control point
  Strong authentication, conditional access and least privilege are now essential. Compromised credentials remain one of the most common root causes of incidents.
• Cloud as default
  Security needs to be built for cloud platforms and APIs. Posture management, workload protection and secure configuration now sit alongside traditional controls.
• Detection, response and resilience
  Prevention is vital, but it is not enough on its own. Organisations need visibility, rapid response and tested recovery. Backups, restore testing and incident playbooks are part of core security.
• Supply chain and third parties
  Vendors, partners and integrators can introduce risk. Contracts, minimum controls and periodic assurance need to be part of the operating model.

The model to aim for is identity‑first, least privilege, assume breach, with layered controls that prevent, detect, respond and recover.

“Best” depends on outcomes, integration and operational fit, not just features. Many estates grew into a patchwork of point products. Consolidation around fewer, well‑integrated platforms often improves security and reduces effort.

What good looks like in a modern stack

• Identity and access
  Enterprise identity provider, phishing‑resistant MFA, conditional access, privileged access management, lifecycle governance.
• Endpoint and server security
  EDR or XDR with behaviour‑based detection, central policy, and response tooling. Coverage for Windows, macOS, Linux and mobile.
• Email, web and DNS security
  Advanced phishing protection, attachment sandboxing, impersonation and brand spoofing controls, safe link handling and DNS filtering.
• Cloud and SaaS posture
  Cloud security posture management for IaaS and PaaS, and configuration governance for SaaS. Guardrails and continuous checks.
• Network security
  Secure web gateway, ZTNA for private apps, and segmentation. Where appropriate, an SSE or SASE approach to apply consistent policy from anywhere.
• Data protection and backup
  Classification, DLP, encryption and secure, isolated backups with regular restore tests.
• Vulnerability and patch management
  Accurate asset inventory, regular scanning, prioritised remediation and clear service levels.
• Logging and monitoring
  Centralised log collection, correlation, detection content mapped to common frameworks, and alert triage.

Selection principles that help

• Prioritise integration and coverage over feature checklists.
• Favour open standards and proven interoperability.
• Demand outcome measures, not only demos.
• Consider operational cost. The best tool is one the team can run well.

Common anti‑patterns to avoid

• Buying duplicate tools that overlap.
• Deploying without hardening defaults.
• Ignoring decommissioning, leaving legacy exposure.
• Running security in silos that do not share telemetry or policy.

Many incidents are caused by misconfiguration rather than missing tools. Operating security well is a discipline that combines people, process and technology.

Operate to a plan, not heroics

• Define standards and baselines for identity, endpoint, cloud and data.
• Use automation for onboarding, patching, certificate and key management.
• Maintain runbooks and playbooks for detection and response.
• Track metrics such as mean time to detect and recover, patch compliance and simulation results.

When to consider managed services

• You need 24×7 detection and response but cannot staff it continuously.
• You want co‑managed operations, where a partner handles monitoring and escalation while your team owns design decisions.
• You have gaps in specialist skills such as cloud security engineering, incident response or penetration testing.

Roles and responsibilities that matter

• Risk owner to align controls with business priorities.
• Security engineering to design and harden platforms.
• Operations for monitoring, patching and access governance.
• Incident response with clear authority to act.

Data breaches remain one of the most expensive risks organisations face today. IBM’s latest Cost of a Data Breach Report reveals that the global average cost has reached $4.44 million. Though, for the first time in five years, that figure is trending downward thanks to faster containment driven by AI-powered defences.

Closer to home, the United Kingdom sits near the global average, with the typical breach costing £3.29 million (around $4.14 million).

These numbers are more than statistics. They highlight why robust security strategies, rapid response capabilities, and investment in advanced technologies are essential.

In this edition, we explore the trends shaping cyber security and what they mean for your organisation. One thing is clear: the cost of inaction is far greater than the cost of prevention.

Operational Downtime: For JLR, every day of halted production meant lost vehicle sales, supply chain disruption, and financial strain on thousands of partner businesses.

Supply Chain Ripple Effects: The JLR attack affected over 5,000 organisations, with some suppliers facing collapse due to delayed or cancelled orders.

Reputational Damage: Retailers like M&S faced public scrutiny, parliamentary investigations, and the need to sever long-standing IT partnerships in the wake of the breach.

Regulatory and Legal Costs: UK GDPR and Data Protection Act violations can result in fines up to £17.6 million or 4% of global turnover, not to mention the cost of remediation and customer notification.

Cyber Security is Economic Security

As highlighted by the National Cyber Security Centre (NCSC), the scale of these incidents means that cyber resilience is now a matter of national economic security, not just IT hygiene. With 4 major incidents being reported per day in the UK, and a 50% increase from last year in ‘nationally significant’ attacks, UK businesses that fail to prepare for such events risk putting serious strain on the nation’s economy and increase our collective exposure to such events. (source: NCSC)

Attackers Exploit the Basics

Many breaches still begin with social engineering, weak access controls, or poor digital hygiene. This serves as a reminder that foundational security practices remain critical.

Preparation and Response Matter

The ability to rapidly detect, contain, and recover from incidents can dramatically reduce costs. Incident response retainers and robust playbooks are essential investments.

No organisation is immune to cyber incidents or data breaches. Experiencing one is a matter of when, not if. While absolute, around-the-clock security appears unattainable in a constantly evolving threat landscape, adopting proven best practices can make a significant difference. By implementing these steps below businesses and organisations can greatly reduce the impact and financial burden of inevitable cyber events:

Invest in Resilience

Regularly review and test incident response plans. Ensure board-level oversight of cyber risk.

Implement Multi-Factor Authentication (MFA)

Require MFA or two-factor authentication (2FA) for all users, especially for accessing sensitive systems, to provide a crucial layer of security beyond the password.

Supply Chain Security

Assess and support the cyber resilience of key suppliers. Proactively manage your third-party risk, monitor vendor posture, and strengthen your supply chain security with HackRisk’s Supply Chain Security tools.

Cyber Insurance

While insurance can offset some costs, most policies only cover a portion of total losses. Understand your coverage and its limitations.

Continuous Dark Web Monitoring

Employ tools or services such as HackRisk AI to monitor for compromised credentials on the dark web, allowing for swift response if employee or organisational data is found in breach dumps.

Comprehensive Staff Training

Deliver regular cyber security awareness training for all employees, with a focus on recognising phishing attempts, the importance of password hygiene, and how to respond to suspicious activity.

Ongoing Policy Review and Enforcement

Routinely review and update password and authentication policies to adapt to emerging threats and ensure enforcement with automated checks wherever possible.

The financial consequences of a cyber incident can be devastating and, in some cases, fatal for organisations, as demonstrated by the experiences of companies such as JLR, M&S, and Co-op. These cases underscore how quickly costs can escalate, cascading far beyond initial estimates and affecting multiple facets of a business.

Given the severity of potential losses, it is essential for organisations to recognise cyber security as an integral business risk in order to preserve not just brand and reputation but ultimately business survival.

Treating cyber security with the same level of attention as other core business risks ensures that appropriate resources are allocated to mitigation and preparedness, potentially reducing the harm caused by cyber incidents and also the penalties or fines that may be imposed.