With the knowledge that the UK experiences 9% of the world’s online payment fraud, and in light of recent events around data security and the numerous breaches of ecommerce sites that have been in the news, we undertook a short survey to establish how businesses try to prevent or respond to these threats. The results are set out below. The survey was completed by a broad section of companies trading across both retail and B2B, from small businesses to large enterprises, so the results truly represent a broad spectrum of businesses across the UK.
Many thanks to all of those who took the time to complete the survey; we're really grateful for your time. If you have any questions regarding the survey, please get in touch at firstname.lastname@example.org or on 01865 880800.
Ecommerce Security Survey 2018
1. On a scale of 0-10, how concerned are you about the security of your ecommerce site (0 being not concerned at all, 10 being extremely concerned)?
The obvious assumption was that almost everybody would be extremely concerned about the security of their ecommerce site, particularly given the damage, both financial and reputational, that a potential breach could do. However, rather surprisingly, the results of the survey didn't necessarily bear this out, with security concerns only averaging 6.2 out of 10 in terms of seriousness. This seems rather low, and it would be dangerous to ever get complacent about security.
2. Has your ecommerce site ever been breached?
This is a very sensitive subject and understandably something not all respondents were willing to reveal, despite the anonymity of this survey, with 14.3% of them not willing to disclose that information. Of those that did disclose it, 14.3% admitted a breach whilst 71.4% said their site had never been breached. However, it seems that 100% of respondents were aware one way or the other, as none of them were unsure whether their site had been breached or not.
3. Is your site running on open source software (e.g. WooCommerce)?
Approximately two thirds of respondents were running on closed source software, with about one third running on open source, which is perhaps an accurate reflection of the way the market is moving. According to shopping-cart-migration.com, there are 25% more migrations from open to closed source software than vice versa.
4. If so, do you believe your site is at greater risk of an attack than if you were using closed source software?
This question applied only to the approximately one third of respondents running on open source software, with the other two thirds running on closed source software. The bulk of those it applied to felt that running on open source ecommerce software was definitely more of a risk than closed source software. Learn more about the security risks of open source ecommerce.
5. If not, how important was security in choosing to use closed source software?
Of those running on closed source software, whilst security was important, it was by no means definitively the reason for choosing closed source software over open source. It's likely that other factors such as flexibility, functionality, ROI, etc. will have played an equally important part in the decision.
6. Do you, or any of your security suppliers, conform to any of the following security standards (check all those that apply)?
As expected, nearly all sites conformed to PCI-DSS standards whilst 50% conformed to ISO27001. However, conforming to other security standards was not very common at all. This may be for a number of reasons, including merchants not being aware of them, not requiring them, their ability to comply with them, cost, etc.
7. Does your organisation have a formal cyber security policy in place?
It's encouraging to see that 76.9% of respondents have a formal cyber security policy in place whilst only 7.7% were unsure. This suggests that most organisations, regardless of size, are taking their online security seriously.
8. Do you have specialist information security or governance staff within your organisation?
Given the broad spectrum of respondents, it's no surprise to see that many of them do not have specialist information security or governance staff, as the size of their company might make such a position unjustifiable.
9. Do you know who is responsible for a payment card breach on your website?
Nearly all respondents knew who was responsible for a payment card breach on their website, which is another positive sign that businesses are taking security seriously. Only 7.2% of respondents refused to disclose that information, whilst no respondents were unaware of who was responsible for a breach.
Security wasn't quite as pressing a concern as perhaps expected before conducting the survey, particularly in light of the number of breaches that have been reported. To be honest, it was expected that it would be the main concern of most organisations trading online rather than more of a moderate concern. Whilst many seem to be treating it with the seriousness that it deserves, there is still a large percentage whose approach is perhaps more laissez-faire. Whilst part of that may be reflected in the size of their business and how much money and resource they can realistically dedicate to it, there may also be an element of hoping for the best and remaining ignorant about the consequences of a breach, only dealing with it if and when it happens.
At Red Technology, we understand the importance of ecommerce security and provide premium PCI-compliant ecommerce specialist hosting services. Our solution combines all of the services necessary (e.g. log management, event management, change control processes) not only to ensure compliance, but also to provide genuine business advantage through increased efficiency and the economies of scale delivered by our highly secure, high-availability cloud infrastructure.