If 2020 taught us anything, it’s that change can really happen overnight. Within days of the first coronavirus shutdowns, stay-at-home orders, and physical businesses closing their doors, Americans were forced to change how they purchased goods like toilet paper and groceries.

Those new habits stuck around. According to data from the U.S. Census Bureau, e-commerce sales in 2020 totaled a massive $791.7 billion, an increase of 32.4% from 2019. As COVID-19 vaccinations roll out across the country, many remain hesitant to return to the pre-pandemic normal. An estimated 40% of consumers say they plan to shop in-store either the same amount or less after being vaccinated, according to a study from First Insight.

With more people buying goods online, hackers are taking advantage of the sea of personal information shared in these transactions. Early on in the pandemic, the FBI reported receiving between 3,000 to 4,000 cybersecurity complaints per day, a 400% increase over pre-pandemic numbers. The 1,572 e-commerce merchants surveyed by Webscale for our 2021 Global E-commerce Security Report reported that cybersecurity threats were their number-one business challenge during peak sales events — including bad bots, SQL injections, cross-site scripting (XSS) attacks, distributed denial of service (DDoS) attacks, and Magecart attacks. For a vast majority of businesses, the financial impact of these security incidents is significant, ranging from $100,000 to $250,000 on average.

Last year taught us that cybersecurity should be top of mind for all e-commerce businesses. They are committing to a 15% to 20% increase in security spending over the next three years. In order to be prepared for the road ahead, it’s important to understand the trends that emerged in this watershed e-commerce year, and which technologies can help businesses tackle these threats now and in the years ahead.

Four types of cyberattacks stood out last year due to their frequency and dramatic economic impact: Magecart attacks, carding attacks, credit card fraud, and ransomware.

Magecart Attacks

Magecart-type attacks were the biggest threat to e-commerce in 2020 and beyond. It’s the umbrella term for 13 different cybercriminal groups who practice digital skimming or form jacking to hack their way into customers’ personally identifiable information, especially credit card details, and sell them on the dark web. One of the biggest Magecart-type attacks was on British Airways in September 2018, affecting up to 380,000 customers and costing the airline $230 million in fines. Retail websites use third-party vendors and open-source libraries of code to deliver a rich customer experience. Unfortunately, these scripts introduce risks to the brand and business.

There are a handful of ways that businesses can detect or prevent such attacks. Real-time content-security policies (CSP) protection enhances trust between the browser and application server, validating trusted domains and preventing blocked domains from executing scripts. Multi-factor authentication (MFA) is also helpful by locking down the admin to only authorized users. This is a critical first step in security. and prevents bad actors from getting access to the back end.

Carding Attacks

These are the silent killer. Once credit card information is stolen, cybercriminals have to validate the cards to either sell them on the dark web or use them for committing credit card fraud. E-commerce websites are used to validate cards by attempting low-value transactions. Numerous application programming interface (API) calls are made in the process. If the website has tight security in place, this type of nefarious traffic can be identified quickly, and rate limiting can be activated on the checkout process to defend against the attack.

Credit Card Fraud

Many e-commerce merchants haven’t subscribed to a credit card fraud-detection system. Without it, an e-commerce website becomes a prime target. An intelligent fraud-detection and mitigation solution can detect anomalies in contact and shipping addresses, country of origin and IP, to flag suspicious transactions.

Ransomware

In 2020, ransomware became one of the most common cyberattacks among organizations. Ransomware is a kind of malicious software that infects a computer system and demands a sum of money be paid in order to mitigate the issue. The most recent high-profile attack against PC manufacturer Acer in March, 2021 is the highest ransom demand ever — $50 million paid in the Monero cryptocurrency. Despite the high risk, there are actions that businesses can take to minimize damage from ransomware attacks, including:

• Maintain offline backups. The availability of backup files can help a business recover quickly from a ransomware attack.
• Implement a data theft-prevention strategy. This is critical, as businesses today upload large amounts of data to cloud storage platforms that bad actors can misuse.
• Monitor user account behavior. Monitor and analyze user behavior to identify potential security risks. If you suspect abuse, act quickly.
• Deploy multi-factor authentication on all remote access points into an enterprise network. Focus on securing or disabling remote desktop protocol (RDP) access, a vulnerable entry point into a network for attackers.
• Conduct penetration testing to identify weak points in enterprise networks and vulnerabilities such as CVE-2019-19781 that should be prioritized for patching.

The year 2020 was a challenging one for the world. It was also a year of tremendous growth and opportunity for the e-commerce segment — and sadly, one of the best for cybercrime. Today’s cybercriminal networks are well-funded, organized, and highly capable. While these groups are scaling their operations, the cybersecurity industry has gotten better at predicting attacks and developing solutions that can monitor, identify, and defend against a myriad of cyber threats. E-commerce businesses of all sizes should follow this four-step plan to get ahead of the cybercrime threats that arose in 2020 , and will continue into 2021 and beyond:

• Evaluate the security vulnerabilities of your business, and the possible economic impact of a data breach, such as compliance fines or expensive customer litigations.
• Create a cyber threat strategy that covers your complete ecosystem, including customers, partners, vendors, and employees.
• Invest in automated, comprehensive cybersecurity services that offer full visibility into infrastructure, traffic, and assets, along with an expert team (internal or external) that understands the cloud and e-commerce.
• Enforce a zero-trust strategy. Educate employees about cybersecurity best practices, the company’s data policy, and the cost of non-compliance.

With a clear plan in place, and lessons from the past year in mind, e-commerce businesses will be prepared for another successful year in 2021.

Sonal Puri is chief executive officer of Webscale.