Похожие презентации:
MARWAN PPT E COM
1.
E-Business Security and PrivacyCyber Threats, Data Protection, and Regulations (e.g., GDPR)
2.
Presentation Outline1. Beginning of E-Business Security
13. Cloud Security
2. Important Ideas and Words
14. Introduction to Privacy in E-Business
3. A look at cyber threats
4. Malware and Ransomware
15. Data Protection Principles
16. GDPR – Overview & Key Provisions
17. GDPR – Rights of Data Subjects
5. Phishing and social engineering
18. Other Regulations (CCPA, HIPAA, PDPA)
6. Denial of Service (DDoS) across many computers
19. Compliance Challenges for Organisations
7. Threats from within
20. Security Frameworks & Standards
8. Data Breaches
21. Emerging Threats: AI & IoT
9. Problems with e-commerce security
10. Cryptography and Encryption
11. Steps to protect the network
12. Access Control and Authentication
22. Best Practices for Businesses
23. Conclusions / Summary
24. Discussion Questions & Q&A
25. References
3.
INTRODUCTIONWhat Is E-Business Security?
E-business security is the set of rules, steps, and technical
measures that protect electronic business processes, transactions,
data, and systems from being accessed, misused, or interrupted by
people who shouldn't have access (Turban et al., 2018).
Why It Matters
Cybercriminals are most likely to target digital platforms because
global e-commerce sales topped USD 5.8 trillion in 2023 (Statista,
2024). IBM (2023) says that the average cost of a single data
breach is $4.45 million, which is the highest number ever
recorded. Security and privacy are no longer optional; they are
essential for business continuity and customer trust (Anderson,
2020).
4.
Key Definitions and ConceptsCybersecurity
The practice of protecting systems, networks, and programmes from digital
attacks (NIST, 2018).
Information Security
The protection of information from unauthorised access, use, disclosure,
disruption, modification, or destruction (ISO/IEC 27001, 2022).
Privacy
The right of individuals to control how their personal data is collected,
processed, and used (GDPR, 2018, Art. 4).
Cyber Threat
Any circumstance or event with the potential to adversely impact operations or
assets via unauthorised access or data destruction (Stallings, 2017).
Data Protection
A set of legal and technical safeguards ensuring personal data is handled
lawfully, fairly, and transparently (Voigt & von dem Bussche, 2017).
5.
Overview of Cyber Threats in E-BusinessThe Threat Landscape
Cyber threats that affect e-business operations have gotten much bigger, more complicated, and more damaging. The
World Economic Forum (2023) put cybercrime in eighth place on its list of the most serious global risks over the next
ten years. Threats can come from many places, such as technical, human, and organisational, and they can come from
outside sources, nation-states, or insiders (Stallings & Brown, 2018)
The main types of cyber threats are:
Malware and ransomware are types of malicious software that can damage or take over systems.
Phishing and social engineering are tricks that people use to steal credentials or data.
DDoS attacks are when servers are flooded with traffic to stop services and cause financial damage.
Insider threats happen when employees or partners misuse their access rights.
Data breaches happen when someone gets into a system without permission and sees private information (IBM,
2023).
6.
7.
Malware and RansomwareWhat it means:
Malware is any program that is made to mess up, damage, or get into a computer system without
permission. Ransomware is a type of malware that encrypts the victim's data and then asks for money to
decrypt it (Stallings, 2017).
How big is the problem?
In 2021, there were 93% more ransomware attacks than in the previous year (Checkpoint, 2022). The
WannaCry attack in 2017 hit more than 200,000 systems in 150 countries and caused damage worth
between $4 billion and $8 billion (Greenberg, 2018).
Effects on E-Business:
Online stores, banks, and health care providers are the best targets. Ransomware can stop order processing,
leak customer payment information, and permanently hurt a brand's reputation (Anderson, 2020).
What to do about it:
Regularly patching the system, making backups offline, using endpoint detection tools, and training
employees to be aware of security issues (NIST, 2018).
8.
Phishing and Social EngineeringWhat is phishing?
Phishing is a type of social engineering in which attackers pretend to be real people or businesses through
email, SMS, or fake websites to get victims to give up their passwords, financial information, or install
malware (Hadnagy, 2018). Spear phishing uses personal information to go after specific people, while
whaling
goes
after
high-level
executives.
Numbers: In 2022, phishing was responsible for 36% of all data breaches (Verizon DBIR, 2022). In 2022,
the Anti-Phishing Working Group (APWG) said there were a record 4.7 million phishing attacks, which is
150% more than in 2019.
9.
Phishing and Social EngineeringSocial Engineering Tactics:
Pretexting fabricating a scenario to gain trust.
Baiting leaving infected USB drives in public spaces.
Vishing voice phishing via phone calls (Hadnagy, 2018).
10.
Distributed Denial of Service (DDoS) AttacksDefinition:
A DDoS attack sends a lot of internet traffic to a target server or network, making it unavailable to real
users. Attackers often use a botnet, which is a network of hacked computers, to make the attack stronger
(Stallings & Brown, 2018).
Effect on business:
A DDoS attack on a business costs an average of $40,000 per hour of downtime (Kaspersky, 2022). The
Mirai botnet DDoS attack in 2016 took down major internet services like Twitter, Netflix, and PayPal for
several hours. This shows how this kind of attack can affect e-commerce (Krebs, 2016).
11.
Distributed Denial of Service (DDoS) AttacksTypes of DDoS:
Volume-based attacks (UDP floods), Protocol attacks (SYN floods), and Application layer attacks (HTTP
floods) (Cloudflare, 2023).
Mitigation:
Content delivery networks (CDNs), rate limiting, traffic scrubbing services, and web application firewalls
(WAFs) help absorb and deflect attack traffic (NIST, 2018).
12.
Insider ThreatsDefinition:
Insider threats arise from employees, contractors, or business partners who misuse their authorised access to
organisational systems to steal data, commit sabotage, or assist external attackers. Insider threats are
classified as malicious (intentional) or negligent (accidental) (CERT, 2019).
Prevalence and Cost:
According to the Ponemon Institute (2022), the average annual cost of insider threats rose to USD 15.4
million in 2022, a 34% increase over 2020. Negligent insiders accounted for 56% of incidents, while
malicious insiders accounted for 26%.
13.
Insider ThreatsWhy E-Business Is Especially Vulnerable:
E-business platforms require broad employee access to customer databases, payment systems, and
transaction logs. This creates wide attack surfaces for misuse. High staff turnover in retail and logistics
further increases risk (Anderson, 2020).
Mitigation: Least-privilege access, user behaviour analytics (UBA), regular access reviews, and zero-trust
architecture (NIST, 2020).
14.
E-Commerce Security ChallengesPayment Fraud
Card-not-present (CNP) fraud is the dominant e-commerce fraud type; losses
exceeded USD 32 billion globally in 2021 (Nilson Report, 2022).
Account Takeover
Attackers use credential stuffing (automated login using leaked passwords)
to take over customer accounts and make fraudulent purchases.
Man-in-the-Middle
Attackers intercept communications between buyers and sellers to steal
payment data or redirect transactions (Stallings, 2017).
Fake Websites
Cybercriminals create convincing clones of legitimate e-commerce sites to
harvest payment information from unsuspecting customers.
Supply Chain Attacks
Attackers compromise third-party software or vendors to gain access to the
primary organisation's systems (ENISA, 2021).
15.
Cryptography and EncryptionThe Basics of E-Business Security
Cryptography is the science of making information safe by changing it into a format that can't be read using
math algorithms. It is the most important part of e-commerce security because it lets you make private
transactions, verify your identity, and keep your data safe (Stallings, 2017).
Symmetric Encryption: Uses the same key to encrypt and decrypt. AES-256 is the standard for protecting
data that is not in use (NIST, 2018).
16.
Cryptography and EncryptionAsymmetric encryption uses two keys: a public key and a private key. Many people use RSA and ECC to
securely share keys and sign documents digitally (Stallings, 2017).
Transport Layer Security (TLS) encrypts data that is being sent between web servers and browsers. All ecommerce sites must use TLS 1.2 or higher; older protocols (SSL 3.0, TLS 1.0) are no longer safe because
of known security holes (IETF RFC 8446, 2018).
End-to-End Encryption (E2EE): Guarantees that only the people who are communicating can read
messages. This is becoming more common in payment systems and messaging apps (Anderson, 2020).
17.
Network Security MeasuresFirewalls: Keep an eye on and control network traffic coming in and going out based on security rules that
have already been set. Next-generation firewalls (NGFWs) have deep packet inspection, intrusion
prevention, and application-layer filtering (Stallings & Brown, 2018).
Intrusion Detection and Prevention Systems (IDS/IPS): IDS looks for strange patterns in traffic, while
IPS stops threats that have been found. For full coverage, both signature-based and anomaly-based
detection methods are used together (NIST, 2018).
Virtual Private Networks (VPNs): They encrypt network traffic and hide IP addresses, which lets
employees safely access the network from anywhere. Important for e-business teams that work from
different places (Stallings, 2017).
18.
Network Security MeasuresNetwork Segmentation: By splitting the network into separate parts, attackers can't move sideways after
they break in. PCI-DSS (PCI SSC, 2022) says that payment card data systems must be kept separate.
The idea behind Zero Trust Architecture is "never trust, always verify." This means that all users and
devices must be authenticated and authorised all the time, no matter where they are on the network (NIST
SP 800-207, 2020).
19.
Authentication and Access ControlWhy It's Important to Authenticate
Authentication checks the identity of a user or system before letting them in. Weak authentication is the
primary factor behind a considerable number of data breaches; compromised credentials accounted for 49%
of all breaches in 2022 (Verizon DBIR, 2022).
Factors for authentication:
Something you know, like passwords and PINs.
You have something: OTP tokens, smart cards, or authenticator apps.
You are something: fingerprints, face recognition, and voice biometrics.
20.
Authentication and Access ControlMulti-Factor Authentication (MFA): Using two or more factors makes it much less likely that someone
will hack into your account. Microsoft (2019) said that MFA stops 99.9% of automated account attacks.
Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Mandatory Access
Control (MAC) are types of access control models that tell authenticated users what they can do in a
system (Ferraiolo et al., 2011).
21.
Cloud Security in E-BusinessUsing the Cloud in E-Business
Cloud infrastructure is used by most modern e-business platforms to make them bigger, cheaper, and more
accessible around the world. Gartner (2023) says that in 2023, people all over the world will spend more
than $600 billion on cloud services. But using the cloud does bring up some security and privacy issues.
Shared Responsibility Model: The cloud provider is responsible for infrastructure security, while the
customer is responsible for data, application, and identity security. In 2022, 65–70% of cloud breaches were
caused by misconfigurations, not provider failures (CSA, 2022).
22.
Cloud Security in E-BusinessThreats that are unique to the cloud:
Data is exposed because S3 buckets or storage containers are set up wrong.
APIs that aren't secure let people who shouldn't have access to cloud resources.
Multi-tenancy risks when data isn't kept separate between customers (CSA, 2022).
Best practices include Cloud Security Posture Management (CSPM), encrypting data when it is at rest and
in transit, and making identity and access management (IAM) stronger (NIST, 2018).
23.
Introduction to Privacy in E-BusinessWhat Does Digital Privacy Mean?
Digital privacy means keeping personal information safe when it is created, stored, and sent online. In ebusiness, huge amounts of consumer data are collected every day. This includes information about where
they live, how they buy things, their health, and their finances. Using this information in the wrong way
hurts
consumer
trust
and
breaks
basic
rights
and
device
fingerprinting
(Acquisti
et
al.,
2016).
E-Business Privacy Issues:
Tracking
through
cookies
without
getting
permission
first.
Data profiling is the process of creating detailed profiles of consumers for targeted advertising.
Sharing data with third parties means selling customer information to advertisers and data brokers.
Cross-border data transfers are when personal data is moved to countries with weaker privacy laws (Voigt &
von dem Bussche, 2017).
24.
Data Protection PrinciplesSeven core principles underpin lawful data protection under modern regulatory frameworks (GDPR, 2018,
Art. 5):
Lawfulness, Fairness &
Data must be processed on a lawful basis with transparency to the
1
Transparency
data subject.
2
Purpose Limitation
Data collected for specified, explicit purposes — not used for
incompatible purposes.
3
Data Minimisation
Only data that is adequate, relevant, and necessary should be
collected.
4
Accuracy
Personal data must be kept accurate and up to date.
5
Storage Limitation
Data must not be retained longer than necessary for its purpose.
6
Integrity & Confidentiality
Data must be protected against unauthorised processing, loss, or
damage.
7
Accountability
The controller is responsible for and must demonstrate
compliance with all principles.
25.
GDPR: Overview and Key ProvisionsWhat is the GDPR?
On May 25, 2018, the General Data Protection Regulation (EU) 2016/679 went into effect. It is the most
complete data protection law in the world. It applies to all businesses that handle personal data of EU
residents, no matter where the business is located (Voigt & von dem Bussche, 2017).
Any organization worldwide that handles personal data of individuals in the EU, including e-commerce
platforms catering to European customers, must adhere.
26.
GDPR: Overview and Key ProvisionsImportant Parts:
Legal reasons for processing include consent, a contract, a legal obligation, vital interests, a public task,
or legitimate interests (Art. 6).
Privacy by Design: From the very beginning, systems must include data protection (Art. 25).
Data Breach Notification: Supervisory authorities must be told about breaches within 72 hours (Art. 33).
Data Protection Officer (DPO): Required for big data processors and public authorities (Art. 37).
Fines: Up to EUR 20 million or 4% of global annual turnover, whichever is more (Art. 83). In 2023, Meta
had to pay a fine of EUR 1.2 billion for sending data to the US without permission (DPC, 2023).
27.
GDPR: Rights of Data Subjects (Art. 12–22)The GDPR grants individuals eight enforceable rights over their personal data (GDPR, 2018):
Right to be Informed
Right of Access
Know what data is collected, why, and how long it
is kept.
Request a copy of all personal data held (Subject
Access Request).
Right to Rectification
Right to Erasure
Correct inaccurate or incomplete personal data.
'Right to be forgotten' — request deletion of
personal data.
Right to Restrict Processing
Right to Data Portability
Limit how data is processed in certain
circumstances.
Receive data in a machine-readable format for
transfer.
Right to Object
Rights re: Automated Decisions
Object to processing, especially for direct
marketing.
Not be subject to solely automated decisions with
significant effects.
28.
Compliance Challenges for OrganisationsGlobal e-businesses have to follow a lot of different rules at the same time, including GDPR (EU), CCPA
(California), PDPA (Singapore), and many more. These rules often disagree on their scope, what kind of
consent is needed, and how long it takes to notify someone of a breach (Greenleaf, 2019).
Cost of Compliance: In the first year, big companies spent an average of $3.5 million to follow the GDPR
rules. SMEs have to pay more for compliance, which often means hiring lawyers, upgrading technology,
and training staff (IAPP, 2020).
29.
Compliance Challenges for OrganisationsChallenges in Data Mapping: According to GDPR Article 30, businesses must keep detailed records of all
the ways they process personal data. Many companies don't know where their data is stored or how it moves
between systems that aren't their own (Deloitte, 2021).
Third-Party Vendor Risk: GDPR says that data controllers are in charge of making sure that their data
processors follow the rules. For e-businesses that rely on the cloud, checking out and managing third-party
vendors is still a big problem (ENISA, 2021).
Skills Gap: There aren't enough cybersecurity professionals around the world, with an estimated 3.4
million unfilled roles in 2022. This makes it harder to follow the rules (ISC², 2022).
30.
Emerging Threats: AI and the Internet of ThingsCyber Attacks with AI
Cybercriminals are using AI to make attacks faster and more powerful. Deepfakes made by AI are used to
steal people's identities, and AI-powered phishing tools can make attacks more personal. Generative AI (like
ChatGPT) makes it easier to write bad code (ENISA, 2023).
AI in Defence: On the other hand, security tools that use AI can find unusual activity, predict threats, and
respond to incidents faster than people can. More and more, Security Information and Event Management
(SIEM) systems use machine learning to find threats in real time (Gartner, 2023).
31.
Best Practices for E-Business Security & PrivacyOrganisations should adopt a layered, risk-based approach combining technical, organisational, and legal
measures:
Security by Design
Security Awareness Training
Embed security controls from the earliest stages of
system development, not as an afterthought (GDPR
Art. 25; NIST, 2018).
Regular, mandatory training for all employees on
phishing recognition, password hygiene, and
incident reporting (NCSC, 2021).
Strong Authentication
Data Governance
Enforce MFA for all internal and customer-facing
systems; adopt passwordless authentication where
feasible (FIDO Alliance, 2022).
Implement data classification, retention schedules,
and processing records (Art. 30 GDPR).
Continuous Monitoring
Incident Response Plan
Deploy SIEM, vulnerability scanning, and
penetration testing to maintain real-time visibility of
security posture (CIS, 2021).
Maintain a tested IRP that covers detection,
containment, eradication, recovery, and post-incident
review. GDPR mandates 72-hour breach notification
(Art. 33).
32.
Conclusions and SummaryE-business security is a strategic imperative, not an IT afterthought. As digital commerce expands globally,
the volume and sophistication of cyber threats including malware, phishing, DDoS, and insider threats
continue to escalate (IBM, 2023).
Cryptography, network security, authentication, and access control form the technical foundation of secure
e-business operations, and must be continuously updated to address emerging vulnerabilities (Stallings,
2017; NIST, 2020).
Privacy is a fundamental right, and organisations collecting personal data bear legal and ethical obligations.
The GDPR's seven principles and eight data subject rights define the global gold standard for data
protection (Voigt & von dem Bussche, 2017).
33.
Discussion Questions for the AudienceQuestion 1 (Speaker to Audience)
GDPR applies to any organisation processing data of EU residents, regardless of where the organisation
is located. Does this extraterritorial reach appropriately protect citizens' rights, or does it create an unfair
burden on non-EU e-businesses?
A
GDPR extraterritoriality reflects the EU's commitment to citizen protection regardless of data
location. Developing-country businesses serving EU customers should conduct data mapping,
appoint an EU representative (Art. 27), implement lawful processing bases, and leverage ISO 27001
certification as a cross-border compliance baseline.
Question 2 (Speaker to Audience)
Research shows human error accounts for ~95% of cybersecurity breaches (IBM, 2023). Does investment
in employee education deliver a higher return than investment in technical security tools? Justify your
answer with examples.
34.
ReferencesAcquisti, A., Brandimarte, L., & Loewenstein, G. (2015). Privacy and human behavior in the age of information.
Science, 347(6221), 509–514.
Anderson, R. (2020). Security Engineering: A Guide to Building Dependable Distributed Systems (3rd ed.). Wiley.
APWG. (2023). Phishing Activity Trends Report: 2022 Annual Report. Anti-Phishing Working Group.
https://apwg.org
California Department of Justice. (2020). California Consumer Privacy Act (CCPA).
https://oag.ca.gov/privacy/ccpa
CERT. (2019). Common Sense Guide to Mitigating Insider Threats (6th ed.). Carnegie Mellon University, Software
Engineering Institute.
Checkpoint Research. (2022). Cyber Security Report 2022. Check Point Software Technologies.
https://research.checkpoint.com
CIS. (2021). CIS Controls v8. Center for Internet Security. https://www.cisecurity.org/controls
Cloudflare. (2023). DDoS Threat Report Q4 2023. https://blog.cloudflare.com
CSA. (2022). Top Threats to Cloud Computing: Pandemic Eleven. Cloud Security Alliance.
https://cloudsecurityalliance.org