UK: NCSC publishes new cybersecurity guidance for online retailers

UK online retailers can now benefit from tailored cybersecurity guidance on improving customer authentication and removing malicious websites.

The UK National Cyber Security Centre (NCSC) has published two new pieces of guidance to support online retailers, hospitality providers and utility services in protecting themselves and their customers from cybercriminals. The advice encourages these organisations to add layers of security on top of passwords to authenticate customers and outlines how they can remove malicious websites and content spoofing their brand. The guidance is the latest addition to a suite of advice offered by the NCSC to help improve the cybersecurity of UK businesses.

UK retailers should move beyond password authentication

The first guidance piece, Authentication methods: choosing the right type, has been designed to help UK organisations select appropriate methods for authenticating their customers beyond reliance on passwords. “Passwords can be stolen in a number of ways, but the most common way is when an organisation holding account details suffers a data breach,” it read. “Regardless of how passwords are acquired, unless you implement an additional method of authentication, criminals can use stolen credentials to access users’ accounts fraudulently. This might give them access to sensitive personal data (including financial data such as credit card details) or allow them to impersonate a user to carry out harmful actions. Adding a second additional method of authentication for customer accounts makes it much more difficult for a criminal to do harm.”

The guidance focuses on four enhanced authentication models specifically, outlining the benefits and limitations of each method. These are:

• Multi-factor authentication (MFA)
• OAuth 2.0
• FIDO2
• Magic links and one-time passwords

For each authentication method, organisations should consider both security and usability, along with the profile of their customer base, the guidance added. “Whichever model of additional authentication you implement, you’ll need to provide additional support for your users, during account setup and beyond.”

UK NCSC outlines how online retailers can remove malicious websites

The second guidance piece, Takedown: removing malicious content to protect your brand, is aimed at helping businesses protect their brand from being exploited online, with specific focus on the removal of malicious content such as phishing sites. These can spoof well-known retailers to exploit brands and customers, leading to false representations of products or services, fake endorsements, and credible-looking malware campaigns.

“The better-known your brand is, the more likely someone will try to exploit it. This misuse can appear across many platforms including online adverts, social media accounts, email, SMS and phone calls,” the NCSC wrote. Its guidance sets out the steps online retailers can take to initiate the takedown of malicious content, which includes contacting abused hosting companies and domain registrars in addition to the mechanics of obtaining the services of a specialised takedown provider.

Guidance will help businesses protect customers, themselves from cyberthreats

Commenting on the UK NCSC’s latest cybersecurity guidance, NCSC Deputy Director for Economy and Society Sarah Lyons said, “Online shopping is bigger than ever and that’s something to be welcomed – but unfortunately it comes with the risk of shoppers’ accounts being exploited.” Businesses have a major role to play in protecting online shoppers, which is why the NCSC has produced the new guidance to help them do so, she added. “Following this guidance will allow businesses to help keep their customers safe online as well as protecting themselves from potentially crippling cyberattacks.”

Authentication methods: choosing the right type

Takedown: removing malicious content to protect your brand

Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

• Globally, 30,000 websites are hacked daily.
• 64% of companies worldwide have experienced at least one form of a cyber attack.
• There were 20M breached records in March 2021.
• In 2020, ransomware cases grew by 150%.
• Email is responsible for around 94% of all malware.
• Every 39 seconds, there is a new attack somewhere on the web.
• An average of around 24,000 malicious mobile apps are blocked daily on the internet.