ENISA Tips for cybersecurity when buying and selling online

こんにちは、丸山満彦です。

ENISAがオンラインでの売買についてのセキュリティのティップスを公開していますね。。。個人向けと中小企業向けとなっています。ヨーロッパは中小企業が重要ということだからでしょうね。。。日本も似た構造だと思いますので、参考になるでしょうね。

ただ、セキュリティに関しては、中小企業が単独で対応するのは人的にも金銭的にも難しいと思うので、プラットフォーム事業者の上にシステムを作っていくことになるのだろうと思います。そうすると、プラットフォーム事業者は社会インフラとなっていきますので、電力事業者、水道事業者、鉄道事業者、通信事業者といったインフラ事業者となるわけですから、寡占問題等も鑑みて適切な規制が必要となってくるというセットと考えています。

● ENISA

・2020.03.31 Tips for cybersecurity when buying and selling online

For citizens: Cyber secure buying online

1. Secure connection
2. Look out for Covid-19 phishing emails and fake websites
3. Payment fraud
4. Updated systems
5. Protect your privacy

For SMEs: Cyber secure online selling

1. Secure your website for customers
2. Protect your assets
3. Store passwords securely
4. Ensure compliance with data protection requirements
5. Monitor and prevent incidents

 

-----

For citizens: Cyber secure buying online

1. Secure connection: Pay attention to the security seal of each website that you are browsing by looking for the presence of the little green padlock in the address bar. This means in general that your connection is established over a secure channel.  
2. Look out for Covid-19 phishing emails and fake websites: there has been an increase in the registration of domains, which contain the word ‘Corona’, which is used by cyber criminals to offer scams. Be suspicious of any e-mails asking to check or renew your credentials even if it seems to come from a trusted source. In all cases, try to verify the authenticity of the request through other means, do not click on suspicious links or open any suspicious attachments. Watch out for emails purporting to be an invoice for a purchase that was in fact not made.
3. Payment fraud: Check your online accounts and your bank statements regularly and report any suspicious activity to your bank. If you think you have been a victim of an attack, contact your bank. If possible, activate two-factor authentication for payments.
4. Updated systems - make sure your system (operating system and the applications used) is up to date as well as ensuring your antivirus and antimalware are installed and fully updated.
5. Protect your privacy - Think twice when asked for data and read privacy policies. If you need to set up an account with a supplier, use strong passwords that cannot easily be predicted and use a password manager. Avoid sharing personal information with persons you do not know on social media. Consider using privacy tools, such as anti-tracking and secure messaging tools, for your online and mobile protection.

 

For SMEs: Cyber secure online selling

1. Secure your website for customers: It’s vital you have the right security to protect both your enterprise but also your customers, for example use https connections and enable 2 factor authentication where possible. Additionally it’s important to test the security of the website and ensure adequate support for customers in case of problems.
2. Protect your assets: Much like any other business asset, information needs to be strategically managed and protected. Information security is the protection of information within a business, including the systems and hardware used to store, process and transmit this information. Make sure a security policy is in place, together with all necessary technical and organisation security measures.
3. Store passwords securely: If customers need to create accounts to buy from your website, then make sure all passwords are stored securely. Make sure your client data is protected according to the rules of the industry. Where possible, make sure sensitive data is not readable, solutions such as keyed or salted hashes could be applied.
4. Ensure compliance with data protection requirements: When processing personal data of customers, make sure that you comply with the legal framework on data protection. Visit your national Data Protection Authority’s website for further information.
5. Monitor and prevent incidents – Have a security incident response policy in place and make sure that measures are taken for the prevention, monitoring and response to security incidents, including personal data breaches.

-----