Growth Vs Vulnerability: Why Indian Ecommerce Players Need To Focus On Cybersecurity

Technology, today, enables individuals to order nearly every product/service from the comfort of their homes. This has been made possible because of the digital revolution across many industry segments, be it travel and hospitality, online shopping, financial services, data sharing or e-entertainment. And the sector that leads the growth of this digital economy is ecommerce.

Led by dot-com firms and driven primarily by the proliferation of internet and smartphones in the country, ecommerce/online shopping has existed for decades. However, the Covid-19 pandemic acted as a global catalyst for change, convenience and safety concerns. The pandemic drove businesses and consumers towards an unforeseen and unprecedented digital transformation and shopping behaviours changed seemingly overnight. 

With lockdowns becoming the new normal in 2020, the ecommece sector (and digital commerce as a whole) emerged as one of the few hyper growth areas amidst an otherwise slow global economy. The Indian ecommerce sector was no different – in fact in 2020, it saw a rapid surge in online activity, making it the ninth largest in terms of cross-border growth, globally. 

Before we take a deep dive into the long-term potential and risks of ecommerce as a business model, a look at the disruptive backstory will not be out of context.   

The Ecommerce Evolution: Disruptive To The Core

Online selling in India started after internet services were introduced in 1995. By then, the world had already witnessed the birth of Amazon (1994), and PayPal (1998). Interestingly, it wasn’t a  private organisation but the IRCTC, a subsidiary of the Indian Railways that brought to the forefront the benefits of the internet as it launched online ticketing services in 2002. 

However, Indians did not adopt e-shopping until domestic giants like Flipkart (2007) and Snapdeal (2010) came into play.

The early movers in India managed to build good brands, good scale and a loyal customer base within the existing internet ecosystem. But the floodgates opened in 2016 when Mukesh Ambani-led Reliance Jio introduced inexpensive data plans, free SIM cards and improved mobile internet speed.

Today, the online model is entering every nook and cranny as industry behemoths like JioMart and Tata CLiQ eye inclusive commerce and aim to bring in traditional mom-and-pop or neighbourhood kirana shops to reshape the future of ecommerce in India.  

Ecommerce Now: An Overview Of The Indian Market

2020 onwards physical retail saw a drastic drop in sales as the pandemic triggered long stretches of lockdowns across the country. Business process digitalisation and online commerce were the need of the hour, and very soon, the direct-to-consumer or D2C model gained prominence.

“This is not surprising as most shoppers want to buy directly from brands without the intervention of intermediaries due to manifold benefits like quality and engagement. Which has become further seamless for users, with tech such as AI-based user-level personalisation, improvements in payments, voice search and chatbots”, believes Ramneek Khurana, cofounder of ​​ecommerce portal for eyewear in India, Lenskart

The disruptive model further accelerated ecommerce growth in India as brands leveraged ease of operations and improved customer communications to tap into Tier 2 markets and beyond.

According to Venkkatesan R, COO & Cofounder of online meat delivery platform, TenderCuts, “Tier 2 and Tier 3 cities are increasingly becoming the key markets for ecommerce, complementing Tier 1 cities for any specific company. Many brands have begun to embrace omnichannel marketing across the board. Secondly, consumers’ attitude has shifted from discount-driven to value-based for each product that the brands offer in recent years. As a result, customer expectations have risen, which the brand must meet.”

“We have created a lot of possibilities, difficulties, and conventions that will determine how we buy and sell items for the time being by pressing the fast-forward button on ecommerce adoption,” added Khurana.

Milestones In Indian Ecommerce During The Pandemic 

In the first nine months of 2021 (January-September), the sector saw a 600% jump in funding compared to CY2020. Also, during the festive season last year, the gross merchandise value (GMV) rose by 23% compared to the previous year — from $7.4 Bn to $9.2 Bn. 

Roadblocks That Hinder India’s Ecommerce Opportunity

The knock-on effects of the pandemic have accelerated ecommerce growth, but the sector has faced many challenges over the past two years. With more brands opting to go digital and selling online, consumers have many options. Hence, It has thus become extremely crucial for brands to increase focus on their retention and engagement strategies, price points, purchasing process, and product and/or service differentiation.

To counter the challenge, Venkkatesan told Inc42 that TenderCuts pays special attention to consumption patterns, “People are always seeking to sample new cuisines and recipes, and the food sector is constantly evolving. As a result, TenderCuts puts in its best effort to adapt to its customers’ preferences.”

Having faced similar challenges with users wanting to “touch and feel” the product before purchasing online, Lenskart adopted the omnichannel approach. “We currently have 1000+ stores across the country and a strong online presence with our apps (Android and iOS) and website. At stores, it is very easy for our users to “touch and feel” the frames but online that is not possible, making it a tad difficult for the users to make buying decisions,” said Khurana.

These challenges have arisen majorly due to shifting consumer behaviours over the pandemic. But while it drove online traffic and led to the rise of omnichannel engagement, amongst others, it also attracted more cyber criminals intent on disrupting and exploiting the growth of the segment. 

In fact, hackers/cybercriminals tend to target retail ecommerce companies for two reasons. First, PoS (point of sale) attacks give them quick access to the most sensitive personal and financial data. Second, be it POS intrusion, website attack or database hacks, e-retail companies and their customers are more vulnerable to sophisticated attacks than other organised sectors. While customers carry out online transactions based on trust, not all e-retailers have the means or tech knowledge to make their businesses foolproof against cyberthreats. 

Sid Pisharoti, regional VP, Akamai, said, “The ecommerce industry in India has seen tremendous growth in funding and has now become the second largest global venture capital hub behind the US. With the increase in investment, this sector is all set to see an increase in scale and adoption and with that, organisations in the industry face the risk of cyber attacks.”

He further went on to add, “At Akamai, we help some of the largest commerce and retail organisations — in India and around the world — strike a balance between achieving scale and securing their businesses, and protecting the experience of their users. We are able to accomplish this by leveraging the most sophisticated tools and technology and the deep expertise of our teams.”

Cyberattacks Vs India’s Digital Economy: The Current State & The Counters

“If we quickly look at 2021 across all industries tracked by Akamai, we will see that the commerce vertical led the overall bot growth (up 41% since April 2021). It beat all other highly targeted verticals like video media and high technology,” said Pisharoti.

Commerce remains one of the most attacked industries worldwide today, susceptible to a range of attacks. These vary from credential stuffing and account takeover (ATO) attacks unleashed by malicious bot operators, to malware, DDoS (distributed denial of service) attacks and WAF (web application firewall) assaults.

In addition to the above are ransomware attacks. According to recent reports, ransomware groups are more likely to strike during holiday season and on weekends when there are less incident response resources available. Deepa Parikh, Akamai India’s Head of Solutions Engineering told Inc42 that Akamai is now seeing retailers from around the world actively prioritising their Zero Trust journey and implementing microsegmentation to reduce attack surfaces and thereby, ransomware risk.

Akamai’s analysis further revealed that while the retail vertical saw significant growth in bot traffic, it remained relatively flat in the hotel and travel industry. Most of these are malign bots programmed for spamming, hacking or data theft. “For India’s Diwali and China’s Singles Day, Akamai witnessed significant jumps in malicious bot activity — more than 55% during the Diwali celebration — and bots showing up in full force for China’s biggest shopping day of the year,” it reported.

Bots are used by the online retailers in the industry, to engage their customers throughout the customer journey. These bots can help brands ensure and improve customer engagement and experience on their platform. If turned malign, these bots can easily affect a brand’s business, sales and overall reputation.

For instance, D2C brands thrive on the fact that they are close to their customers and that they build relationships with them, that furthers their sales and thus scale. However, it’s very detrimental for them if these bots buy the products and they are not able to create  a relationship with the customer. Furthermore, considering the end-user experience delivered on any D2C website affects the brand’s Google SEO ranking, they may also lose out on visibility to and acquiring of new users.

Thus, these bots not only cost the company money, but they also prevent it from knowing and expanding its user base. They restrict companies from cross-selling products and communicating with customers in order to promote other items.

Hackers can also attack transactional websites through credential abuse/credential stuffing (cyberattacks where compromised credentials like hacked passwords are used for authentication to breach into systems). 

According to Akamai’s Loyalty For Sale report, between July 2018 and June 2020, the retail, travel and hotel industries saw more than 63 Bn credential stuffing assaults. More than 90% of these attacks targeted the retail industry — amongst the major factors behind this is the heaps of data collected and stored by these brands. This data, which can be exploited by bad actors, is leveraged to personalise experiences and enable faster and more relevant purchase cycles.

During the lockdowns in Q1 FY2020, fraudsters and cybercriminals shared password combination lists to target these sectors and recirculated old credential lists to find new susceptible accounts.

However, credential stuffing was not the only type of malicious attack that plagued the commerce sector. SQL injection (SQLi) and local file inclusion (LFI) accounted for 3.4 Bn and 610 Mn cases, respectively.

Between July 2018 and June 2020, more than 4 Bn web attacks targeted the commerce sectors, and 83% of those were directed solely towards retail, accounting for 41% of the total attack volume.

In that same period — July 2018 and June 2020 — India was in the third spot in terms of targeted web attacks and held the sixth place in terms of attack sources against the commerce segment, globally, revealed the Akamai report.

During a session at the second edition of The D2C Summit by Inc42, Rakesh Malhotra, founder, Livpure explained, “According to me, security and privacy, in the minds of the consumer, are being taken care of by the brand almost entirely. And any breach of that, is essentially the fundamental breach of the trust in the brand.”

He further went on to add, “The cost of such breaches are and should be the drivers of building the primary strategy on security and privacy while building the digital products … it’s not so much the cost of the investment in the product building, it is more the cost of not doing it which needs to be factored in while building the brand.”

Resonating with the same Lenskart’s Khurana, said “Customer trust  drives customer loyalty. Even a single breach in this has a direct impact on customers coming back and engaging with the brand again. So every interaction that our customer has on the platform, … they are doing so with the underlying belief that the brand will not handover this data to a third party or is ensuring that this data is 100% secure at their end.”

These attacks happen in varied forms and formats, however it is DDoS that brands need to be more wary of, revealed Akamai’s analysis.

Business competitors can also initiate these attacks to bring down the sales of any business. Simply put, hackers are hired from different countries — with lenient laws around such cyberattacks — so that such activities can never be traced back. These anonymous attacks can lead to significant losses unless they are identified and thwarted in time.

There are other pitfalls. Brands today try to communicate more with customers in an always-on digital-first economy, leading to a deluge of mobile applications and application programming interfaces (APIs) for ease of use and enhanced engagement. However, these apps and APIs have some innate vulnerabilities, and companies need to focus on securing them. Towards that goal, ecommerce brands are now trying to ensure that developers come up with secure codes.

Having monitored the industry closely and worked with leading players, Akamai also blames trends like audience hijacking and content targeting, where the target is the javascript of the third and fourth parties. In such cases, whenever a customer visits the website, the malicious JavaScript gets loaded onto the browser and can cause harm to both customers and companies via data leaks and sales dips.

To help protect against such attacks and more, the global giant offers a portfolio of solutions including Bot Manager, Account Protector and App & API Protector  to name a few.

“We have observed incidents where cybercriminals launch a DDoS attack to bring down the operations of a business. In fact, on September 12th 2022, Akamai mitigated the largest attack ever recorded against a customer in Europe on the Prolexic platform with the attack traffic spiking to 704.8 Mbps,” said Parikh.

Cyberattacks And The Future Of Online Retail

According to a recent analysis by Inc42, the ecommerce market is set to cross the $400 Bn mark by 2030 — growing at a compound annual growth rate (CAGR) of 18.9% between 2022 to 2030 — while D2C, the most prominent sub-segment in this market, will have an estimated value of $302 Bn.

These are ambitious estimates, but they also underline how tempted cybercriminals will be to take control of such a massive market. Brands, too, must understand the extent of the risk and the need for implementing a robust system to reduce customer churn triggered by data breaches.

“With the increase in digital & internet penetration globally, there has been a rise in data within organisations without any platforms to meaningfully derive customer insights. It is imperative for brands to have a data strategy in place to bring all these data points together and drive decision-making within the organisation,” explained Lenskart’s Khurana.

This becomes all the more crucial when the brand opts for an omnichannel presence. Having a data strategy in place aids the mapping of customer journeys — of the customers browsing online and shopping offline and vice-versa — to deliver a superior experience.

Advising the brands on the first-level checks they can put in place, Tony Lauro, director, security technology & strategy, at Akamai said, “Make sure that you are keeping an eye on how your apps are being used. Attackers don’t always blast down the front door. A lot of times, they abuse the business logic of the application. If someone has jumped a few steps of the process or there are only half-step patterns, businesses need to ensure that they can identify it.

“But to understand from a security perspective, you have to understand what the developers were thinking when they built the application because they were building it for proper use cases,” he added.

Adding to that, Mitesh Jain, regional sales director, India, at Akamai, said, “As online shoppers from emerging cities and towns grow, commerce companies need the support of a reliable network infrastructure to cater to these users. With the proliferation of smart devices, they would also need to provide seamless experiences regardless of the location and device of the consumer. They would also need a comprehensive set of security solutions that can protect businesses from cyberattacks prevalent in the industry. Akamai works with many of the top Indian Commerce brands today and supports them in providing this secure last-mile connectivity and experience.” 

As ecommerce takes over Tier 2 and Tier 3 cities, there should be a robust and comprehensive set of solutions that can help businesses counter the threats of cyberattacks prevalent in specific sectors and the overall market. In a scenario where brands need to keep their APIs and processes extremely simple for users to feel comfortable, Akamai boasts a tech solution stack that can help companies protect and defend their digital-first business model.