Securing an online marketplace through the COVID-19-fueled boom
When COVID-19 began to spread around the globe, citizens of many countries were instructed to stay at and work from home. Most non-essential brick-and-mortar shops were closed for weeks and months, and that sudden development forced many customers to do their shopping online.
Online shops and marketplaces were faced with an onslaught of new customers and the challenge to make it all work seamlessly so they could reap the benefits of this monumental shift. They were also faced with the challenge of keeping their online assets, business operations, relationships with partners, and customers’ data secure.
Fabien Lemarchand became the CISO of ManoMano, a European (French) company running an online marketplace for DIY, gardening and home improvement, in June 2019 – half a year before the pandemic kicked off the e-commerce boom.
He joined the company when it was already starting to grow at a very rapid pace and a security overhaul was sorely needed.
Starting from scratch
“Before my arrival at ManoMano, security was managed individually by each team at the company. There was no security team per se, no unique strategy and no clear security framework. Everyone’s approach was very operational, which worked but kept the security stature at a level that was acceptable and functional,” he told Help Net Security.
“I’ve been very lucky to get the opportunity to build the cybersecurity strategy from scratch and think differently – a dream for any CISO. Every morning I ask myself how I can rethink and advance the strategy to contribute to the success of what continues to be a hyper-growth company.”
His approach to cybersecurity boils down to a combination of strategy, diplomacy and being customer-centric. When he started at the company, he set up three main objectives for his first 100 days.
“First of all, there had to be a focus on communication and open collaboration – I needed to listen and watch, understand the business challenges and security risks that were present at that time. Secondly, I focused on presenting a clear vision of the strategy across the business, laying out a concrete action plan with desired results. Finally, I immediately started thinking about the recruitment of new talent so we could build a smashing security team.”
That last effort was made easier by his previous experience as CISO of another marketplace (French e-commerce website Cdiscount).
“While many will think of CISOs as only leading the groundwork of protecting critical IT infrastructure, I see a huge part of the role being about engaging in strong partnerships with schools, providing training and also going beyond your current company to help advance awareness of good cybersecurity practices more widely. For example, I previously launched an initiative to help charities protect themselves,” he explained.
As part of his strategy, he set to build a strong and effective “human-first” security culture across the organization and train the team to apply an offensive approach to protecting the company. He also deployed a bug bounty program that quickly brought about benefits for the security team and boosted motivation, visibility and transparency.
Managing all of this while onboarding 200 newcomers onto the platform per year has required a lot of effort and problem-solving, he says, but the obstacle turned out to be surmountable.
COVID-19- and Brexit-related security and compliance challenges
When a business is experiencing rapid growth requiring an upscaling of security infrastructure, it really cannot afford any security nightmares, says Lemarchand – they can stall the company’s growth at a critical time, damage its brand and put immense strain on the internal team and resources.
When he started working for ManoMano, the company was facing the kinds of threats any e-commerce business has to deal with: social engineering (phishing), web exploits, DDoS, ransomware/malware, misconfiguration and security flaws/attacks on their partners.
“However, as our public visibility and market share started growing, there was a clear evolution in the type of attacks we saw, which would have been hard to deal with had we not made strategic changes beforehand,” he noted.
COVID-19 has led to even more changes in tactics used against marketplaces. For example, there were malware propagation efforts using references to the pandemic through various attack vectors (COVID-19-themed lures in phishing emails and SMS messages, malicious mobile applications, etc.).The shift to remote work spurred threat actors to exploit VPN access, remote access tools and video conferencing tools.
Brexit, on the other hand, ended up not being a big problem for the company.
“While we have had to adjust our GDPR approach and update the compliance requirements with our UK partners, I’m happy to say that, so far, it has not forced us to deal with any additional security problems. In the end, cybercriminals pay little attention to national borders – they go where the biggest bounty is and adapt their strategies to be able to exploit vulnerabilities associated with wider business and technological trends that occur simultaneously across much of the world.”
Lessons learned
Lemarchand coming onboard at ManoMano turned out to be very timely – he was able to start building this new system and culture just in time to meet security needs that arose with 2020’s unprecedented traffic and threat levels.
He was was effectively given free rein to build the system up again, and in the process he also learned a lot: the importance of sharing knowledge, fostering a culture of transparency and encouraging creativity when approaching cybersecurity.
“As threats and cybercrime tactics evolve even faster, security professionals have to deploy innovative solutions and apply the appropriate security measures that brings added value to the organization,” he said.
“To win the fight against cybercriminals, it is essential to build up cyber-confidence across the board by sharing knowledge and tactics both within security teams and across organizations. This needs to involve every actor in our society – employees, companies, customers, citizens, charities and more. In the end, the aim should be to develop strategies and tactics that benefit not just your own team and business but society as a whole, which is why I encourage my team, and continuously motivate myself, to organize meet-ups, conferences, CTFs, and school partnerships.”