Why, When, and How to Establish a Security Department in Your eCommerce Business

Online security is a bit like a fire extinguisher - you don’t really pay attention to it until your life depends on it. Unfortunately, many eCommerce merchants don’t place enough emphasis on their “fire extinguisher” until a desperate situation calls for it. While it’s true that installing security protocols and tools may be a costly endeavor and certainly doesn’t generate profit in and of itself, the true value of time, energy, and money saved from dodging potential attacks may be astounding. Online crime is estimated to cost a staggering $10.5 trillion yearly by 2025, with bad actors growing more brazen by the day. More than 50% of all online attacks fall on small to mid-sized businesses, and a reported 60% of the targeted businesses close their doors within 6 months of the attack. Mastercard reports that 66% of small to mid-sized businesses experienced at least one online attack within the last two years.

In our first Q&A session, we answer some of your questions regarding why, how, and when to establish your very own dedicated security department, regardless of the size of your eCommerce business. Remember, the automated tools that bad actors use to target potential victims do not discriminate based on size, profit, market share, or brand awareness.

When should I have at least one person dedicated to information security at my company?

We strongly recommend that a business of any size focus on security from the very beginning, if possible. It’s much easier to establish security protocols and a strong security culture in your business from the start than to attempt to instill them at a later date. Read our blog post about security education within your eCommerce business here.

With that said, ideally, at least one individual within your organization should be responsible for security. This employee should act as a point of contact in your company; they don’t necessarily need to be an expert, and can simply manage relations with an outsourced security agency.

Can I utilize a platform with built-in security measures?

It’s important to understand the life stage of your company. Starting out, a viable option for you may be a platform with built-in security measures, and this may work well until the day your business outgrows it. Your platform may very well meet your current requirements and include appropriate protection against web attacks and data leaks.

At what point do I need a team versus one person managing security?

Consider the balance between the costs and benefits of housing a security team within your eCommerce business. Your business needs to reach a certain size before a larger team is warranted. Review your current revenue, the workload required, and the specific tasks for security personnel when making the decision. It’s also possible to hire an external security agency to take care of your security needs instead of building your own team.

Can I outsource my security needs to an external security agency?

It’s common practice to outsource security needs to an external security company, regardless of the size of your business. Ensure that the security agency you choose understands the needs of your business, and determine whether they are experts in their field. If the agency you choose to work with also offers other services, make sure you verify their security expertise above all else. Just because an eCommerce service provider offers innovative web design does not mean they are information security specialists.

If you don’t prioritize security when choosing tech or external specialists, you should still be able to pinpoint where and how your security needs are being met. In the end, you alone are liable for the security and safety of your eCommerce business.

What are the challenges to establishing your own security department?

The challenging aspect of creating your own internal security department is hiring skilled, high-quality talent in the field; you may not want to allocate the necessary funds to hire leading security experts. Consider that many high-level security professionals already work at security companies, where they can grow their knowledge and careers. Your company may not offer a challenging enough environment for such individuals. Also, after you’ve built your own security department, you need to manage that team, which presents its own set of requirements.

These challenges are why outsourcing security is a great option: companies that specialize in security often come loaded with the best minds in the security arena. You may also choose to outsource bits and pieces of your security measures. Still, if your firm is large enough, it may make sense to build your own team.

To conclude

Based on our experience, we recommend hiring one internal employee who can “own” security in your company, whether that’s managing third-party tools and the platform you use, or simply liaising with an external security agency. Moving forward, you have different options available to you, depending on the size of your organization and the needs of your business; even with your own team, you most likely will still utilize third-party tools and services. And even if you outsource your security needs to a security agency, you should still put that company to the test with an external pen test. That’s why Lokte’s tools and services will come in handy, whatever your situation may be.

There’s no “one size fits all” solution; rather, the solution for you depends largely on the life cycle of your organization and the requirements of your specific eCommerce project.

Which approach do you use for managing security in your online business?