Roberto Popolizio
Updated on: December 18, 2024
Business owners frequently ask about the importance of cybersecurity, cost-effective solutions, the specific services they need, and how to handle compliance requirements such as GDPR and SOC 2. They are also concerned about employee training and protection against common threats like phishing and ransomware.
In this interview series by Safety Detectives, I speak with business owners who have successfully faced these same challenges head-on. If you are looking for actionable tips to safeguard your company and avoid costly mistakes, from people who have been in your shoes, keep reading.
My guest today is Eliott, CEO of Stockly, a technology company in the retail space that enables e-merchants to exchange inventory.
What event(s) made you realize the real importance of online safety and privacy? What happened and what lessons did you learn from that episode(s)?
Working in the e-commerce sector has made me acutely aware of the critical nature of data security. The increasing frequency of high-profile data breaches in the retail industry has demonstrated that even a single security incident can severely impact both business operations and customer trust.
By mid-2024 alone, nearly 2 billion data records had been compromised across various sectors, and the average cost of a breach reached $4.88 million, a 10% increase over 2023 and the highest figure ever recorded.
Some recent data breaches in eCommerce and retail in 2024:
- In December, Neiman Marcus confirmed a data breach affecting over 64,000 customers. Hackers accessed sensitive information such as names, contact details, and gift card numbers.
- In July, a cyber attack on Retail World, a major global retail chain, impacted 5 million customers, exposing personal data (including credit card details) due to an unpatched vulnerability in their e-commerce platform.
- A breach at PandaBuy compromised the personal data of over 1.3 million users, including names and email addresses. The lack of an official statement from the company has also raised concerns about their willingness to be open about the real severity of this breach.
These data, together with my personal experience, have taught me that security isn't just an IT concern; it's a fundamental business imperative.
How do you handle sensitive information online—whether personal or work-related? Are there tools, apps, settings, or habits that you consider essential, and why?
For sensitive information management, I follow a multi-layered approach:
- Using password managers for generating and storing strong, unique passwords
- Implementing two-factor authentication (2FA) across all critical accounts
- Maintaining strict access controls and regular permission audits
- Using encrypted communication channels for sensitive business discussions
How a multi-layered approach compares to traditional approaches
Traditional perimeter security focuses instead on building a defensive boundary around sensitive data, typically with firewalls and intrusion detection systems. It primarily addresses external threats and does little against insiders, stolen credentials, or attacks that bypass the perimeter entirely, such as phishing or a compromised supplier. It is also largely reactive: the controls detect and respond once an attacker is already at the edge, rather than limiting what a successful breach can reach.
Defense in depth is the established name for layering controls so that no single failure is fatal, and the multi-layered approach described above is a form of it. The difference in practice is scope. Defense in depth is often implemented only at the infrastructure layers (network segmentation, host hardening, endpoint agents), whereas the approach above also layers controls on identities, credentials, and communications across the entire technology stack, and revisits them regularly through permission audits and policy reviews so the layers adapt as threats change instead of staying fixed at design time.
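To make the "strict access controls and regular permission audits" item above concrete, here is a minimal access-review script written for this page. It is an added example, not Stockly's tooling. It assumes a hypothetical per-role permission baseline (`ROLE_BASELINE`), a hypothetical set of permissions that must never be held without 2FA (`PRIVILEGED`), and a constructed account inventory; in a real review those would be exported from your identity provider or IAM system. The audit flags four things a periodic review should catch: accounts with a role nobody defined, permissions beyond what the role needs (least privilege), privileged access without 2FA, and accounts that still hold access but have gone idle.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical role baseline (assumption for this example): the maximum set of
# permissions each role should hold. In practice this comes from your IdP/IAM
# policy, not from a literal in a script.
ROLE_BASELINE = {
    "support": {"orders:read", "customers:read"},
    "ops": {"orders:read", "orders:write", "inventory:write"},
    "admin": {"orders:read", "orders:write", "inventory:write",
              "users:manage", "billing:read"},
}

# Permissions that must never be held by an account without 2FA (assumption).
PRIVILEGED = {"users:manage", "billing:read", "inventory:write"}


@dataclass
class Account:
    user: str
    role: str
    permissions: set
    mfa_enabled: bool
    last_login: date


def audit(accounts, today, inactive_days=90):
    """Return (user, finding, detail) tuples for every control violation.

    Checks, in order: unknown role, permissions beyond the role baseline,
    privileged access without 2FA, and accounts that still hold permissions
    but have not logged in for more than `inactive_days` days.
    """
    findings = []
    for a in accounts:
        baseline = ROLE_BASELINE.get(a.role)
        if baseline is None:
            # A role with no baseline cannot be reviewed; surface it first.
            findings.append((a.user, "unknown_role", a.role))
            continue
        excess = a.permissions - baseline
        if excess:
            findings.append((a.user, "excess_permissions", sorted(excess)))
        privileged = a.permissions & PRIVILEGED
        if privileged and not a.mfa_enabled:
            findings.append((a.user, "privileged_without_mfa", sorted(privileged)))
        idle_days = (today - a.last_login).days
        if idle_days > inactive_days and a.permissions:
            findings.append((a.user, "inactive_with_access", idle_days))
    return findings


# Constructed sample inventory for the example (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", "admin", set(ROLE_BASELINE["admin"]), True, date(2024, 12, 17)),
    Account("bob", "support", {"orders:read", "customers:read", "inventory:write"},
            False, date(2024, 12, 10)),
    Account("carol", "ops", set(ROLE_BASELINE["ops"]), True, date(2024, 8, 1)),
    Account("dave", "contractor", {"orders:read"}, True, date(2024, 12, 1)),
]


def run_sample(today=date(2024, 12, 18)):
    """Run the audit over the constructed inventory as of a fixed date."""
    return audit(SAMPLE_ACCOUNTS, today)


if __name__ == "__main__":
    for user, finding, detail in run_sample():
        print(f"{user:8} {finding:24} {detail}")
```

On the sample data the review reports that bob holds `inventory:write` beyond the support baseline and does so without 2FA, that carol has not logged in for 139 days while keeping ops access, and that dave's "contractor" role has no baseline at all; alice, an admin within her baseline with 2FA and a recent login, produces no finding. Running this on a schedule against an export from your identity provider, and treating each finding as a ticket to remove access or add 2FA, is what turns "regular permission audits" from a policy statement into an enforced control.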
What measures, tools, and services are you using to protect your company and customers’ data, and train your employees? What was the process like for you when deciding where to allocate your budget?
At Stockly, we’ve implemented several key security measures:
- Regular security training for all team members
- Robust data encryption protocols for customer information
- Comprehensive access control systems
- Regular security audits and vulnerability assessments
What’s your experience with outsourcing cybersecurity to a Managed Service Provider (MSP) versus handling things in-house? What would you suggest to other companies of your size?
We’ve adopted a hybrid approach to security, maintaining core security functions in-house while partnering with specialized providers for specific needs.
For companies of our size, I recommend starting with strong in-house fundamentals and gradually incorporating external expertise for specialized security functions as the business scales.
Many cybersecurity experts suggest that companies consider outsourcing specialized functions, such as advanced threat detection or incident response, once they have established a solid internal foundation. This lets you draw on external expertise without weakening your core security posture, and leaves you prepared to handle emerging threats as your business grows.
What regulatory requirements around data protection and privacy have impacted your business, and how? What helped you ease the adaptation process?
Our business operates under various data protection regulations, including GDPR. We’ve found success in treating compliance not as a burden but as an opportunity to strengthen our security infrastructure.
Key to our adaptation has been:
- Regular policy reviews and updates
- Maintaining detailed documentation
- Implementing automated compliance monitoring tools
Are there any emerging technologies or trends you personally find either exciting or concerning when it comes to online privacy and security?
I'm particularly excited about the potential of AI in predictive security measures and about zero-trust architecture implementation. However, I'm concerned about the increasing sophistication of social engineering attacks and the security implications of rapid cloud service adoption.
How can people connect with you?
LinkedIn: https://www.linkedin.com/in/ejabes/