09.12.2021 Are retailers ready for the most vulnerable time of the year?

by Ben Filipkowski

‘Tis the season for online shopping — and defending against cyber threats

The Christmas holidays are almost here, bringing good cheer, gift-giving, a spirit of kindness — and more cyber attackers targeting businesses of all sizes.

The lead-up to Christmas is a major event for retailers and consumers everywhere — and with the holiday shopping season in full swing in the midst of a global pandemic, many consumers are turning to online shopping to make sure they’ve got gifts under the tree in time for December 25.

But like anything else online, all these financial transactions draw the attention of cyber attackers.

Here are five major reasons why the holidays are the most vulnerable time of year for retailers — and how a bit of holiday cyber security knowledge can help you protect your business and customers.

1. Greater demand for ecommerce

Online shopping has very much remained the “in thing” this holiday season. Since the pandemic started in 2020, many consumers still rely on contactless purchasing options.

Between February 2020 and October 2021, online shopping increased 39% in the United Kingdom, and retailers are shipping in record numbers to get parcels to customers in time for the holidays. US couriers delivered a ground-breaking number of packages during the 2020 holiday season and expect to surpass that record by another 10% this year.

While online shopping is nothing new, it seems probable that 2021 will set another all-time high — accounting for 19.5% of total sales in 2021. According to Shopify, that’s a 46% increase in ecommerce market share in only two years.

With more people shopping online and more businesses employing ecommerce platforms to make sure they meet that demand, there’s a greater need for secure digital storefronts and websites, especially following the rush to bring a business fully online.

This need for speed that dominated the initial wave of business shutdowns early in 2020 resulted in a dramatic rise in cyber attacks on businesses of all sizes, with retailers facing a greater risk of skimming attacks, malware, credit card fraud, and even denial of service.

It’s important to regularly assess your security efforts — patching software and systems, addressing gaps in defences, and getting staff up to speed on best practices — in order to improve your security posture with minimal investment.

2. Cyber security is time-consuming, no matter your business

Many businesses, regardless of size or sector, see cyber security as challenging, time-consuming, and resource intensive.

Some retailers simply won’t have the means to monitor their digital presence during the holiday rush, let alone the rest of the year.

It also doesn’t help that some businesses still don’t believe that they’re a target in the eyes of attackers. Businesses that handle personally identifiable information, conduct financial transactions, and rely on the Internet and a digital storefront to sell products are at risk, no matter their size.

It’s not just what you do or the amount of money you make that draws attention, but rather who you work with, the nature of that relationship, and the ways a criminal could exploit it for their own ends.

During the holiday shopping rush, an attacker may simply be looking to stage a business email compromise (BEC) attack to quickly make off with the day’s profits, though skimming attacks that steal credit card information may also target consumers.

Knowledge of the threats you face, no matter your company’s size, is a foundational step towards improving your cyber security, but it takes time to build this knowledge and more time to put it into action.


Working with an MDR solution provider that will help you detect and respond to threats proactively can give your business more time to focus on customers.

3. Third-party risks

Think for a moment about the third parties your business works with. If the ecommerce platform your business uses were to suffer a data breach, for example, how would it impact your operations?

These platforms or software tools are provided as a service to companies around the world, and the providers face a wide range of cyber security challenges of their own.

Unfortunately, a single breach or security issue with these vendors or providers could have a big impact on your business; according to IBM, third-party software vulnerabilities accounted for 16% of all malicious data breaches in 2020.

As with the other vendors you work with, taking the time to assess your ecommerce provider’s security posture and how it protects your business’ data is vital for every business selling products online.

During any assessment, keep these four questions in mind:

  1. What data can the third parties you work with access and monitor?
  2. What policies and procedures are in place for handling this data?
  3. Are there controls in place to ensure data is handled appropriately and securely?
  4. How are these controls enforced?

If you are a third-party software vendor or otherwise handle sensitive data, ensuring your business is fully compliant with existing data protection regulations and standards like the General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI DSS) is absolutely vital, this time of year especially.

4. Growing ransomware threats

Once upon a time, ransomware attacks were opportunistic, using phishing attempts to cast a wide net across as many potential victims as possible.

But ransomware has changed. Back in 2019, there were predictions that an attack would hit a business every 11 seconds, with a projected global cost of nearly $20 billion by the end of 2021. However, the advent of ransomware-as-a-service (RaaS) has allowed a greater number of attackers to employ sophisticated malware to target their victims.

What’s more, the urgency and pressure of Christmas and Black Friday give criminals even greater leverage to extort their victims and demand payment.

And that’s not all — nearly one-third of all victims of ransomware attacks are small to mid-size businesses (SMBs). Even a small, local retailer just now getting into ecommerce is as much a target as an established business, and may even be more appealing due to its relative inexperience in cyber security.

Regular data backups can help, as can ensuring your software and technology are fully patched and up-to-date, but one of the easiest ways to defend against ransomware is to keep your team aware of the threats. Ongoing training, insightful employee guides, and the adoption of cyber security best practices can help build a security-first culture that actively works to protect your business.

5. Social engineering and the human element

As Field Effect’s founder, CEO, and CTO Matt Holland said recently, “Social engineering is the art of convincing somebody you are someone they trust.”

Social engineering is a set of techniques that attempt to manipulate users into taking an action and is most commonly seen in online fraud or phishing attacks. Attackers try to convince users to click a link or provide credentials using a message or website that looks legitimate at first glance.

Once a user has taken that action and provided their credentials to an account, the attacker can use that access to gather information for further attacks. For example, suspicious emails apparently from business owners or urgent vendor payment requests could indicate a BEC attack. Consumers, meanwhile, should watch for fraudulent websites posing as legitimate businesses.

Attacks that rely on social engineering exploit the human element to great effect. People make mistakes — but by educating your team, you can ensure those mistakes won’t happen again.

In the spirit of the season, check out our free eBook, Cyber Security 101: Your Guide to Getting the Basics Right to learn more about the threats facing businesses like yours and how you can defend against them.

And one more thing:

It’s the most vulnerable time of the year!
With alerts alarm belling
And every tool telling you, ‘Look over here,’
It’s the most vulnerable time of the year!

There’ll be attackers assessing
And ransomware dressing
Up as something legit!
There’ll be phishing attempts
And tests of your defenses
Until you’re fed up with it!

It’s the most vulnerable time of the year!

