‘Tis the season for online shopping — and defending against cyber threats
The Christmas holidays are almost here, bringing good cheer, gift-giving, a spirit of kindness — and more cyber attackers targeting businesses of all sizes.
The lead-up to Christmas is a major event for retailers and consumers everywhere — and with the holiday shopping season in full swing in the midst of a global pandemic, many consumers are turning to online shopping to make sure they’ve got gifts under the tree in time for December 25.
But like anything else online, all these financial transactions draw the attention of cyber attackers.
Here are five major reasons why the holidays are the most vulnerable time of year for retailers — and how a bit of holiday cyber security knowledge can help you protect your business and customers.
1. Greater demand for ecommerce
Online shopping is very much the “in thing” this holiday season. In light of the pandemic, more consumers are turning to contactless options when making a purchase decision.
Since February 2020, online shopping has increased by 46% in the United Kingdom, and retailers are shipping in record numbers to get parcels to customers in time for the holidays; in the lead-up to Christmas, nearly 600 million packages have been recorded in tracking software, up from 462 million in 2019.
While online shopping is nothing new, it seems likely that 2020 will set records for the number of transactions occurring over the Internet — professional services firm Deloitte projected that ecommerce sales would grow by as much as 35% this year.
With more people shopping online and more businesses employing ecommerce platforms to make sure they meet that demand, there’s a greater need for secure digital storefronts and websites, especially following the rush to bring a business fully online.
This need for speed that dominated the initial wave of business shutdowns early in 2020 resulted in a dramatic rise in cyber attacks on businesses of all sizes, with retailers facing a greater risk of skimming attacks, malware, credit card fraud, and even denial of service.
As time has passed, though, taking the time to assess your security posture and act on what you find — patching software and systems, addressing gaps in defences, and getting staff up to speed on best practices — can help you improve it with minimal investment.
2. Cyber security is time-consuming, no matter your business
Businesses of all sizes and all sectors share something in common: cyber security is perceived as challenging, time-consuming, and resource intensive.
Some retailers simply won’t have the means to monitor their digital presence during the holiday rush, let alone the rest of the year.
It also doesn’t help that some businesses still don’t believe that they’re a target in the eyes of attackers. Businesses that handle personally identifiable information, conduct financial transactions, and rely on the Internet and a digital storefront to sell products are at risk, no matter their size.
It’s not just what you do or the amount of money you make that draws attention, but rather who you work with, the nature of that relationship, and the ways a criminal could exploit it for their own ends.
During the holiday shopping rush, an attacker may simply be looking to stage a business email compromise (BEC) attack to quickly make off with the day’s profits, though skimming attacks that steal credit card information may also target consumers.
Knowledge of the threats you face, no matter your company’s size, is a foundational step towards improving your cyber security, but it takes time to build this knowledge and more time to put it into action.
Working with a solution provider that will help you detect and respond to threats proactively can give your business more time to focus on customers.
3. Third-party risks
Think for a moment about the third parties your business works with. If the ecommerce platform your business uses were to suffer a data breach, for example, how would it impact your operations?
These platforms or software tools are provided as a service to companies around the world, and the providers face a wide range of cyber security challenges of their own.
Unfortunately, a single breach or security issue with these vendors or providers could have a big impact on your business; according to IBM, third-party software vulnerabilities accounted for 16% of all malicious data breaches in 2020.
As with the other vendors you work with, taking the time to assess your ecommerce provider’s security posture and how it protects your business’ data is vital for every business selling products online.
During any assessment, keep these 4 questions in mind:
- What data can the third parties you work with access and monitor?
- What policies and procedures are in place for handling this data?
- Are there controls in place to ensure data is handled appropriately and securely?
- How are these controls enforced?
If you are a third-party software vendor or otherwise handle sensitive data, ensuring your business is fully compliant with existing data protection regulations and standards like the General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI DSS) is absolutely vital, this time of year especially.
4. Growing ransomware threats
Once upon a time, ransomware attacks were opportunistic, using phishing attempts to cast a wide net across as many potential victims as possible.
But ransomware has changed — back in 2019, there were predictions that an attack would hit a business every 11 seconds, with a projected global cost of nearly $20 billion by the end of 2021; the advent of ransomware-as-a-service (RaaS), meanwhile, has allowed a greater number of attackers to employ sophisticated malware to target their victims.
What’s more, the urgency and pressure of Christmas and Black Friday give criminals even greater leverage to extort their victims and demand payment.
And that’s not all — nearly a third of all victims of ransomware attacks are small to mid-size businesses (SMBs). Even a smaller local retailer just now getting into ecommerce is as much a target as an established business, and in many cases may be more appealing due to their relative inexperience in cyber security.
Regular data backups can help, as can ensuring your software and technology are fully patched and up-to-date, but one of the easiest ways to defend against ransomware is to keep your team aware of the threats. Ongoing training and the adoption of cyber security best practices can help build a security-first culture that actively works to protect your business.
5. Social engineering and the human element
As Field Effect’s founder, CEO, and CTO Matt Holland said recently, “Social engineering is the art of convincing somebody you are someone they trust.”
Social engineering is a set of techniques that attempt to manipulate users into taking an action and is most commonly seen in online fraud or phishing attacks. Attackers try to convince users to click a link or provide credentials using a message or website that looks legitimate at first glance.
Once a user has taken that action and provided the credentials to an account, attackers can use that access to gather information for further attacks. For example, suspicious emails that appear to be from business owners or urgent vendor payment requests could be indicators that you’ve been targeted by a BEC attack; consumers, meanwhile, should be on the lookout for fraudulent websites posing as legitimate businesses.
Attacks that rely on social engineering exploit the human element to great effect. People make mistakes — but by educating your team, you can ensure those mistakes won’t happen again.
In the spirit of the season, and with an eye to helping you stay informed about steps you can take to secure your business, check out our free eBook, “Cyber security 101: your guide to getting the basics right,” to learn more about the threats facing businesses like yours and how you can defend against them.
And one more thing:
It’s the most vulnerable time of the year!
With alerts alarm belling
And every tool telling you, ‘Look over here,’
It’s the most vulnerable time of the year!
There’ll be attackers assessing
And ransomware dressing
Up as something legit!
There’ll be phishing attempts
And tests of your defenses
Until you’re fed up with it!
It’s the most vulnerable time of the year!