As retailers in many countries plan for this year’s Black Friday and Cyber Weekend under the shadow of various levels of lockdown and COVID-19 restrictions, Continuity Central asked six cyber security experts for their tips for how retailers can continue to safeguard their operations in these unusual times.
Change freeze season
In the build up to Black Friday, it’s tempting to make technology upgrades to help performance on the day, but Stephen Roostan, VP EMEA at Kenna Security, warns that this could backfire and weaken an organization’s security:
“For the IT and security teams, this make or break period is definitely not the time to be making significant upgrades or proactively deploying major patching initiatives. All the must-do IT projects will either have been completed, or put on the back-burner for now.
“The challenge is that tackling security vulnerabilities is a noisy old business and it doesn’t take a break. Day in, day out, IT and security teams are drowning in data about vulnerabilities generated by multiple sources. To compound the problem, all this data comes in too fast and in a format that’s simply too difficult to understand. According to the Cyentia Institute, a typical organisation has the capacity to fix about one out of 10 vulnerabilities in their environment.
“For the next few weeks at least, let’s hope the majority of retailers will be able to capitalise on this peak spending time, confident in the knowledge that the work delivered by their IT and security teams these past few months will ensure maximum uptime, in as secure a way as possible.”
Cut out the middleman
The unfortunate truth for retailers is that e-commerce sites and applications present a rich array of illicit opportunities for cyber criminals. Jan van Vliet, VP EMEA at Digital Guardian, explains, “With many of the physical stores closed for at least the initial Black Friday and Christmas trading period, retailers’ online businesses are likely to be at increased risk of being targeted for data leakage or theft.
“For example, an attacker could attempt to intercept communications between the customer and the application. This is commonly referred to as a man-in-the-middle attack and means that anything the customer sends to the retail website can be viewed, intercepted, and changed by the attacker. In response to this, retailers must ensure that their online presence, website or portal has been suitably secured.”
This is a sentiment Andy Collins, Head of Security at Node4, echoes:
“From a security perspective, the biggest threat retailers will likely see is credit card skimmers, such as Magecart, being injected into e-commerce sites. With this in mind, it’s important for retailers to ensure all e-commerce software and content management systems are updated to the latest versions, prior to the big weekend.”
The ball’s in whose court?
Although it is initially down to customers where and how they share their own data, Anurag Kahol, CTO at Bitglass, highlights the shift in responsibility that takes place when companies harness customer data:
“Black Friday and Cyber Monday present a great opportunity for retailers to collect customer data that can be analysed to provide insight into buyer behaviour. However, while ramping up efforts to collect this data, it is even more important to store it safely in order to meet data privacy regulations like GDPR. Companies of all sizes must take full responsibility for securing their customer data. There is no excuse for negligent security practices such as leaving databases of customer information exposed. The consequence of failing to protect sensitive data can result in massive fines, not to mention the resulting damage to brand reputation.
“Obtaining full visibility and control over corporate data starts with a multi-faceted approach to security. Specifically, solutions that enforce real-time access control, encrypt sensitive data at rest, and manage the sharing of data with external parties, can help proactively prevent data leakage.”
Keeping savvy to the traps
Many retailers will be concerned with ransomware attacks during this period; Gijsbert Janssen van Doorn, Director Technical Marketing at Zerto, delves into how retailers can avoid falling victim:
“Usually delivered through phishing emails, retailers know that just one staff member clicking the wrong link could compromise the entire organization.
“Indeed, some retailers may have already been exploited – ransomware is often left untriggered until a specific time. In this instance, hackers might hold off until they can do maximum damage – for example early morning on Black Friday. By holding off, the impact of the attack doubles: a retailer’s entire operation has been shut down on the most profitable day of the year, all while being held to ransom.
“To avoid this, retailers need to ensure cyber resilience – with technology solutions in place that can quickly and effectively provide recovery after an attack. Once you’ve been compromised, prevention is no longer a viable protection strategy. The best way to respond is to be able to quickly recover your data, without paying a ransom, and get your organization up and running as swiftly and painlessly as possible.”
Keeping an eye out
Rishi Lodhia, Managing Director EMEA at Eagle Eye Networks, points out that, despite store closures up and down the country, retailers must sill protect themselves against theft:
“This year’s Black Friday event will be a very different affair. Research has shown that over 11,000 chain store outlets shut between January and June. For those that remain, the six week period that runs up to Christmas will be make or break as a significant part of their revenue will come during this period.
“As part of the preparation for the busiest trading season of the year, retailers should ensure they have the right security measures in place to minimise the risk of falling foul not only of dishonest shoppers but staff members too. After all, although shoplifting from customers makes the headlines most often, employee theft accounts for nearly half of all retail loss.”
Keep on keepin’ on
Although Black Friday may not have quite the usual excitement for shoppers this year, it is vital that retailers don’t let this curbed enthusiasm detract from the importance of maintaining watertight cyber security. Now is the time to prepare and make this festive period exactly that: festive.