Peak online shopping season is upon us, here is how retailers can stay safe

Companies need to be proactive to stay ahead of a potentially costly cyber-attack.

By Stephen Bowes, BSI

We are about to head into the online traffic peaks of the year as Black Friday and Cyber Monday attract shoppers looking for offers in the lead-up to Christmas.

While online retailers focus on driving sales and customer service, and the volume of data transactions heightens, many cyber-attackers are monitoring for opportunities.

Attackers can go unseen during this time, and if an attack takes place it can have a direct impact on finances and on a company’s reputation.

While many e-commerce sites focus on protecting their brand and customers from risks, those with minimal cybersecurity can see the risks increase.

Current cybersecurity risks to be aware of include VEC, or vendor email compromise: attacks where fraudsters use hacked business email accounts belonging to reputable vendors either to place large orders of products with their suppliers or to request payments, resulting in financial losses.

Other risks include data breaches; the duplication of retailer websites or social media platforms using similarly worded domain names; failing to update critical software; failing to set complex passwords; and failing to employ additional authentication factors, all of which give attacks an increased chance of success.

There is plenty that businesses can do to strengthen their cybersecurity posture this holiday season. 

Proactive steps

One thing businesses can do is secure online connections for customers. Personal data shared by customers must be protected in transit and at rest, and the website must show shoppers that it is protected. Symbols such as the Secure Digital Transactions Kitemark or the closed padlock symbol can help shoppers confirm that a website has security in place for online purchases.

Companies should also verify emails from vendors and monitor for suspicious purchasing. VEC attacks are prominent at this time of year and can result in significant losses to businesses if detected too late.

Any emails with significant purchase quantities, repeat purchase requests, immediate time frames or a high purchase value should be monitored closely, and the buyer’s details and authentication should be verified before the order is placed or the payment released.
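The checks described above can be turned into a simple triage rule set that runs over inbound purchase and payment requests. The following Python is an added example, not code from the article or from BSI; the vendor baseline, domains, account references and sample requests are all constructed placeholders, and the thresholds (three times the vendor’s typical quantity or value, a seven-day repeat window, delivery within one day) are assumptions rather than figures from the article. Any request that trips a rule is held for verification over a known phone number rather than by replying to the email.

```python
"""Rule-based triage of inbound vendor purchase and payment requests for VEC warning signs.

Each request is compared with a per-vendor baseline; any request that trips a rule is
held for out-of-band verification (for example a phone call to a known contact at the
vendor) before an order is placed or a payment is released.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed baseline for a known vendor: placeholder domain and account reference, not real data.
VENDOR_BASELINE = {
    "Acme Supplies": {
        "email_domain": "acme-supplies.example",
        "typical_quantity": 200,
        "typical_value": 8_000.00,
        "bank_account": "ACCT-ACME-0001",
    },
}

# Assumed multiplier over the vendor's typical quantity/value above which a request is flagged.
UNUSUAL_FACTOR = 3
# Assumed window: two requests from the same vendor inside it count as a repeat request.
REPEAT_WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class PurchaseRequest:
    request_id: str
    vendor: str
    sender_domain: str   # domain of the email address the request arrived from
    quantity: int
    total_value: float
    received: date
    delivery_days: int   # how soon the sender wants goods shipped or funds sent
    bank_account: str    # account the sender asks to be paid into


def triage(req: PurchaseRequest, history: list[PurchaseRequest],
           baseline: dict = VENDOR_BASELINE) -> list[str]:
    """Return the VEC indicators raised by one request; an empty list means nothing unusual."""
    profile = baseline.get(req.vendor)
    if profile is None:
        return ["unknown-vendor"]
    flags = []
    if req.sender_domain.lower() != profile["email_domain"]:
        flags.append("sender-domain-mismatch")
    if req.quantity >= UNUSUAL_FACTOR * profile["typical_quantity"]:
        flags.append("unusual-quantity")
    if req.total_value >= UNUSUAL_FACTOR * profile["typical_value"]:
        flags.append("high-value")
    if req.bank_account != profile["bank_account"]:
        flags.append("payment-details-changed")
    if req.delivery_days <= 1:
        flags.append("urgent-timeframe")
    # Repeat request: another request from the same vendor within the window before this one.
    earliest = req.received - REPEAT_WINDOW
    if any(h.vendor == req.vendor and h.request_id != req.request_id
           and earliest <= h.received <= req.received for h in history):
        flags.append("repeat-request")
    return flags


def needs_verification(flags: list[str]) -> bool:
    """Any indicator at all means the request is held until verified out of band."""
    return bool(flags)


# Constructed sample traffic: one routine order and one that shows several warning signs.
SAMPLE_REQUESTS = [
    PurchaseRequest("PO-1001", "Acme Supplies", "acme-supplies.example",
                    180, 7_200.00, date(2024, 11, 20), 10, "ACCT-ACME-0001"),
    PurchaseRequest("PO-1002", "Acme Supplies", "acme-supplies.example",
                    900, 36_000.00, date(2024, 11, 25), 1, "ACCT-NEW-9999"),
]


def triage_all(requests: list[PurchaseRequest] = SAMPLE_REQUESTS) -> dict[str, list[str]]:
    """Map each request id to its list of indicators."""
    return {r.request_id: triage(r, requests) for r in requests}


if __name__ == "__main__":
    for request_id, flags in triage_all().items():
        status = "HOLD for verification" if needs_verification(flags) else "ok"
        print(f"{request_id}: {status} {flags}")
```

The second sample request is held on five counts, including a changed bank account, which is the indicator most worth treating as a hard stop: a genuine change of payment details is rare enough that confirming it by phone with a known contact costs little, while paying into an attacker’s account is not recoverable.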

Businesses should also comply with personal data transparency and third-party use rules. Under current legislation and compliance requirements, it is vital that websites are transparent about the personal data collected and why it is being collected.

This builds trust, demonstrates compliance and shows that data protection is taken seriously. It is important that customers can actively ‘opt in’ to receive any information and that they are given a clear, distinct choice about how they are contacted.

Cheap isn’t necessarily the most secure

Retailers also need to be mindful of cloud security. The cheapest cloud storage services aren’t necessarily the most secure.

Check, as part of your supply chain onboarding process, that a service provider has the appropriate security measures in place, to minimise potential breaches.

Businesses should also use the latest software and update their hardware. Don’t ignore notifications advising of software updates on infrastructure devices. IT and mobile equipment, applications and systems should be patched and updated using automation where possible.

Implementing an internal security policy is also an important step. Provide appropriate staff training to ensure everyone is aware of the steps required, including new staff recruited to cover the Christmas period.

Businesses should also limit team access to customers’ data records and keep up-to-date records of users’ access to applications, computers and networks.

Security posture

It may sound simple, but businesses should set complex passwords. When setting user, system or API passwords or ‘passphrases’, include a mix of uppercase and lowercase letters, numbers and symbols, combined with a relatively long minimum length, and do not reuse them on other platforms.
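The policy above is straightforward to enforce at the point where a password is set. The following Python is an added example, not code from the article or from BSI. It assumes a 14-character minimum (the article says only “relatively long”) and checks reuse against a set of SHA-256 digests of passwords already in use on other platforms, so the comparison set never holds plaintext; the sample digests are computed inline from constructed values. An unsalted digest is adequate for an in-memory comparison set like this, but it is not how stored credentials should be hashed.

```python
"""Checks a candidate password or passphrase against the policy described above:
mixed case, digits and symbols, a long minimum length, and no reuse across platforms.
"""
import hashlib
import string

MIN_LENGTH = 14  # assumed policy minimum; the article asks only for "relatively long"


def digest(password: str) -> str:
    """SHA-256 of the password, used only so the reuse set holds no plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed: digests of passwords this organisation already uses on other platforms.
REUSED_DIGESTS = {digest("Winter2023!Sale"), digest("correct horse battery staple")}


def check_password(candidate: str, reused: set = REUSED_DIGESTS,
                   min_length: int = MIN_LENGTH) -> list:
    """Return the list of policy rules the candidate fails; an empty list means it is acceptable."""
    failures = []
    if len(candidate) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in candidate):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        failures.append("no symbol")
    if digest(candidate) in reused:
        failures.append("already used on another platform")
    return failures


def is_acceptable(candidate: str) -> bool:
    """True when the candidate passes every rule."""
    return not check_password(candidate)


if __name__ == "__main__":
    # Constructed sample candidates, from clearly inadequate to acceptable.
    for sample in ("Tr0ub4dor&3", "kestrelharbourlantern", "Winter2023!Sale",
                   "Kestrel-Harbour-42-Lantern"):
        print(f"{sample!r}: {check_password(sample) or 'acceptable'}")
```

Returning the full list of failures, rather than stopping at the first, lets the sign-up form tell the user everything that needs fixing in one go; the reuse check is the one rule a user cannot see coming, so it should be explained when it fires.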

Additionally, consider using an identity provider to supply advanced features such as password managers, single sign-on and multi-factor authentication.

Businesses should also look to select an e-commerce hosting service with good resilience; this ensures that in the event of an attack the service can be restored quickly, reducing the impact on the business. Check that your service provider also has the scalability to manage peak traffic to the website.

Businesses should also proactively monitor for duplicate websites and social media accounts. Ensure that online checks are carried out regularly for any fraudulent websites or social media accounts purporting to be your business.

If you find any, gather information, contact the operator, alert customers, and contact the relevant service provider if there is no response.
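Regular checks for look-alike domains can be partly automated by comparing observed domain names with the legitimate one. The following Python is an added example, not code from the article or from BSI. The legitimate domain and the list of observed domains are constructed placeholders (in practice the list would come from certificate-transparency logs, newly registered domain feeds or customer reports), the homoglyph table covers only a handful of common substitutions, and the edit-distance threshold of 2 is an assumption. It goes slightly beyond the article by separating the cases a reviewer would handle differently: the same name on another top-level domain, a homoglyph imitation, a typo, and the brand embedded in a longer name.

```python
"""Flags observed domain names that look like a retailer's legitimate domain.

Labels are compared after folding common look-alike substitutions, then by edit
distance, then by whether the brand label is embedded in a longer name.
"""
from __future__ import annotations

# Character substitutions commonly used to imitate a name. Multi-character keys come
# first so that "rn" folds to "m" before single characters are touched.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

MAX_TYPO_DISTANCE = 2  # assumed threshold for treating a near miss as typo-squatting


def fold(label: str) -> str:
    """Lower-case a label and collapse look-alike sequences to the letters they imitate."""
    s = label.lower()
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) by row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(domain: str) -> str:
    """Leftmost label of the domain; assumes names of the simple form label.tld."""
    return domain.lower().split(".")[0]


def classify(candidate: str, legitimate: str) -> str:
    """Describe how a candidate domain relates to the legitimate one."""
    cand, legit = candidate.lower(), legitimate.lower()
    if cand == legit:
        return "legitimate"
    cand_label, legit_label = brand_label(cand), brand_label(legit)
    if cand_label == legit_label:
        return "same-name-other-tld"
    folded_cand, folded_legit = fold(cand_label), fold(legit_label)
    if folded_cand == folded_legit:
        return "homoglyph"
    if levenshtein(folded_cand, folded_legit) <= MAX_TYPO_DISTANCE:
        return "typo-squat"
    if folded_legit in folded_cand:
        return "brand-embedded"
    return "unrelated"


LEGITIMATE_DOMAIN = "shop-example.ie"  # placeholder for the retailer's real domain

# Constructed observations, as a monitoring feed might surface them.
OBSERVED_DOMAINS = [
    "shop-example.ie",
    "shop-example.com",
    "sh0p-example.ie",
    "shop-exampel.ie",
    "shop-example-blackfriday.com",
    "example-hardware.ie",
]


def scan(observed: list[str] = OBSERVED_DOMAINS,
         legitimate: str = LEGITIMATE_DOMAIN) -> dict[str, str]:
    """Classify every observed domain; anything not 'legitimate' or 'unrelated' merits review."""
    return {d: classify(d, legitimate) for d in observed}


def suspicious(observed: list[str] = OBSERVED_DOMAINS,
               legitimate: str = LEGITIMATE_DOMAIN) -> list[str]:
    """The observed domains that should be looked at by a person."""
    return [d for d, verdict in scan(observed, legitimate).items()
            if verdict not in ("legitimate", "unrelated")]


if __name__ == "__main__":
    for domain, verdict in scan().items():
        print(f"{domain:32} {verdict}")
```

A hit from this scan is only the starting point for the steps the article lists: a same-name-other-tld result may be an unregistered domain the retailer should simply buy, while a homoglyph or brand-embedded registration that is actively serving a copy of the site is the case to document, report and warn customers about.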

It is also important that your online payment systems are secure. Choose a payment processor that fits the website’s business and that prioritises security.

Make sure the website is PCI compliant and carry out regular vulnerability checks. Add additional checks for users, such as verification systems like CVV2 or AVS, to help prevent fraud.

By following these steps, a retailer’s online security posture will be strengthened, and the risk of a threat will be reduced.

Being proactive not only ensures a positive customer experience but will also improve information resilience and allow organisations to anticipate potential threats during a time of year when we need to be extra vigilant.

Stephen Bowes is head of technology (cybersecurity and information resilience services) at BSI.
