This is the time of year when savvy cyber criminals see an opportunity. Last year, the Carbon Black Threat Analysis Unit reported that organisations saw a 20.5 percent increase in attempted cyber attacks between November and December 2016. This seasonal period is a goldmine for the latest generation of hackers to steal customer credentials, and it can also cause damage to a retailer’s reputation.
With Cyber Monday taking place today, Black Friday last week and festive shopping throughout the coming weeks, this is the first year the National Cyber Security Centre, part of the GCHQ intelligence service, has formally warned consumers about the threat which comes with these discount days – reflecting a significant uptick in the threat to consumers and businesses alike.
So, how can retailers safeguard themselves against cyber-attack this Cyber Monday and beyond?
Privileged access management must take centre stage
In order to beat the competition and incentivise consumers to come in store, many bricks and mortar retailers will increasingly be offering a digitised ‘retail theatre’ experience. Moreover, online retailers will expand their offerings. Privileged access security has to protect both the front-end devices, such as tills, and the back-end IT infrastructure. The Internet of Things (IoT) and rapid adoption of cloud services are bringing a whole new threat landscape to the shopping and sales experience. In-store retailers are increasingly looking to mirror the ‘Amazon effect’ in their shops, where customers can use phones as coupons to pay or whereby sensors and smart beacon technologies can predict whether a shopper is going to make a certain purchase or not. With a greater proliferation of devices and indeed data now stored in a physical shop, there are more ‘ways in’ for hackers to infiltrate the network.
For online retailers, the challenge remains to stay one step ahead when it comes to protecting customer data and keeping web properties up and running. To stay secure this festive season, retailers need to invest in privileged access security. This goes a step above typical perimeter defences: it gives retailers the ability to monitor, recognise and lock down activity that could affect site uptime or lead to data exfiltration.
This doesn’t need to be a burdensome challenge and can be broken down into simple stages. Firstly, retailers must look to eliminate irreversible network takeover attacks as best as they can. Secondly, it is essential that on-premise cloud infrastructure accounts are controlled and secured. To do this, retailers must vault all critical infrastructure accounts and automatically rotate passwords periodically after every use.
Undertaking all of the above is of escalating importance, especially in the online retail sector where brands are entrusted to store more data such as credit card details and addresses. Finally, retailers should look to learn from other sectors. Many businesses across a range of industries from banking to manufacturing are hiring a team of ethical hackers or red teams to regularly test critical systems. To protect from hackers, you have to think like one.
These tactics have to be top of mind if retailers want to stay one step ahead and keep critical customer data safe this Cyber Monday, and beyond.
It’s all about education
Before new privileged access security measures are implemented, however, education has to take place, for both retailers and consumers looking for the best deals.
Our own findings from CyberArk’s annual Threat Landscape report revealed that only 39% of IT decision makers working in retail would reward employees who helped to prevent a security breach in 2018. This lags behind IT & telecoms at 62% and healthcare at 42%. Clearly, this sector has to innovate and learn how to incentivise a culture of cyber security best practice. Brand reputation and retaining a solid customer base depend on it.
How can this be changed? Typically, the retail sector has lagged behind other sectors, as it often employs IT contractors rather than in-house staff to be upskilled and trained in cyber security best practice. The fight against cyber-attacks has to involve all employees, right from the staff on the shop floor (who are now interacting with more analytics-based technology than ever before) through to the chief technology officers behind major online brands. Basic training in ‘cyber hygiene’ principles is a must to ensure that all employees are equipped to deal with cyber-attacks before they happen and not let malicious hackers into the network.
A greater understanding of ‘cyber hygiene’ can also be applied to shoppers this Cyber Monday. Many fall victim to phishing scams. Emails or ads that look like they are from their favourite retailers may actually lead through to malicious websites or fake domains. If a deal looks too good to be true, the chances are it is. Consumers should think twice about saving their credit card details on a site. As criminals look to hack many retailers this Cyber Monday and throughout the festive period, it is safer in many instances to not save sensitive details.
Feeling the benefit of festive cheer
Unfortunately, hacks on retailers are commonplace. It is not a question of ‘if’ but ‘when’. In the run-up to Christmas, retailers have a huge opportunity to engage with customers and boost profits – but they must ensure that they have taken every measure possible to safeguard against cyber-attacks in the process. Quick and convenient deals to bring in the customers should not be at the expense of security or good cyber hygiene, and a failure to protect customers from the cyber threat has the potential to cause reputational damage far beyond the festive period.
With the threat of fines for those that get successfully targeted, it makes sense to get ahead of the threat rather than see profits from discount days wiped out by an opportunist hacker. Let’s not forget, the festive period is one spike for retailers, but good cyber hygiene is a year-round commitment. This year, it’s up to businesses and consumers alike to stay smart when shopping to maintain festive cheer into December and beyond.
David Higgins, director of customer development, CyberArk