Retailers' new holiday jingle must hit cybersecurity high points to help survive the season. Forget Dasher and Dancer — add SAST and DAST to app testing; manage third-party risks; and use MFA along with training and proper authentication to secure credentials.

Jordan Mauriello, Chief Security Officer, Critical Start

November 1, 2022


As the holidays creep around the corner, consumers and retailers aren't the only ones gearing up for the season. Cybercriminals are right on their tail. It's no secret that major consumer holidays — from Amazon Prime Day to the end-of-year holiday sprint — are big targets for threat actors. Projections for this year's Black Friday show online spending reaching $13 billion.

That's a lucrative opportunity for bad actors.

This year, retailers are already facing inflation, an impending recession, and looming data privacy legislation. They simply cannot afford a $4.35 million breach.

Limited Security Ho-Ho-Ho This Year?

Retailers must keep their security posture top of mind. That means implementing effective detection and response; finding vulnerabilities before the retail change freezes occur that mark this time of year; managing third-party risks; and making sure employees get the training they need.

It's common for retailers to implement hard change freezes one to two months before the holiday rush through the second or third week of January. This prevents any major system changes (which affect consumer experiences) from being implemented during the busiest and most-important sales days of the year.

In the weeks leading up to the hard change freeze, developers are often trying to squeeze in one last change of code or infrastructure. This rush before the deadline can sometimes include errors, leaving unpatched and untested systems vulnerable to attacks. Cybercriminals are all too familiar with these hard change freeze seasons, and often time their attacks during this window.

Running static and dynamic application security tests (SAST and DAST) as part of a regular app-testing program is the best way to identify vulnerabilities before the annual code freeze. The two tests examine an application from different sides. SAST analyzes the source code itself for flaws such as SQL injection, while DAST probes the running application from the outside to find weaknesses that bad actors can exploit.

Retailers should focus testing on critical and high-traffic applications such as payment gateways, input fields, and even core Web code.
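To make the SAST half concrete, here is an added example (not code from the original article) of the kind of check a static analyzer performs: it parses Python source and flags database execute() calls whose query text is assembled at runtime (concatenation, %-formatting, f-strings or .format), the SQL injection pattern the text mentions, while a parameterized query passes. The sample source and the function names in it are constructed for this illustration.

```python
import ast

# Constructed sample input: three lookups, the first two build the query from
# user input (what SAST should flag), the third binds it as a parameter.
SAMPLE_SOURCE = '''
def find_order_unsafe(cursor, order_id):
    cursor.execute("SELECT * FROM orders WHERE id = " + order_id)

def find_order_fmt(cursor, order_id):
    cursor.execute(f"SELECT * FROM orders WHERE id = {order_id}")

def find_order_safe(cursor, order_id):
    cursor.execute("SELECT * FROM orders WHERE id = %s", (order_id,))
'''

# Method names treated as SQL execution sinks (DB-API style cursors).
SINK_NAMES = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node):
    """True if the expression builds its string at runtime from other values."""
    if isinstance(node, ast.JoinedStr):  # f-string with at least one {expr}
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True  # "..." + x  or  "..." % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"  # "...".format(x)
    return False


class SqlSinkChecker(ast.NodeVisitor):
    """Walks the AST and records sink calls that receive a dynamic query string."""

    def __init__(self):
        self.findings = []
        self._func = "<module>"

    def visit_FunctionDef(self, node):
        outer, self._func = self._func, node.name  # track enclosing function
        self.generic_visit(node)
        self._func = outer

    def visit_Call(self, node):
        if (isinstance(node.func, ast.Attribute) and node.func.attr in SINK_NAMES
                and node.args and _is_dynamic_string(node.args[0])):
            self.findings.append((self._func, node.lineno))
        self.generic_visit(node)


def find_sqli_sinks(source):
    """Return (function name, line) for each flagged query; empty list if clean."""
    checker = SqlSinkChecker()
    checker.visit(ast.parse(source))
    return checker.findings
```

Running find_sqli_sinks(SAMPLE_SOURCE) reports the concatenated and f-string queries and stays silent on the parameterized one, which is the distinction a real SAST rule draws.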

Keeping an Eye on Third-Party Vendors

Earlier this year, auto manufacturer Toyota halted its production after a plastic and electronics supplier was hit with a cyberattack. The suspended production cost the company roughly 13,000 cars. While the loss of production might seem costly, it's a small price to pay compared with an actual breach.

This shows that third-party risk management (TPRM) remains an underserved area in security for many organizations, and retailers must still prioritize TPRM and learn from the case study.

TPRM and vendor risk management questionnaires help assess the security posture of partnered organizations. Many enterprise-level surveys have up to 1,000 questions, but the primary areas that should be addressed are: information security, data center security, Web application security, infrastructure protection, and security controls and technology.

While retailers regularly run tests on their own code, including its third-party integrations, that testing doesn't extend beyond the boundaries of their own networks. Retailers should require their vendors to run full code-penetration testing on a biannual basis and nightly testing whenever their partners update or change code.

Maintaining Security Training Despite the Revolving Door of Talent

Training is undoubtedly the hardest part for retailers. The Great Resignation has forced companies to re-evaluate their training and onboarding processes, with cybersecurity being a small component of it. However, 82% of breaches analyzed by Verizon's "Data Breach Investigations Report" involved a human element. This makes employee training more important than ever.

Established retailers likely have some sort of cybersecurity awareness program in place. But they can (and should) expand upon that. When cybersecurity teams identify gaps from penetration testing, they can share those findings with employees and explain how those vulnerabilities can be manipulated. This level of transparency helps employees understand their role in protecting the enterprise and consumers' data.

Password Security Paramount

And last, but definitely not least, in the employee program: passwords. Password security is still a core problem leading to, or playing a key role in, a staggering number of the data breaches that occur today. Stolen credentials are one of the easiest ways for threat actors to gain access to information. Compromised credentials are the cause of 19% of data breaches. The sad part is that 45% of consumers don't view password sharing as a serious issue. Retailers should reinforce the priority of good password hygiene, but, just as important, they should be implementing multifactor authentication (MFA) everywhere and anywhere it is possible.

Many retailers have already started holiday sales to get ahead of inflation and staffing concerns. But they mustn't forget about their security posture in this rush to the year's end. Organizations must make cybersecurity a priority as important as driving sales by incorporating SAST and DAST in their app testing; monitoring and managing third-party risks; and securing credentials through training and proper authentication using MFA.

About the Author(s)

Jordan Mauriello

Chief Security Officer, Critical Start

Jordan Mauriello is chief security officer at Critical Start. With a diverse background ranging from penetration testing and malware reverse engineering to physical security, executive protection and training, Jordan possesses a unique understanding of the impact of information security. His technical expertise includes security event monitoring and correlation, content and rule development for SIEM tools, vulnerability research, and penetration testing.

Jordan spent four years in the US Navy, including deployments in support of Operation Iraqi Freedom and Enduring Freedom. He also worked at the Department of Defense, again deploying in support of our current operations in the Middle East. Following his military and government positions, Jordan moved to the private sector and spent eight years at Experian Information Solutions helping to build and lead the Global Security Operations Organization.
