7 Holiday Security Tips for Retailers
It's the most wonderful time of the year – and hackers are ready to pounce. Here's how to prevent them from wreaking holiday havoc.
Black Friday and Cyber Monday are at hand, which means retailers have been working extra hard behind the scenes to ensure their websites and security-savvy customers are well-protected from the cyber Grinches.
Indeed, 50% of 2,011 US consumers recently surveyed by Sophos said they are very concerned about getting hacked and would not buy from a retailer that has been in the news for not protecting personal information either online or in-store. Another 32% said they are somewhat concerned and would consider an alternative company to buy from instead.
"First and foremost, retailers have to help their customers not become victims," says Chet Wisniewski, principal research scientist at Sophos. "They have to understand that there are criminals out there trying to impersonate their company."
What can retailers do to keep their customers and themselves safe this holiday season? For the answers, we turned to Wisniewski, along with Russell Schrader, executive director of the National Cyber Security Alliance, and Adam Isles, a principal at The Chertoff Group.
Sophos' Wisniewski says retailers should not send promotions via email with links. Instead, they should invite customers to log onto retailer.com/blackfridaydeal and give them a numerical customer code to enter on the website. With the code, customers can be assured it's a safe website and that the promotion really is from the store they hope to buy the item from.
Retailers should learn from the 2011 attack on Sony, when its PlayStation network was hit with a distributed denial-of-service (DDoS) attack, Sophos' Wisniewski advises. In response, Sony focused the bulk of its resources on the DDoS attack while the hackers gained access to the personal details of millions of customers. Also, keep in mind that hackers will prey on retailers during the holidays, knowing they could be working with skeleton staffs. Retailers shouldn't scrimp on tech staff during this period: They might need one part of their team to focus on a DDoS while the other looks into whether a broader breach has occurred.
Hackers would much rather disrupt or take down a retailer via a DDoS than a more sophisticated cyberattack, Sophos' Wisniewski says. At least for the holiday season, he says, retailers should purchase a tier 2 or tier 3 service from their providers. Having only tier 1 may mean a retailer does not receive the level of service it needs in the event of a DDoS attack. Retailers also need to ask their third-party suppliers and business partners whether they have ample coverage for a DDoS attack, adds Adam Isles, a principal at The Chertoff Group. A retailer can have the best DDoS coverage, but it will all break down if important members of the supply chain don't have the same level of service.
Major US retailers have come a long way in the past few years by locking down their point-of-sale (PoS) systems with chip and PIN. However, Sophos' Wisniewski says retailers still have to physically secure all of their terminals so criminals don't slip skimmers onto the PoS displays. He says he has seen situations where criminals put the skimmers on the drive-through payment terminals at fast-food restaurants. So retailers have to be vigilant at every corner of the store, especially in areas where cash registers are not located in the front.
Seasonal workers should only have access to what they need to do their jobs, as well as only limited access to any databases, says the National Cyber Security Alliance's Schrader. Retailers also should pay attention to offboarding seasonal workers after the holidays, he says. Most focus on onboarding, but hackers prey on those that don't end their employment properly. The Chertoff Group's Isles adds that seasonal workers really shouldn't have access to email or Web browsing: Email opens the company up to phishing attacks, and Web browsing is an obvious Pandora's box.
Magecart has become an umbrella term for a group of seven cybercriminal gangs that install digital credit card skimmers onto e-commerce sites. They have been active for several years, but more so of late, with noted incidents reported at British Airways, Ticketmaster, and Newegg. They attack by installing malicious JavaScript on the checkout page and skimming a consumer's credit card information. Sophos' Wisniewski says retailers should make daily checks for signs that someone has tampered with their sites. For example, retailers should check at the end of the day to see whether the site is still the same as it was the last time anything was published. If something has changed and nobody from the company published anything, there could be cause for concern.
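The daily tamper check Wisniewski describes can be automated by fingerprinting every script on the checkout page and comparing today's snapshot against the last published baseline. This is an added example, not code from the article or from Sophos; both HTML snapshots are constructed, and the extra script's host is a placeholder domain.

```python
import hashlib
import re

# Constructed snapshot of the checkout page as it looked after the last release.
BASELINE_HTML = """<html><head>
<script src="/static/js/checkout.js"></script>
<script>window.cfg={currency:"USD"};</script>
</head><body>...</body></html>"""

# Constructed snapshot captured at the end of today: an external script has
# appeared even though nobody on the team published a change.
TODAY_HTML = """<html><head>
<script src="/static/js/checkout.js"></script>
<script>window.cfg={currency:"USD"};</script>
<script src="https://cdn.example-placeholder.invalid/analytics.js"></script>
</head><body>...</body></html>"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)["\']', re.I)


def script_fingerprints(html):
    """Map a SHA-256 of each <script> (its src URL or inline body) to a label.
    Hashing the inline body means a single edited character shows up as a new key."""
    fps = {}
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        label = m.group(1) if m else "inline"
        digest = hashlib.sha256((label + "\n" + body.strip()).encode()).hexdigest()
        fps[digest] = label
    return fps


def diff_scripts(baseline_html, current_html):
    """Return (added, removed) script labels relative to the baseline."""
    base = script_fingerprints(baseline_html)
    cur = script_fingerprints(current_html)
    added = sorted(cur[d] for d in cur.keys() - base.keys())
    removed = sorted(base[d] for d in base.keys() - cur.keys())
    return added, removed


def needs_investigation(baseline_html, current_html, published_today):
    """Flag the day when scripts changed but no release was published."""
    added, removed = diff_scripts(baseline_html, current_html)
    return bool(added or removed) and not published_today


if __name__ == "__main__":
    print(diff_scripts(BASELINE_HTML, TODAY_HTML))
    print(needs_investigation(BASELINE_HTML, TODAY_HTML, published_today=False))
```

In production the baseline would be refreshed from the deployment pipeline each time a release goes out, so that only unexplained changes raise an alert.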
This should be standard practice by now, but retailers need to do continuous testing and have backups ready and waiting for an emergency. For example, if a retailer gets breached and loses significant amounts of data, it will need to produce paper copies of the company's contact lists and asset inventory, The Chertoff Group's Isles points out. A solid backup and disaster recovery plan should be a part of the retailer's overall incident response plan.