[BreachExchange] Both Consumers And Retailers Need To Up Their Cybersecurity To Make Holidays Happy

Destry Winant destry at riskbasedsecurity.com
Thu Nov 15 09:23:54 EST 2018


https://www.forbes.com/sites/taylorarmerding/2018/11/13/both-consumers-and-retailers-need-to-up-their-cybersecurity-to-make-holidays-happy/#14b8863b7a44

Most of the cybersecurity advice leading into the post-Thanksgiving
orgy of shopping known as Black Friday and Cyber Monday has been aimed
at consumers.

Which is fine – all of us can use the reminders, since criminals are
primed to profit from our carelessness or cluelessness about
increasingly sophisticated threats in the online shopping world.

But, obviously, there are two sides to every transaction. If there is
a buyer, there is a seller. And sellers – retailers – could also use
some advice.

The stakes are high for them too. Every recent year has set a new
spending record, and 2018 is expected to do the same. Adobe Analytics
predicts that Cyber Monday will again be the largest- and
fastest-growing online shopping day of the year with a record $7.7
billion in sales – a 17.6 percent increase from $6.6 billion in 2017.

Indeed, that weekend is at the center of the few weeks in the entire
year that many businesses depend on to put them into the black.

But if that’s where the profits are, that’s where the criminals are.
They follow the money. And if an organization is breached and/or its
customers’ data are compromised, the potential damages are by now well
known but worth repeating: Erosion of brand and reputation, lost
sales, decline in market value, possible lawsuits and possible
sanctions for compliance violations.

Not to mention the raw cost of responding to the breach, eradicating
malware, rebuilding files from a ransomware attack (or paying the
ransom) and restoring normal operations can easily run into the
millions.

Not the kind of thing any business wants to be coping with during a
make-or-break time of year.

So, if you’re a retailer, what should you be doing?

Actually, Steve Giguere, sales engineer with the Synopsys Software
Integrity Group, says it’s what you should already have been doing.

“If you’re looking for last-minute suggestions on building secure
software and haven’t yet got early-stage threat modeling and
architectural risk analysis followed by some automation to check code
as developers create it, you may be in trouble this late in the game,”
he said. “But those are great suggestions for next year.”

Still, better to start than to rely on hope that you’re not a target.
You are – just like everybody else.

And there are things you should be doing, both so your infrastructure
doesn’t get overwhelmed by the shopping onslaught, and so you secure
both your organization and your customers.

They include:

- Be ready to ramp up. It’s obvious that if you’re not ready to sell
more, customers can’t buy more. So, you need “highly available and
rock-solid systems to deal with what has become a predictable yet
simultaneously overwhelming demand,” said Nick Murison, managing
consultant at Synopsys. And not just with underlying IT
infrastructure. “Retailers also need to ensure their applications can
handle the onslaught, be it their website, their mobile apps or their
in-store payment terminals,” he said.

- Know where you do business and what the compliance requirements are.
The EU’s General Data Protection Regulation (GDPR) is the most famous,
but other countries, and some U.S. states, have their own requirements
about how customer data may be collected, used, stored and protected.
The penalties for violations could wipe out your profits and more.

- Encrypt, encrypt, encrypt. Make sure all customer data, both at rest
and in transit, are protected with robust encryption and a key
management solution that keeps the keys separate from the data they
protect. If you do get breached, the stolen data are useless to an
attacker who does not also obtain the keys, which is why the key
management matters as much as the cipher.

- Secure your corner of the cloud. If you’re in the cloud, you – not
your provider or whatever data security solution you may be using –
are responsible for securing customer data. Review your cloud security
policies and make sure your data security solution can expand to meet
increased demand and gives you sole control of your encryption keys.

- Find vulnerabilities and fix them. Run vulnerability assessments and
manual penetration tests against your devices, systems and platforms.
Set priorities and close the most important gaps first. Remember, you
can’t be bulletproof, but you can make yourself a more difficult
target. Attackers go for the easiest targets.

If there isn’t time to do all that this year, then launch a software
security initiative (SSI) to protect both your own systems and your
customer data well before the next holiday season.

“Poor software security leading to information disclosure of customer
data can now lead to business-altering fines in Europe,” Murison said.
Indeed, fines for failure to comply with GDPR can be as much as 4
percent of annual global turnover or €20 million, whichever is higher.

- Hire an expert data security provider. For companies that don’t have
in-house security experts, “services from Cloudflare and Akamai are
available to mitigate the risks of a DDoS,” Giguere said, adding that
application security tools like WAFs (web application firewalls) and
RASP (runtime application self-protection) also help. “These are no
substitute for security development practices, however,” he said.

- Don’t create “specialist” domains for the holidays. Stick with
"yourcompany.com" rather than creating something like
"yourcompanyBlackFriday.com."

“It’s worth understanding the value of your domain because it will
likely already be whitelisted by newsletter subscribers and previous
shoppers,” Giguere said.

A specialist domain “may not only be for nothing, as many endpoint
security systems will block your marketing efforts, but it also sets a
dangerous precedent for hackers and malicious phishing enthusiasts to
follow,” he said.

- Get past passwords. Move to a system like FIDO (Fast IDentity
Online), in which the credential is a private key that is generated on
and never leaves the user’s device. Your site stores only the matching
public key, so a breach of your user database yields nothing an
attacker can log in with, and the key is scoped to your domain, so a
look-alike phishing site cannot obtain a usable login. Combined with
the local unlock (PIN or biometric) on the device, that gives you
multifactor authentication that is simple and seamless. You can learn
about it from the nonprofit FIDO Alliance.

- Separate your infrastructures. Segment your network so that your POS
(point of sale) infrastructure cannot be reached from your corporate
network or from third-party vendor connections. Unless, of course, you
want to be the next Target, where attackers pivoted from a vendor’s
network access to the payment systems.
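To make the passwordless point above concrete, here is an added example (written for this posting, not code from the article, from Synopsys or from the FIDO Alliance) that models a FIDO-style registration and login in Go. The relying party "shop.example", the user "alice" and the look-alike domain "shop-blackfriday.example" are constructed names, and the signed message is a simplified stand-in for a WebAuthn assertion, which in reality covers authenticatorData together with the hash of clientDataJSON and lets the server check the reported origin. What the example does show is why the model survives a breach: the server table holds only public keys, the authenticator refuses to sign for an origin it was not registered to, and a captured signature does not satisfy a fresh challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. The private key is created here at
// registration, never leaves, and is scoped to exactly one relying party ID.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// RelyingParty models the retailer's site (constructed name "shop.example").
// It stores public keys only, so a dump of this table logs nobody in.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey // username -> registered public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}}
}

// Register generates a P-256 keypair on the device and gives the RP the public half.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = &priv.PublicKey
	return &Authenticator{rpID: rp.ID, priv: priv}, nil
}

// Challenge issues a fresh 32-byte random nonce for one login attempt.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedMessage is a simplified stand-in for a WebAuthn assertion: the hash of
// the RP ID followed by the hash of the client data (origin and challenge).
func signedMessage(rpID, origin string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	h := sha256.Sum256(append(rpHash[:], clientHash[:]...))
	return h[:]
}

// Assert signs the challenge for the origin the browser reports. The device
// refuses any origin other than the RP the key was created for, which is what
// stops a look-alike phishing domain from harvesting a usable login.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	if origin != a.rpID {
		return nil, errors.New("authenticator: credential is not scoped to " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(a.rpID, origin, challenge))
}

// Verify checks the signature against the stored public key and the challenge
// this RP actually issued; a signature over any other challenge (a replay) fails.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	if !ok || len(sig) == 0 {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(rp.ID, rp.ID, challenge), sig)
}

func main() {
	rp := NewRelyingParty("shop.example")
	dev, err := Register(rp, "alice")
	if err != nil {
		panic(err)
	}
	ch, _ := rp.Challenge()
	sig, _ := dev.Assert("shop.example", ch)
	fmt.Println("genuine login verifies:", rp.Verify("alice", ch, sig))

	// The look-alike domain cannot obtain an assertion at all.
	_, err = dev.Assert("shop-blackfriday.example", ch)
	fmt.Println("phishing origin refused:", err != nil)

	// A captured signature does not satisfy the next challenge.
	ch2, _ := rp.Challenge()
	fmt.Println("replayed signature rejected:", !rp.Verify("alice", ch2, sig))
}
```

Run it with `go run .`; the three lines it prints should all read true. A production deployment would use a WebAuthn library and the browser’s navigator.credentials API rather than this model, but the properties it checks are the ones the FIDO bullet relies on.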

Finally, what is the best way for consumers to participate in a
security partnership to keep online transactions legitimate?

Probably the most important is, don’t be in a rush.

Indeed, the advice about how to stay safe online during the mega
shopping season remains pretty much the same from year to year: Don’t
click on unsolicited links. Go to a retailer’s website yourself. Use
two-factor authentication. Don’t re-use passwords.

And most people are, by now, at least generally aware of sketchy
emails or pop-up ads on websites, promising that the best deals ever
on the things you want most are just a click away.

It’s when they’re in a hurry that they click without thinking – and
then fall victim to a list of potential horrors: credit card fraud,
identity theft, ransomware and more.

And the pressure to get the right gift at the “This-day-only!”
discount before it sells out is more than enough to motivate millions
of people to click before they think.

Don’t. You’re likely to find out that there is no great deal for that
great gift, and that the money you had to buy it is gone.


More information about the BreachExchange mailing list