[BreachExchange] Taking a Neighborhood Watch Approach to Retail Cybersecurity

Tue Jan 5 10:43:41 EST 2021

https://threatpost.com/neighborhood-watch-retail-cybersecurity/162653/

Bugcrowd CTO Casey Ellis covers new cybersecurity challenges for
online retailers.

Every year retailers face a heightened level of risk during the online
holiday shopping season. COVID-19 drastically shifted consumer buying
behaviors, forcing retailers to accelerate digital transformation
efforts to support an exponentially higher number of online
transactions. Projected U.S. e-commerce sales will hit close to $710
billion in 2020, the largest jump in a single year. To adapt to the
online shopping increase, many retailers have had to take new systems
online faster than planned— and therefore not necessarily with enough
time to test— to accommodate an all-time high in online transactions.

Speed is the natural enemy of security. When vendors rush things to
production without proper testing, security blind spots are more
likely to occur, creating the perfect opportunity for cyberattacks.

Adopting a “neighborhood watch” approach to security by inviting the
global network of security researchers to proactively hunt for and
disclose vulnerabilities before cybercriminals can exploit them
improves retailer security and consumer confidence.

What’s in Store this Online Holiday Shopping Season

Over time, consumers have been evolving to shop predominantly online
around the holiday season more often than in stores. Black Friday 2019
saw nearly 20 million more online shoppers than in-person in the U.S.
However, retailers are emphasizing online sales more than ever before
amid the pandemic. This year’s holiday-buying season kicked off
earlier than usual, with Black Friday sales in advance of the
traditional start of the day after Thanksgiving. The 2020 Amazon Prime
Day sales, which was declared the ‘unofficial’ start to holiday
shopping, surpassed last year’s numbers by 45.2 percent.

 Retailers Must Account for Heightened Levels of Risk

Even before this year’s holiday shopping season, retailers have seen a
massive increase in online shopper numbers throughout 2020.

A full 62 percent of U.S. shoppers say they shopped more online this
year than before the pandemic. And 36 percent of U.S. consumers now
shop online weekly, up from 28 percent before the pandemic. To account
for this increased number of online interactions, many retailers
innovated in near real-time to meet customer demand and build new
systems in a hurry that can manage more transactions than before.

Systems built in a hurry are much more likely to have unintended
consequences. As retailer developers work to innovate, they often
unknowingly leave development systems and data exposed on the internet
that should otherwise be behind closed doors. If attackers can view
source code, they can then analyze it at a granular level. Alongside
this, the sudden transition to “work from home” earlier this year
forced similar changes to development practices, allowing attackers to
siphon off API keys, corporate credentials and large databases of
customers’ information.

Additionally, thanks to COVID-19, retailers now must worry about their
own employees’ homes as an extension of their enterprise attack
surface. Attackers can have a field day compromising remote workers
through their insecure home automation technology, smart appliances,
and more. They can then move laterally to the corporate network if the
proper protections are not in place.

 Enter Neighborhood Watch Security

Even though unprecedented risks await retailers this holiday shopping
season, they can still take steps to level the security playing field
against adversaries by engaging the assistance of a global network of
talented security researchers and employing a neighborhood watch
security approach as part of their security program. To engage
security researchers, retailers should start by creating a
vulnerability disclosure program (VDP) and then progress towards a
public bug-bounty program. These programs invite researchers to test
retailers’ infrastructure and share security feedback, giving
retailers a continuous “attackers-eye view” of their attack surface.

By establishing VDPs and considering progressing to a bug-bounty
program, retailers can ensure and transparently assert that they are
doing everything possible to safeguard their consumers’ security. In
turn, consumers can have the confidence that their data is out of
harm’s way and respond by choosing to shop at stores they feel are the
safest.