Black Friday (25th Nov) and Cyber Monday (28th Nov) are two of the biggest shopping days of the year which means fraudsters will be hard at work. Cybercrime prevention company ThreatMetrix is predicting 6.5 million cyber attacks on UK retailers this week.
So how retailers prepare for the likely surge in cyber attacks this Black Friday? IT security experts from Redscan, AlienVault and Lieberman Software commented below.
Leon Pinkney, SOC Services Director at Redscan:
“Preparation for the busiest trading time of the year requires planning all year round. Retailers that fail to prioritise network management and regularly assess cyber defences leave themselves overly exposed to outside risks.
To avoid any unpleasant surprises, planning for key events like Black Monday should form part of a comprehensive risk strategy. By reviewing fundamental cyber security controls recommend as part of schemes like PCI DSS and Cyber Essentials, plus conducting regular network and penetration testing, retailers can help to ensure that critical business periods do not end in financial and reputational disaster.”
Javvad Malik, Security Advocate at AlienVault:
“It is often said, that a DDoS attack is indistinguishable from a very effective and successful marketing campaign. What I mean by that is that having 10,000 legitimate customers hitting a website will have a similar impact as a DDoS attack, except the customers are genuine. Therefore, similar measures can help prepare for the onslaught of traffic. These can include spinning up extra cloud instances or temporarily upgrading the infrastructure to deal with the larger volumes.”
It’s difficult to prepare on short notice against potential hacks and attacks during busy periods. These measures should be factored into the architecture in advance. However, it’s worthwhile keeping a finger on the pulse of the latest attack vectors via threat intelligence updates. These can indicate what kind of attack techniques are being favoured so preventative and detective controls can be put in place. For example, if passwords from previous hacks are being reused against other sites, controls should be setup to monitor and flag such activity that looks like it is doing this.”
Having an incident response and crisis management plan is crucial for all companies to have, this is even more important during high traffic periods. Things to consider, but not an exhaustive list include, having backups, regularly checking the integrity of hardware such as point of sale terminals, having fallback processes such as telephone support, or offline transactions in the event that online systems are unavailable.”
Security doesn’t exist in isolation for businesses. While it is there to prevent successful cyber-attacks, detect intrusions, and respond to attacks, there is a whole ecosystem of partners, suppliers, manufacturers, financial institutes, and customers that all come together to enhance security. So beyond their own systems, enterprises should be evaluating all avenues and ensuring there aren’t any glaring weak links in the chain.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Cybercrime is a business. While early cybercrime pros went after the big targets in finance and other G2K firms, the new players are choosing the next level down and that certainly includes bigger retail outfits. If we all want to be protected, then we all need to participate in protecting ourselves. So much of it comes down to protecting the log in process.
Neither the user nor the retailers can overcome zero day attacks that may steal data in a big breach – that’s down to technology suppliers. But, like in the recent Deliveroo attack, when an attacker shows up with a password from a totally separate breach that works on your site, then you’re defenceless because they’re coming in with what appears to be a legitimate path. The user can prevent this by using unique passwords for different services – or at least doing so for any service that may financially impact them.
The retailer could also increase the security by adding things like multi-factor or two-step authentication, which would render this sort of stolen password attack meaningless. And the user would have to start thinking in terms where that sort of extra step isn’t a burden but a pleasure since they should know it’s for their own good.”