Cyber Grinch Plans for the Holiday Season
Retailers and consumers alike are preparing for yet another Black Friday and Cyber Monday. The shelves are stocked and the credit cards are in hand.
According to an article written by Shira Sagiv of Radware, “E-Commerce sales are expected to reach nearly 80 billion U.S. dollars this holiday season, accounting for 9% ($7.2B) of total U.S. retail sales, according to projections from eMarketer.”
Other than long lines, that perfect gift being sold out and slow page load times, what could possibly go wrong? The truth is that cybercrime exposure for both companies and consumers is significant, especially at this time of year, and you can bet the cyber Grinches will be out in force during this busy retail time.
A SiteLock blog post indicates that two weeks before Black Friday last year, attackers switched attack vectors from SQL injection to password guessing (stealing?), which ended up accounting for half of all attacks. What will they try this year? Based on cybercriminals’ successes throughout 2015, I’m going to bet they stick with acquiring credentials.
What steps can you take, as either the vendor or the consumer, to frustrate the would-be Grinch who would like to steal your holiday joy?
First, you, the consumer:
- Consumers should be on the lookout for improper charges on their credit cards. The increase in spending volume may mask illegitimate charges to your account. Check your statements early and often.
- Beware of phishing messages that propose special offers. According to the Infosecurity Institute, as usual, “cyber criminals attack customers of banks and other financial institutions by asking victims to confirm information related to their account for security purposes. SMiShing, a variant of phishing that exploits Short Message Service (SMS) systems instead of email to send malicious messages, is a growing threat as well.”
- Here’s a creative spin on phishing: beware of invitations to private or company parties that request that you complete a form. Those free hors d’oeuvres may cost you! The Infosecurity Institute advises “E-cards that look legitimate could be used by attackers to serve malware or malicious links to compromised websites.”
- Also according to the Infosecurity Institute, “fake charities are another weapon in the arsenal of cybercriminals. During the holidays, people are willing to donate more than at any other time of year, and cybercriminals take advantage of victims’ generosity.”
As a retailer, your vigilance around the holidays is increasingly important. Here are some twists to think about:
- While your focus may be on outsider threats, you should also be aware of the potential for increased threat from insiders. Employees may be under additional financial strain and turn to monetizing company resources, including data, to make ends meet.
- In addition, because more employees take time off around the holidays, there are fewer IT security staff and managers around to maintain security.
- Another issue around the holidays that businesses will want to consider is that more kids are home from school during the holiday season. This usually means the script kiddies have more time on their hands for hacking. Network defenders should ensure their coverage is adequate. Sure, these kids might think they’re just having fun!
The central message for consumers and businesses alike is this: guard your credentials! Additionally, for businesses, there’s no doubt that cyber Grinches will be more adventurous than ever in trying to gain access to your customer lists and intellectual property. And, as mentioned, don’t overlook insider threats. Access control to on-premises, public or private cloud-based resources should be dynamic and centrally managed, taking user attributes into consideration on a real-time basis before access is allowed. And once access is authorized, users should ideally be able to see and access only those applications and resources necessary to do their jobs. You should also look to control and track what authorized users can do with sensitive customer data such as payment card details.