Key points in a nutshell
- The biggest shopping days of the year are just a week away. According to an Insider Intelligence report, total retail spending during the last Black Friday event was $1.22 trillion: brick-and-mortar sales accounted for $1.02 trillion and eCommerce stores for $204.20 billion.
- The sales numbers are huge every year. Consumers in the UK alone spent a total of 9.42 billion pounds over the Black Friday weekend in 2021, of which online sales accounted for 61.49%.
- The number of SMBs experiencing data breaches in 2023 rose to a staggering 46%.
- This is great news for consumers and retailers. But keep in mind that Cyber Monday also brings Cyber Monday scams: cybercriminals are looking to take advantage of the massive number of transactions taking place this shopping season.
- What are the biggest threats to eCommerce companies and retailers, and what can they do to protect themselves and their reputation? Let's find out.
Black Friday: A fantastic time for consumers and retailers
Black Friday and Cyber Monday are fantastic times for consumers and retailers near the start of the festive period. However, the elevated level of traffic lands on a platform that may not be used to it, and that opens more doors for malicious actors looking for a way to compromise it.
Smaller retailers often believe they are exempt because hackers only want to go after companies with much larger revenue. That is not the case: automated attacks do not care about turnover, and a smaller security budget makes an easier target.
Cyber-attacks are expensive
According to the Cyber Security Breaches Survey 2023, the share of small and medium businesses experiencing breaches reached a staggering 46%. Figures from 2019 put the cost of recovering from an attack at approximately $200,000 per company on average, most likely a combination of fines, remediation work, loss of data and public relations damage. Would you want to shop at an eCommerce retailer that had recently announced it had been compromised?
In addition, eCommerce companies that validate their PCI (Payment Card Industry) compliance through a self-assessment may be contractually required by their acquirer to undergo a forensic investigation after a breach, detailing how they were compromised and what cardholder data was put at risk. This process can cost many thousands of pounds and may mean having to revalidate PCI DSS compliance, which is often more expensive than the investigation itself. In fact, it was stated in 2019 that 60% of small companies that suffer a successful cyber attack go out of business.
Cyber Monday and Black Friday: 5 threats to look out for
1. Phishing attacks
Beware of this threat: 79% of all cybersecurity breaches last year involved phishing.
Phishing is an attack that attempts to steal your money or your identity by getting you to reveal personal information. It can be carried out through many mediums, but is mostly done through email. The messages pretend to come from someone you know, a reputable company or an acquaintance with something that needs urgent attention.
Basically, the attacker sends a fake message. Clicking its link takes you to a phishing website that asks you to "confirm" some details, capturing your login credentials and compromising the account. Be suspicious of any email that urges you to click, call or open an attachment. Rather than following a link in the email, go to the site directly through a bookmark or by typing the address yourself.
If you do not know the sender, or someone inside the organisation is asking for something outside the normal procedure, contact them through a channel you already trust (not by replying to the email) to confirm the request was genuine and not sent by a malicious actor.
- Be cautious of unsolicited emails, messages, or links
- Always verify the sender’s identity before clicking on anything
- Alert your employees about phishing, since it usually increases during holiday season
2. Social engineering attacks
Social engineering attacks are basically about convincing someone to perform a particular action. Astonishingly, cybercriminals use social engineering in 98% of attacks.
The physical variant described here is less of a risk for pure eCommerce companies but causes real problems for brick-and-mortar retailers with a physical location. Malicious actors try to compromise a network by pretending to be someone they are not, for example a delivery driver, a contractor or a new member of staff, in order to get into a part of the building they should not have access to. Once inside, they try to connect to systems and compromise them.
What makes social engineering especially dangerous is that it relies on human error rather than a technical flaw. It is a bigger risk during Black Friday because, with a substantial number of customers inside the building, someone who would usually be spotted as a non-employee can slip into restricted areas unnoticed.
- Inform your team about potential threats
- Regularly check or monitor restricted areas and buildings
3. Malware attacks
Malware is an ever-growing threat and must not be ignored during such busy periods.
In fact, during the first half of 2022, the number of malware attacks worldwide reached 2.8 billion, and 5.4 billion malware attacks were detected in 2021.
Malware is a broad term covering viruses, trojans, spyware, rootkits and keyloggers, among many others. You can help prevent such attacks by ensuring that reputable anti-malware software is installed on all user endpoints and that patches are applied as soon as they become available. Use strong passwords and secure authentication, and keep software up to date.
- Ensure all your devices and software are up-to-date
- Check your anti-virus software
4. eCommerce platform compromise: card skimming malware
Card skimming malware (often called web skimming or Magecart-style attacks) is malicious JavaScript placed on the checkout pages of a business's website that scrapes card data as the customer types it in. It frequently results from a known vulnerability in the platform being exploited because patches were not applied, but it can also arrive through a compromised third-party script that the page loads, so the checkout page is only as trustworthy as every script it includes.
Many eCommerce platforms require regular critical patching; if it is not applied as soon as possible, a compromise is likely. The result is skimming code running on your website, actively capturing card numbers and sending them to a server the attacker controls. The stolen data is then distributed and sold on dark web marketplaces for cryptocurrency, and because the page continues to work normally, the retailer is usually the last to know. Beyond patching, keep an approved inventory of the scripts on your payment pages and check them regularly for changes (a requirement that PCI DSS v4.0 makes explicit); pin third-party scripts with Subresource Integrity and restrict where scripts may load from with a Content Security Policy.
- Regularly patch your software and fix vulnerabilities
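As an added example (not from the original article and not DataGuard's own tooling), the following Python check implements the script-inventory idea described above: it records every script found on a reviewed copy of the checkout page as the approved baseline, then flags on a live copy any script loaded from a host that is not on an allowlist, any cross-origin script without an integrity attribute, and any external or inline script that was not in the baseline. The page contents, host names and allowlist are constructed for the example.

```python
"""Script inventory and tamper check for a checkout page (added example).

Builds an inventory of every <script> on a page, then compares a live copy
against an approved baseline. Page contents and host names are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects src, integrity attribute and inline body of each <script>."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data, so this is the inline body.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def inventory(html):
    """Return (kind, ref, has_sri, host) per script.

    kind is "external" (ref = src) or "inline" (ref = sha256 of the body).
    host is None for same-origin/relative references.
    """
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    items = []
    for s in p.scripts:
        if s["src"]:
            items.append(("external", s["src"], bool(s["integrity"]), urlparse(s["src"]).hostname))
        else:
            digest = hashlib.sha256(s["body"].strip().encode("utf-8")).hexdigest()
            items.append(("inline", digest, False, None))
    return items


def build_baseline(html):
    """Approved set of (kind, ref) pairs taken from a reviewed copy of the page."""
    return {(kind, ref) for kind, ref, _, _ in inventory(html)}


def audit(html, allowed_hosts, baseline):
    """Compare a live page against the baseline and return a list of findings."""
    findings = []
    for kind, ref, has_sri, host in inventory(html):
        if kind == "external" and host is not None:
            if host not in allowed_hosts:
                findings.append(f"unexpected external script host: {host} ({ref})")
            if not has_sri:
                findings.append(f"no integrity attribute on cross-origin script {ref}")
        if (kind, ref) not in baseline:
            findings.append(f"script not in approved baseline: {kind} {ref}")
    return findings


# Constructed sample: the reviewed checkout page (one same-origin script plus the
# payment provider's script pinned with SRI; the digest value is a placeholder).
CLEAN_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v1/pay.js"
        integrity="sha384-exampleDigestOnly"></script>
</head><body><form id="checkout"></form></body></html>"""

# Constructed sample: the same page after someone added a script from a host that
# is not on the allowlist, plus an inline script that was never reviewed.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="//cdn-stats.example/jquery.min.js"></script>\n'
    "<script>/* constructed placeholder for injected code */ var t = 1;</script>\n"
    "</head>",
)

# Constructed allowlist: hosts your checkout page is permitted to load scripts from.
ALLOWED_HOSTS = {"js.payment-provider.example"}

if __name__ == "__main__":
    baseline = build_baseline(CLEAN_PAGE)
    for finding in audit(TAMPERED_PAGE, ALLOWED_HOSTS, baseline):
        print(finding)
```

Run it on a scheduled basis against the live checkout page (fetched the way a customer's browser would fetch it) and treat any finding as an incident until it is explained by a reviewed change. A hit on the inline branch, or an external script from an unknown host, is exactly what a skimmer injection looks like from the outside; the check does not replace patching or a Content Security Policy, it tells you when they have failed.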
5. Human error
Most reported breaches involve human error and stem from a lack of knowledge, so it is time to educate your team. Good cyber hygiene requires an informed team that is committed to the company's security policies. Raise your employees' awareness of data protection and security with regular training sessions, and make cybersecurity an integral part of company policy rather than an afterthought.
- Educate your employees
- Offer regular training sessions
What can we take away from this?
I and many others in the industry know that hackers will try anything to get into a system. If a site's weaknesses are discoverable through search-engine queries (so-called Google dorking), it is very likely that hundreds of attackers are trying to exploit them at any given moment.
Hackers have successfully compromised FTSE-listed companies with far larger security budgets. It would be naive to think they could not do the same to a small 'mom-and-pop' business with a small budget for cybersecurity. In addition, playing the victim when a lack of due diligence is at play will not save you from hefty fines that could put you out of business.
5 Black Friday and Cyber Monday Tips for SMBs
Install the latest patches and updates
Install the latest patches and updates for all devices and remove any devices that no longer receive vendor patching.
Enable multi-factor authentication
Enable multi-factor authentication on every device, account and piece of software that supports it, using an authenticator app or a hardware security token rather than SMS codes where you have the choice.
Enforce an information security policy
Enforce an information security policy from a recognised framework such as ISO 27001, which all employees have access to, explaining their responsibilities to adhere to company procedures.
Backup Your Data
Regularly back up your important data to a secure, separate location, keeping at least one copy offline or otherwise out of reach of an attacker who has compromised your network, and test that you can actually restore from it. In the event of a breach, a recent, verified backup turns data loss into a recoverable incident.
Beware of phishing attacks
Be cautious of unsolicited emails, messages, or links. Verify the sender's identity before clicking on anything. Alert your employees about this threat that usually increases during holiday season.
How can DataGuard help?
DataGuard is here to help strengthen your cyber security posture by supporting the implementation of an ISO 27001 ISMS (Information Security Management System). An ISMS helps you define your assets and the risks they face.
With this system in place, you gain more control over managing and mitigating those risks using the industry-recognised controls of the ISO 27002 framework. After all, you cannot prevent a risk from being exploited until you have identified it.