No Black (Eye) Friday (or Monday) for retailers


Black Friday and Cyber Monday play critical roles in the sales and viability of both online and brick-and-mortar retailers. 

According to Adobe Analytics, in 2018, Black Friday recorded over $6 billion in online sales, and Cyber Monday nearly $8 billion. The National Retail Federation (NRF) estimates that 30% of annual retail sales occur between Black Friday and Christmas, making the holiday shopping season a critical time for retailers.  

Cybercriminals are well aware of this annual global shopping spree and, by their nature, will follow the money. They have been planning what they can skim, steal, and gain control of for a timely ransomware payout. Organized retail crime is a significant problem, and is reported to cost retailers $30 billion each year through stolen credit card data and other assets.

Here are some steps that retailers can take to protect themselves this season:

1.    Practice digital hygiene. With so many attacks facilitated by human error or misconfigurations, keep systems up to date and train employees on how to keep things that way. 

2.    Improve employee preparedness. In addition to awareness training, make sure employees have a safe way to test links and attachments before opening them. Also, require multiple levels of authentication before approving money, payments, or transfer requests.

3.    Segment your networks. Make sure that only the right devices are on the right network segments. Continuous visibility into new devices being added to the network, and into exposed credentials that create attack paths, is invaluable for preventing easy network access.

4.    Don’t store more data than you need to. In the unfortunate event attackers access and steal databases, they should not have access to extra data like three- or four-digit card verification values (CVVs) or PINs. 

5.    If free WiFi access is provided, take precautions to detect man-in-the-middle attacks or users attempting to download malware onto devices.

6.    Update and test out incident response playbooks. A dry run can be invaluable.

7.    Have policies on ransomware and whether you will pay. Testing how quickly one can restore operations can be useful for setting employee and customer expectations. Ransomware attacks on retailers doubled from 2017 to 2018, and per SonicWall, on Cyber Monday 2018, the US experienced a 432% year-on-year increase in ransomware attacks.

8.    Prepare for digital skimmers. Implement end-to-end encryption to mitigate the risk, and review mobile apps and take steps to harden them.

9.    Do not ignore the physical aspects of a breach. The quickest way to access a network is by visiting the premises and connecting directly. This applies to kiosks and self-checkout terminals, too.

10.    Have reliable detection mechanisms for all attack methods and environments. Solutions that require logs or behavioral trending may not prove effective for quick detection. Deception technology, however, will play a powerful role in quickly alerting based on attacker engagement, policy violations, or unauthorized Active Directory (AD) queries.

11.    Be proactive. Rather than waiting for an attack to commence, deception technology creates traps to lure intruders into revealing themselves. Deception technology has demonstrated it can reduce the amount of time an attacker remains undetected by as much as 91%.

12.    Understand how intruders operate. Intruders will attempt to steal credentials or access secure drives, so using deception to plant fake ones can misdirect their attacks. And since intruders will typically attempt to query the AD, defenders can detect these queries and feed them fake data that will redirect the attacks into decoys. Additionally, by observing attack paths, organizations can gain information on how to shut them down in the future.
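The detection side of items 10 and 12, as an added example that is not part of the original post or an Attivo product: decoy credentials are planted, and any authentication event that names one is raised as an alert and grouped by source host for triage. The log line layout and the decoy account names are constructed for the example; the Windows Security event IDs are real.

```python
import re
from collections import defaultdict

# Decoy ("honey") account names planted on endpoints and in AD (constructed for this
# example). Nothing legitimate authenticates as them, so any use is a high-confidence alert.
HONEY_ACCOUNTS = {"svc_backup_old", "pos_admin2"}

# Windows Security event IDs that record an authentication attempt.
AUTH_EVENTS = {4624: "successful logon", 4625: "failed logon",
               4768: "Kerberos TGT request", 4776: "NTLM credential validation"}

# Constructed, simplified one-event-per-line log layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) Account=(?P<acct>\S+) Src=(?P<src>\S+)$")

def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "eid": int(m["eid"]), "acct": m["acct"], "src": m["src"]}

def detect_honey_use(lines):
    """One alert per authentication event that names a honey account."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["eid"] not in AUTH_EVENTS:
            continue  # malformed, or not an authentication event
        if ev["acct"].lower() in HONEY_ACCOUNTS:
            alerts.append({"time": ev["ts"], "source": ev["src"],
                           "account": ev["acct"], "event_id": ev["eid"],
                           "reason": AUTH_EVENTS[ev["eid"]]})
    return alerts

def sources_to_isolate(alerts):
    """Group alerts by source host for triage: {src: [accounts touched]}."""
    hosts = defaultdict(list)
    for a in alerts:
        hosts[a["source"]].append(a["account"])
    return dict(hosts)

# Constructed sample: one host requests a TGT for a decoy, then fails a logon as another.
SAMPLE_LOG = """\
2019-11-29T02:14:07Z EventID=4624 Account=jsmith Src=10.20.1.15
2019-11-29T02:15:31Z EventID=4768 Account=svc_backup_old Src=10.20.1.15
2019-11-29T02:15:33Z EventID=4625 Account=pos_admin2 Src=10.20.1.15
2019-11-29T02:16:02Z EventID=4624 Account=mlee Src=10.20.3.8
2019-11-29T02:16:05Z EventID=4672 Account=mlee Src=10.20.3.8
""".splitlines()
```

Because the decoy names never occur in legitimate traffic, the alert needs no baseline or behavioral trending, which is the point the post makes about speed of detection.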

13.    Work with information sharing and analysis centers such as the RH-ISAC to fortify defenses based on information gathered and shared by industry peers.

14.    Make sure the company hasn’t fallen below the standards defined by PCI DSS. And although not required yet, organizations should be prepared for compliance with the California Consumer Protection Act (CCPA) to help avoid the fines and losses associated with a breach.     

15.    Ensure solutions are comprehensive. Any solution should be effective against insiders, suppliers, and malicious threat actors and deliver the adversary intelligence necessary to substantiate the attack, quickly complete triage, contain the attacker, and restore operations.

As retailers prepare for this holiday season and as part of their ongoing operations, this list can go a long way in reducing risk and making it exponentially harder to breach their networks. 

Consumers want to do business with companies that treat security seriously, and customers will reward those that do with loyalty. Those that do suffer a breach risk losing their customer base. This is a matter to be taken seriously.

Carolyn Crandall is chief deception officer, Attivo Networks
