With Christmas Day being mere weeks away, jingle bells and debit cards will be tapping and tinkling for this year’s Black Friday sales. While online shopping offers customers access to the best deals, they must be wary of the potential risks involved. This year, government bodies have warned bargain hunters of the enhanced online scams and cyber risks now in play, after shoppers lost over £10 million to cyber criminals during 2022’s festive shopping period.
With this in mind, industry leaders in the cybersecurity sector have weighed in on the current risks, offering advice to support organisations and customers alike in navigating the frenzy that Black Friday creates.
“Phishing” for bargains
With the best deals filling up customers’ email inboxes, it can be hard to know which lines of communication to trust in an age of sophisticated social engineering attacks. According to PlainID’s VP EMEA, Stuart Hodkinson, phishing is one of the most common attack methods used by cybercriminals, with shopping platforms being targeted in 43% of all phishing attempts.
With this in mind, Randeep Gill, Principal Security Strategist at Exabeam, believes organisations need to be alert and ready. “The demand to enhance capabilities for e-commerce to cater for the increase in sales has inadvertently expanded the vector through which adversaries can operate. This busy time of year means that cybercriminals are not only continuing to exploit vulnerabilities in online retail presences, but are also pursuing sophisticated methods of social engineering to gain access to credit card information.”
“A multi-layered strategy should be employed throughout the year – using behavioural analytics to establish normal behaviour for all users and assets in an organisation. This will help businesses better understand anomalies in their diverse environments that could indicate a breach”, he says.
“If you do receive an email with news of a fantastic offer, rather than click on links in the email, go straight to the retailer – if it’s legitimate, the same deal will be there”, adds Six Degrees’ Cybersecurity Product Director, Robert Sugrue.
“Don’t trust emails that say using this link only, or only available if you click here – they are most likely going to take you away to a cybercriminal’s site where they will look to steal as much from you as they can: your identity, your email address, and even your money. Be aware of these scams, don’t panic, and take your time. Check the website addresses and senders of these emails.”
Hope for the best, prepare for the worst
Prevention is always preferable to a cure, and safeguarding data in the first instance is key to ensuring Black Friday sales go ahead without a hitch.
“As we head into ‘peak’ shopping season in the UK, retailers witness an immense volume of sensitive information coming through their networks. Last year alone, sales during the Black Friday period in the UK reached £8.71 billion, with online sales reaching £5 billion”, shares Chris Denbigh-White, Chief Security Officer at Next DLP.
“With all these transactions, consumers include payment details, names, addresses and more. With so much at stake for many businesses during the Black Friday period, protecting sensitive information could be the difference between staying in black or going into the red.
“Ensuring that sensitive customer data is safeguarded is not just a matter of regulatory compliance, but a critical aspect of maintaining consumer trust and preserving the integrity of the business. Implementing advanced security protocols and continuous monitoring systems is not just advisable; it’s imperative in today’s digital age.”
While it is important to have strategies in place to prevent harmful cyberattacks, a disaster recovery plan is just as important in preventing financial ruin on one of the biggest days on any retailer’s calendar. Zerto’s Technology Evangelist, Chris Rogers, warns of the havoc that a cybercriminal lying in the shadows can cause.
“Cyber Monday is well known for being one of the last chances for retailers to hit profits before the end of the year. Given the importance of this event, some retailers may have already been exploited, with ransomware lying dormant until it can do maximum damage – for example, early morning on Cyber Monday. By holding off, the impact of the hacker’s attack doubles: a retailer’s entire operation has been shut down on the most profitable day of the year, all while being held to ransom.
“To avoid this, retailers need to ensure the organisation can recover fast from a cybersecurity event and get back to business as usual – shifting to a more pragmatic and strategic security approach. Once you’ve been compromised, prevention is no longer a viable protection strategy. By implementing tools that deliver disaster recovery and continuous data protection (CDP), retailers will be able to get things up and running quickly when something goes wrong, limiting downtime and restoring operations in a matter of seconds or minutes, rather than days or weeks – something that is especially vital on the biggest E-commerce day of the year!”
Balancing trust and collaboration
While new threats are on the horizon, so are new cyber defences, both internal and external. Knowledge is power, and ensuring that the right people have it, and the wrong people don’t, will give the power back to retailers this Black Friday.
PlainID’s Stuart Hodkinson advocates for a zero-trust approach to cybersecurity, ensuring that the right actors are the only ones with access to a retailer’s network.
“Retailers must adopt a ‘Zero Trust’ approach, which means trusting no one – not even known users or devices – until they have been verified and validated. Zero Trust provides that layer of defence that is unrivalled when it comes to defending internal systems.
“However, additional steps can still be taken to improve security. POS cards can easily fall into the wrong hands, and once passwords are exposed to criminals, they often have unrestricted access to the company’s entire network. Therefore, identity and authorisation solutions, especially those that allow for 2-factor verification through personal devices or biometrics, will ensure that criminals are stopped in their tracks, even if they do have a working password.”
On another note, Brett Candon, VP of International at Cyware, advocates for threat intelligence sharing, with new technology heading the charge to strengthen cybersecurity strategies all around.
“This next-generation approach to cybersecurity – often referred to as cyber fusion – unifies all security functions such as threat intelligence, security automation, threat response, security orchestration, incident response, and others into a single connected platform which detects, manages, and responds to threats in an integrated and collaborative manner.
“The importance of collaboration – inside and outside the organisation – cannot be overstated. Collective defence focuses on an open, trusted ecosystem where security teams are empowered to work much more closely with trusted community peers as they manage intelligence, develop detections and response plans, and respond to threats. At the end of the day, threat intelligence only works when it can communicate the relevant data to the right people, at the right time, so they can quickly take meaningful action.”
Black Friday marks the beginning of the holiday shopping season, but excitement must be balanced with caution and care. In merriment, Six Degrees’ Robert Sugrue proclaims, “Be cautious, keep your wits about you, and enjoy the shopping experience!” – happy bargain hunting!
In summary, to be able to deliver the best possible customer experience without worrying about cybersecurity, retailers should follow the rules below:
• Be phishing aware – with cybercriminals taking advantage of the busy period to target retailers and their customers, retailers need to be alert and ready. A multi-layered security strategy that includes education on avoiding phishing can help keep customers safe.
• Take a Zero Trust approach – in order to protect internal systems, adopt a Zero Trust approach and require verification for all users and devices. Additionally, require multi-factor authentication for all purchases so that deception doesn’t slip through the cracks.
• Prepare for the worst – develop a disaster response plan that includes backup and recovery, so that you can be back up and running quickly and not miss out on valuable sales.