The holiday shopping season presents a target-rich environment for cybercriminals. In fact, as per the 2020 Trustwave Global Security Report, the retail industry is the most targeted sector for cyber attacks for the third year running.
An increasing shift to a digital environment—a change due in no small part to the COVID-19 pandemic—isn’t making data protection easier for retailers either.
Consumers continue to set online sales records, a trend that’s expected to continue through the end of 2020. However, hackers are cashing in on this surge too, with over £16 million lost to U.K.-based online shopping fraudsters alone during the three months of the pandemic.
Database security is a concern even for the biggest eCommerce behemoths. Earlier in 2020, eight million customer records belonging to the likes of Amazon, eBay, Shopify, and PayPal were exposed because of a database vulnerability.
With Black Friday, Cyber Monday, and other holiday-related shopping events approaching, here’s a short checklist of cyber security tips to help ensure retailers are ready for the end-of-season rush.
1. Comply with data privacy laws and regulations
For online retailers serving a global customer base, this likely starts with compliance with the EU’s General Data Protection Regulation (GDPR), which took effect in mid-2018.
The regulation focuses on how personal data is collected, protected and retained. It applies to any organization operating within the EU, and to organizations outside the EU doing business with individuals or organizations within the EU.
Sparked by the GDPR, 42 U.S. states and other countries worldwide have initiated data privacy legislation. The most notable of this group is the California Consumer Privacy Act, which has been enforced since July 1, 2020. This new legislation alone has resulted in over 50 lawsuits stemming from violations.
The bottom line for retailers is simple: It’s crucial to comply with privacy regulations that encompass your operational scope.
Implementing a GDPR awareness solution designed for retailers can help educate staff who deal directly with customers, whether online or face-to-face, so they can better protect personal information.
2. Ensure employees understand your cyber security best practices
Employees can either be the weakest link or the first line of defense in an organization’s cyber security posture.
On the one hand, untrained, unprepared employees are unable to consistently detect and avoid cyber threats and, as a result, are more likely to fall victim to phishing schemes. They may also be more susceptible to having equipment stolen or compromised because of preventable behavior.
On the other hand, retail organizations that implement risk-based security awareness training programs can motivate employees to adopt a cyber secure mindset and enhance information security initiatives instead of inhibiting them.
Addressing the human factor is an essential step in safeguarding against cyber attacks, regardless of how secure a retailer’s technical infrastructure is or how recently its antivirus software was upgraded.
3. Implement multi-factor authentication for transactions
In the wake of the 2013 Target breach—one that cost the U.S. retail giant $18.5 million in a multistate court settlement—U.S. retailers aggressively moved to implement the EMV® payment system that uses credit and debit cards with embedded chips requiring a PIN or signature to complete the transaction.
However, online retailers can’t utilize the added layers of security that come with those types of cards. Instead, it’s essential that they take advantage of multi-factor authentication (MFA) options at their disposal to prevent fraudulent activity.
Whether it’s a unique numeric code or completing a reCAPTCHA request, these distinct authentication methods help retailers provide consumers with a smooth, secure checkout process, leaving both parties with peace of mind.
4. Check your site for malicious code
With chip cards and MFA considerations helping to curb data compromise at the point of sale, fraudsters are turning to new ways to capture personal information during online, card-not-present transactions.
For example, Brian Krebs wrote about how bad actors are compromising e-commerce sites with malicious code. Krebs cites a security vendor that suggests how British Airways was breached and another vendor that said it saw 250,000 of these incidents in September 2018.
Krebs recommends that retailers who want to make sure their site is free of malicious code use an online source code viewer, which lets them safely view a webpage’s HTML without rendering it in a browser.
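Viewing the raw HTML is useful only if you know what is supposed to be there. The script below is an added example, not from the article or from Krebs, of turning that manual check into a repeatable one: it inventories every `<script>` in a checkout page and reports any external script whose host is not on an allowlist, and any inline script whose body does not match a known-good baseline snapshot of the same page. The two HTML documents and the hostnames are constructed for the example; the baseline-snapshot approach (rather than a hand-maintained hash list) is a design assumption.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptInventory(HTMLParser):
    """Collects external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # text of <script> blocks without src=
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def inventory(html: str) -> ScriptInventory:
    inv = ScriptInventory()
    inv.feed(html)
    inv.close()
    return inv


def inline_hashes(html: str) -> set:
    """SHA-256 of each inline script body; used as the known-good baseline."""
    return {hashlib.sha256(body.encode()).hexdigest() for body in inventory(html).inline}


def audit_scripts(current_html: str, baseline_html: str, allowed_hosts: set) -> list:
    """Return (finding_kind, detail) pairs for scripts that deviate from the baseline."""
    baseline = inline_hashes(baseline_html)
    inv = inventory(current_html)
    findings = []
    for src in inv.external:
        host = urlparse(src).hostname
        if host is None:           # relative URL: served from our own origin
            continue
        if host not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in inv.inline:
        if hashlib.sha256(body.encode()).hexdigest() not in baseline:
            findings.append(("unknown-inline-script", body[:60]))
    return findings


# Constructed sample: the page as deployed, and the same page with two additions.
BASELINE_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop-example.test/lib/forms.js"></script>
<script>window.shopConfig = {currency: "GBP"};</script>
</head><body><form id="checkout"></form></body></html>"""

CURRENT_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop-example.test/lib/forms.js"></script>
<script>window.shopConfig = {currency: "GBP"};</script>
<script src="https://stats.unknown-host.invalid/t.js"></script>
<script>/* constructed: an inline block that is not in the baseline */ var marker = 1;</script>
</head><body><form id="checkout"></form></body></html>"""

ALLOWED_HOSTS = {"cdn.shop-example.test"}   # constructed allowlist of your own CDN hosts

if __name__ == "__main__":
    for kind, detail in audit_scripts(CURRENT_HTML, BASELINE_HTML, ALLOWED_HOSTS):
        print(f"{kind}: {detail}")
```

Run this against the HTML your server actually returns (fetched with an ordinary HTTP client, not a browser), and refresh the baseline whenever you deploy. It only sees what is in the delivered document, so a script that an allowed host has itself been compromised to serve will not be flagged; subresource integrity attributes on the allowed `<script src>` tags close that gap.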
5. Check your POS terminals and network
If you’re a retailer operating a physical shopping location this holiday season, cyber security best practices such as routinely auditing lightly staffed payment terminals at self-checkouts are key.
This practice helps ensure skimmers haven’t been attached to capture sensitive consumer information like PINs or account details. It’s also a good idea to regularly check your in-store Wi-Fi access points and network for rogue devices that a bad actor may have installed.
6. Encrypt the data and network
Even if you’ve done everything possible to prevent customer data from compromise, bad actors are always evolving their strategy and tactics. An easy way to keep your data secure is to enable file and network encryption wherever possible.
If you encrypt the data, it will stay protected no matter where it resides, even if cyber criminals gain access to it. This extends to VPN protection for your work-related Wi-Fi network, a crucial security layer for anyone accessing or sending sensitive information over that connection.
7. Have a well-defined recovery plan
Even if you take all these precautions, it’s possible that a cyber attack can slip through the cracks. To avoid chaos and permanent data loss, ensure that your organization has a well-defined, ready-to-execute recovery plan in place. This type of strategy includes data backup and system reset details, as well as alignment with internet or hosting service providers.