Christmas clash: The retailer vs the cybercriminal

What are the six key things retailers need to do to protect their systems and their customers during this year’s Christmas shopping bonanza?

The past week has seen consumers introduced to characters such as Buster the Boxer and Kevin the Carrot as UK retailers start to reveal the creative outcome of months of planning and eye-wateringly expensive advertising campaigns, all designed to help us get in the spirit of spending this festive season.

But putting the warm, fuzzy festivity aside for a minute, it is worth remembering that they aren’t the only ones looking to capture as great a share of your spending as possible. The run-up to Christmas not only means competition for retail revenues, it also presents rich pickings for the Grinch-like hackers targeting retailers’ online ordering and payment systems, and potentially consumers’ credit card data.

The reality is that today’s cybercriminals are no longer geeky twenty-somethings looking to test the system; they are most likely to be serious criminals who are part of a well-organised and well-funded machine, with plenty of resource to put behind what is turning into a very lucrative operation. Credit card data continues to attract a buoyant market value on the dark web, particularly for cards issued by triple-A credit referenced Western banks, which makes it easy to see why online retailers during the peak period represent a very attractive target market.

In addition, the frenzy of sales and marketing tools used to fight for our attention at this time of year, from personalised emails or text messages to digital adverts and loyalty schemes holding your personal data, provides myriad ways for cybercriminals to try to impersonate our favourite retailers with the aim of compromising our personal information. It can often be difficult to tell the difference. Many of the techniques used by retailers to build customer loyalty are being subverted by cybercriminals looking to trick you into revealing your details. For example, a retailer might be investing heavily in digital advertising across online and social media, inviting you to click through to their festive promotions. On the flipside, cybercriminals are increasingly using the technique known as malvertising, where malicious advertisements are injected into legitimate online advertising networks and webpages to infect devices, which can then be controlled remotely to harvest personal data.

Cybercriminals are convincingly duplicating the tailored communications used by well-known online vendors to promote special offers, and using them in a much more sinister way. Alarming statistics from a Ponemon Institute study report that 44 per cent of retail firms experience more than 50 incidents per month, with retailers taking up to 197 days to identify that they have had a breach. With the number of online threats growing at an unprecedented rate, the average time to detect an advanced threat is far too long and way too risky for vendors and their customers. Attackers are taking control of payment systems for long enough to cause severe damage that is often irreversible.

So what are the six key things retailers need to do to protect their systems and – importantly – their customers during this year’s Christmas shopping bonanza?

  1. Use predictive analytics to structure data to enable informed, strategic decision-making.
  2. Protect any and all data around processing of cards - comply fully with PCI DSS.
  3. Build in security by using your network infrastructure as a security sensor, leveraging critical data a bolt-on managed service will almost certainly miss.
  4. Identify internal indicators of compromise by analysing outbound traffic.
  5. Don’t forget about the old favourites - DDoS attacks are still important to the retail industry, particularly at predictable peaks such as Black Friday/Cyber Monday.

While it is all too easy to get caught up in how many likes the latest advert featuring a bouncing boxer or tipsy carrot gets on Facebook, it is essential that the retail sector recognises the importance of IT security, particularly at this time of year. Online sellers must take responsibility for ensuring that payment systems and the sensitive information they hold on their customers are protected and handled responsibly.

To ensure that this year’s festive period is not marred by cyber threats, retail firms must understand the huge financial and reputational impact that cyber-attacks can have on a business and implement appropriate solutions to safeguard against risk. Today it is essential that retailers have a holistic approach to security that delivers end-to-end protection, and that is in place to support the business before, during and after an attack.

After all, few consumers would forgive a retailer if they were the cause of their personal information getting into the hands of cybercriminals, particularly at this time of year, however cute, funny or emotionally charged their festive advertising campaign may be.

Terry Greer-King, Director of Cyber Security, Cisco UK, Ireland & Africa
