As anyone who has worked in retail can attest, everything around the holidays is magnified. More sales, more traffic, bigger crowds, more support calls, longer hours, increased foot traffic, bigger promotions, extra communications. And more cybercrime.
The unfortunate truth is that the holidays have always been big for cybercrime, and this year is most definitely not an exception. In fact, the situation is likely to be worse due to the impact supply chain issues are having on retailers and their customers. The fear of not being able to get what they want may lead to emotionally driven “too good to be true” purchases on scam websites and impulsive clicking (or tapping) of links in emails and texts.
Cybercriminals may also benefit from the fact that many retailers have continued to rapidly expand their digital presence to meet market demand. Some of these new solutions, which often reside in multi-cloud environments, haven't been tested under heavy holiday loads or properly secured against advanced threats. Likewise, as retailers have pivoted their organizations to meet customer demand, security gaps may also affect newly deployed technology supporting warehousing, distribution, and fulfillment centers.
According to Adobe Analytics, with online spending remaining elevated and demand levels poised to surge, the online retail holiday season is expected to top $200 billion for the first time. All this activity is also good news for cybercriminals who understand the market dynamics and have upped their game in-kind.
Retailers understand that convenience and consistency are top-of-mind for consumers. Therefore, expanding direct-to-consumer options will be a key strategy for retailers looking to get goods into the hands of the consumer as quickly as possible no matter where and how consumers choose to shop. Doing so through both digital and physical channels will be important as the environment normalizes and retailers look to win the battle on multiple fronts.
During the holiday season, retailers regularly use flash sales, microsites, and limited time offers to attract shoppers looking for the best deal. These emotional appeals are nothing new, but now attackers are capitalizing on these tactics to lure in click-happy customers.
If we focus in on email attacks, they are common and becoming much harder to spot, particularly when they come from legitimate email domains that can slip by traditional security filters. Fake emails entice consumers with deals, discounts, and available products that are almost impossible to discern from the real thing.
These issues are compounded by the fact that more consumers are working from anywhere. This increase has blurred the lines of what is a company-protected asset and what is not. Now employees may be using business assets for personal activities, such as shopping online, and they may be doing so from the office, home office, a coffee shop or anywhere else. More advanced email security services, including sandboxing, should be evaluated to combat the ever-increasing email-based risks while endpoint detection and response technology (EDR) is crucial for protecting company devices and those that blur the line. Incorporating zero-trust concepts, including identity verification and authorization can also help reduce risks.
Retailers themselves face the ugly specter of ransomware as well. In a new global ransomware survey conducted by Fortinet, 67% of organizations report having been a ransomware target. And nearly half said they had been targeted more than once and almost one in six said they had been attacked three or more times.
Ransomware continues to become more financially damaging with a drastic increase in payments. The US Treasury’s Financial Crimes Enforcement Network (FinCEN) reported nearly $600 million in ransomware payouts in in the first half of 2021, which puts victims on track to top the combined payouts of the previous decade. (Ouch)
Clearly, any retailer heading into the 2021 holiday season without adequate security is putting their business in harm’s way. While making sweeping changes to correct long periods of security posture neglect may not be possible at this stage, businesses can be extra vigilant during the busy holiday season and use existing tools to their best advantage. Looking for native and 3rd party integrations to bolster security effectiveness may be worth investigating.
It's equally important to ensure that proper processes are in place to scale securely during the busy holiday season with have visibility and posture checks across multi-cloud environments. Take advantage of automation and artificial intelligence where it's feasible and educate your employees to report suspicious activities.
Bottom line, steps need to be taken by retailers to protect their consumers and their brand from harm. Security needs to span the entire digital attack surface and all edges and data must be protected during this season, as retailers face an increasing number of challenges from the traditional to the more advanced. So, while the holidays are a busy and exhausting time in retail, by working smart and maximizing the technology and partnerships you have in place, the season can be safe and successful for everyone.