For the past several years, most of the cyber-security advice leading into Black Friday and Cyber Monday has been aimed at consumers. With an estimated $7.7 billion in sales, according to Adobe Analytics data, this really isn’t surprising. As one would expect, where you can find the profits, you will undoubtedly find the criminals.
Along with consumers, retailers could also use some cyber-security advice this holiday season. After all, there are two sides to every transaction, and hackers, for the most part, are opportunistic in their approach and breaching an organization geared to profit from the madness that is Black Friday and Cyber Monday has the potential to mean big payouts for attackers.
Retailer’s Black Friday Cyber-security Challenges
If an organization is breached and customer data is compromised, the potential damages include a tainted reputation and brand, reduced sales, potential lawsuits, decline in market value and as of November 1, 2018, possible legal ramifications for compliance violations of breach reporting laws.
In addition to the above, there is also crippling costs of responding to a breach and restoring to normal operations. These costs, as seen in previous posts, can land well into the seven-figure range.
Unfortunately, at this stage of the game, if your organization is not yet prepared, you may be in trouble. But as they say, better late than never.
There are some key tasks that organizations should be doing to ensure your infrastructure and applications do not become overwhelmed by the volume of orders expected, and to ensure your organization, and its valuable consumers are not at risk.
Know your Obligations
First, with the passing of the EU’s General Data Protection Regulation (GDPR) and Canada’s Personal Information protection and Electronic Documents Act (PIPEDA), it is now more important than ever for organizations to know their vulnerabilities, and how to secure them. Regardless of the sales made, a data breach has the potential to obliterate profit margins and inflict considerable damage to consumer confidence and company reputation.
Encrypt your Data
In the unfortunate circumstance that your organization is breached, it would be vital that all customer data, in storage and transit, is protected with encryption. This way, even if your organization is breached, the data collected would be essentially useless to a cybercriminal.
Identify Vulnerabilities and Fix Them
Conduct vulnerability assessments, including both automated and manual penetration testing methodologies, on your infrastructure, web applications and mobile web applications. From the results identified in the report, prioritize high risk vulnerabilities first and manage them accordingly. Remember, despite the fact that you cannot always be immune to an attack, you can at the very least make your organization a difficult target. Traditionally, hackers will take aim at the path of least resistance.
For information on Choosing a Penetration Testing Company, or to learn more about the services that would best suit your organization, please review our website and contact us for in-depth information on how to prepare your organization.
Consumer’s Black Friday Cyber-security Challenges
As the old adage goes, if it seems too good to be true, it probably is.
Phishing Campaigns & Click Baiting
Where most people are aware of the dangers of malware, suspicious emails and click bait offers promising gifts and door crasher deals. During this period, eager consumers are especially vulnerable to phishing campaigns and click-baiting schemes, for ONE reason; a strong, compelling and sometimes irresistible sense of urgency or fear of missing out.
In recent years, phishing campaigns have come a long way. They are no longer as easily identifiable to users as they once may have been. To be frank, designing an email campaign to look like your favorite retailer, promising gifts and deals of grandeur is a task of juvenile difficulty for a skilled attacker.
To add insult to injury, with Christmas and the holiday season just a month away, pressured sales tactics are often much more effective now than any other time of the year. For this reason, the consumer is advised to be very weary of suspicious emails. If it seems too good to be true, it probably is. If you receive an email from a favorite retailer, it is always advisable NOT to open the email, and if you do, do NOT to click on any embedded links.
Solution: Visit the actual site of the retailer, independently of the email or link, to determine the integrity of the claims. Better yet, you may consider calling them to validate anything you are unsure of, before making a purchase or arbitrarily entering your personal information into suspicious websites or spam emails.
HTTPS vs HTTP: Beware of the Difference
For online consumers, it is also important to beware of shopping sites that are not using HTTPS in their website addresses or do not display the symbol of a lock next to the web address, in the address field. Secure sites use HTTPS almost exclusively, without that, you run the risk of dealing with unsecured connections and/or weak encryption of your personal data. This is incredibly important while on public internet.
Solution: Always look for the “S” in HTTPs on your favorite shopping websites.
According to RiskIQ’s 2018 Black Friday E-commerce Blacklist Report, 40% of online Black Friday transactions, in 2017, took place on a mobile device. This type of shopping puts consumers at an increased risk of encountering phishing pages, malicious software and viruses that may infect their phones and tablets to mine sensitive data. A significant degree of this potential comes from mobile apps built specifically to fool users into entering their credit card information, opening them up to financial fraud, malware designed to steal their personal information or ransomware designed to lock the device until the user pays a ransom.
Solution: Consumers are encouraged to only download apps from official app stores such as Apple of Google, and be wary of any application that request unusual permissions such as access to contacts, text messages or other administrative features.
We hope this article serves to create awareness to both consumers and retailers alike during this time. From Packetlabs to you, we wish you a happy, stress free shopping experience.
For more information, please review our website and contact us for in-depth information on any of the items discussed here.
At Packetlabs, our mission to continually stay on top of current threats and vulnerabilities has helped distinguish our testing from our competitors. Often times, firms will try to commoditize security testing by performing automated testing (VA scans) with little benefit to the client. Our methodology only begins with automated testing. Thereafter, our extensive experience allows us to manually uncover high-risk vulnerabilities which are often missed by conventional testing methodologies.
At Packetlabs, we mandate training and continually learn and adopt new attack techniques for our clients. We are always digging deeper to uncover vulnerabilities that may have been overlooked. Our mission is to maintain the fact that not one of our clients have been breached by a vulnerability we’ve missed; we take this very seriously.