In the U.S., the post-Thanksgiving shopping blitz of Black Friday often serves as a make-or-break event for many retailers. Indeed, Black Friday is the day when retailers start to make a profit for the year.
No further explanation is needed to understand why retail cyber security is so important. Since the arrival of the browser, online shopping has evolved. In 2005, the National Retail Foundation (NRF) coined the term Cyber Monday to describe the Monday after Thanksgiving and Black Friday, and over the years it has evolved into a major concern for security-conscious businesses.
According to Practical Ecommerce, the 2015 shopping weekend saw billions of dollars of sales, of which more than $10.4 billion was attributed to in-store sales and $5.77 billion to online sales. Meanwhile, comScore reported nearly $70 billion in desktop and mobile online sales between Nov. 1 and Dec. 31, 2015.
Everyone knows that criminals follow the money. Before the internet, we read about robberies of brick-and-mortar establishments. Now, with an anticipated $70-plus billion in online sales in just a 60-day period, we find that criminals have adjusted and moved online. In 2014, the number of daily attacks decreased during the timeframe surrounding Black Friday and Cyber Monday. Similarly, 2015 saw no major upticks in cybercrime, though small and medium-sized businesses found themselves in the bull’s-eye.
Verizon’s “2016 Data Breach Investigations Report” noted that “around 90 percent of all security incidents in the retail sector involved denial-of-service (DoS), point-of-sale (POS) or web app attacks.” The report explained that it took 79 percent of the organizations weeks or more to recognize that a crime occurred. In contrast, the holiday shopping period lasts for only eight weeks.
Retailers should update their technologies. Security experts have been imploring retailers to move away from password-only environments. A 2012 Institute of Electrical and Electronics Engineers (IEEE) paper titled “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes” describes the ongoing, decades-old struggle to replace passwords with other authentication tools.
We asked John Haggard, chief executive officer (CEO) of Nymi and a global authority on authentication, for his thoughts on how retailers might protect themselves and, by extension, their customers. Here’s what he had to say:
“The single biggest corrective step an organization can make to secure its environment is to ensure all identities, including employees, partners, customers and especially machines, are correctly authenticated. This sounds simple, but it is incredibly difficult to break the addiction to passwords that is the current champion of authentication.
“What’s worse, the industry is getting organizations hooked on the multifactor alternative, which is arguably worse in today’s environment. With passwords, everyone knows the problem. With one-time codes, organizations believe they have plugged the hole when in fact they haven’t. Despite this warning, organizations should set a key objective that simply states, ‘Authenticate correctly and effortlessly.’
“This likely will never be solved 100 percent for any given period of time, therefore a constant evaluation of the authentication position can be captured by reviewing the data on incorrect authentications. A full 63 percent of breaches can be traced back to this issue, according to the Verizon study. The name of the game is to reduce the attack profile while preserving productivity.
“Passwords are in the red (as in your blood red), one-time passwords (OTPs) are yellow/red and Fast ID Online (FIDO) authenticators are green. Start by setting the objective and developing the discipline to understand issues and then support vendors that are trying to help you get there. You get to give feedback and request/demand improvements — staying stuck isn’t a good strategy.”
POS systems are a primary area of concern. Every retailer should separate its POS infrastructure from its corporate infrastructure. Tripwire recommended including monitoring and two-factor authentication for all users accessing the POS environment in addition to segregating the infrastructure.
This begs the question, would retailers know if their POS infrastructure was compromised? Do they have a plan to respond to indicators of compromise? Does your response plan affect your ability to conduct commerce?
The NRF created a comprehensive playbook for its members that highlighted three key areas in which retailers need to focus: trust, community, and anticipation. Customers will quickly lose trust in retailers that don’t focus on securing their environments and technologies.
How retailers engage their customer will speak volumes to how seriously they take security. Are you asking the customer to provide data that you are not able to protect? Do you send emails containing hotlinks to get your customer to click and buy? Do your privacy and terms of service statements clearly articulate how you protect customers’ data? Can customers quickly engage with your support teams if they report cyber crime? Are your support teams trained to handle social engineering attempts to access customer accounts?
First and foremost, only deal with retail organizations you trust. Understand how they operate. More importantly, understand that every entity can be spoofed in email or online.
Practice good online hygiene as part of the overall retail cybersecurity solution. Resist the urge to click on Cyber Monday coupons in emails — type the URLs into your browser window instead. Ensure your devices are up to date with both your security suite and your operating system. Download apps only from trusted environments.
We asked Rebecca Herold, The Privacy Professor and industry thought leader on privacy, what consumers can do to protect their online engagements. Not surprisingly, her advice addressed the need for authenticating yourself with the vendor.
“Use two-factor authentication wherever it is offered,” Herold advised. “This way, if a password is one of the factors and the password file gets hacked, that second factor will help to prevent unauthorized access into your accounts.”
Speaking of passwords, remember to use a unique password for every online account. It sounds cumbersome, but give it some thought. If you reuse passwords and the password file of the company with the least secure infrastructure is compromised, then your user ID and password combination are the keys to all your other accounts, especially for those that lack two-factor authentication.
The holiday season is upon us. Make it a joyous occasion by keeping your company, customers and yourself safe online.