As we enter the busiest shopping period of the year, online and offline retailers are facing unprecedented cyber risks, leading cyber security firm Symantec warns.
But there are some key ways that retailers can protect themselves against these risks.
Christmas is a particularly vulnerable time for retailers as hackers “exploit” the peak in shopping that comes with the Christmas period, according to Nick Savvides, CTO APJ at Symantec.
“What happens before any major shopping event whether it’s Cyber Monday, Black Friday or Christmas is that much in the same way retailers prepare for more buyers, so do the cyber criminals, they are targeting people with phishing campaigns focused around big brands and deals,” he says.
Formjacking and point of sale (POS) attacks are a particular risk for retailers as we enter the Christmas period, Mr Savvides says.
Formjacking, where a customer submits details in an online purchase which are sent to attackers, has surged in 2018, with Symantec blocking nearly 700,000 attempts in the past three months alone.
These formjacking attacks put customers’ credit card details at real risk of being extorted, according to Mr Savvides.
But attacks on in-store point of sale (POS) systems also present a growing threat, Mr Savvides says.
“There’s a big focus on criminals getting into people’s POS environments and the reason for that is there’s a lot more card transactions, people are in stores, being able to access these POS environments this time of year is when we see a spike in that sort of activity.”
Tips for retailers
But there are thankfully some safeguards retailers can put in place to protect themselves and their consumers against formjacking and POS attacks.
Formjacking in particular can be prevented by testing new updates to detect suspicious behaviour, monitoring behaviour on systems and using content security policies to screen third-party content for malware, according to Mr Savvides.
“It’s important retailers look to do things like validate the modules and plugins being used from sites and integrate in their development cycle security review practices because it is difficult to protect against formjacking in that complicated supply chain where including lots of software,” he says.
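As an added illustration (not part of the original article or any Symantec tooling), the script below audits a checkout page's Content-Security-Policy header for the gaps that matter most for formjacking: where scripts may load from and where page data may be sent. The function names, hostnames and sample policies are constructed for this example.

```javascript
// Added example: audit a checkout page's Content-Security-Policy header for
// gaps that let an injected card-skimming script load or send data out.
// All hostnames and policies below are constructed sample values.

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Sources that match every host: "*" or a bare scheme such as "https:".
const isBroad = (src) => src === '*' || /^(https?|wss?|data):$/i.test(src);

function auditCheckoutCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  // script-src and connect-src fall back to default-src; form-action does not.
  const effective = (name) => policy.get(name) ?? policy.get('default-src');

  const script = effective('script-src');
  if (!script) findings.push('script-src: unset, scripts load from any origin');
  else {
    if (script.some(isBroad)) findings.push('script-src: wildcard or scheme-only source');
    const hasNonceOrHash = script.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
    // Browsers ignore 'unsafe-inline' when a nonce or hash is present.
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash)
      findings.push("script-src: 'unsafe-inline' allows injected inline scripts");
  }

  const connect = effective('connect-src');
  if (!connect) findings.push('connect-src: unset, scripts can send data to any host');
  else if (connect.some(isBroad)) findings.push('connect-src: wildcard or scheme-only source');
  const form = policy.get('form-action');
  if (!form) findings.push('form-action: unset, forms can post to any host');
  else if (form.some(isBroad)) findings.push('form-action: wildcard or scheme-only source');
  return findings;
}

const weak = "default-src *; script-src 'self' 'unsafe-inline' https:";
const strict = "default-src 'none'; script-src 'self' https://pay.example; " +
  "connect-src 'self' https://pay.example; form-action 'self'";
console.log(auditCheckoutCsp(weak), auditCheckoutCsp(strict));
```

The weak sample policy produces four findings and the strict one none; a clean result only means the header is tight, so the allowed script hosts still need the plugin and module review described above.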
POS system attacks can also be addressed by changing default passwords, using security software, using two-factor authentication, implementing chip-and-PIN technology and maintaining security policies for all personnel, Mr Savvides says.
“My recommendation is to maintain network segmentation and make sure that your POS environment uses unique passwords.”
Locking down the supply chain from attacks is also important, Mr Savvides says.
“It’s important retailers work to secure not just their software supply chain but all of their contractors who have access to their systems enforce things like multifactor authentication for contractors and network segmentation.”
Maintaining these sound cyber security practices is absolutely essential ahead of Christmas, Mr Savvides says.
“It’s important to remember to practice good cyber security hygiene. Retailers are custodians of users’ data and information and if they lose it there can be financial penalties and reputational damage.”
But preparing for the worst case scenario through incident response plans is also essential.
“It’s also important to be prepared if your network is compromised, so ensuring your executives, media people and operational teams have good incident response plans and know what to say to users,” Mr Savvides says.