How to Tighten Your Cybersecurity for Online Shopping
David Gochenaur Senior Manager, Information Security
Increased in-store transactions have always called for more robust loss prevention, and in today’s connected world that involves much more than collaring artful dodgers. Every business engaged in holiday e-commerce is a target for cyberattacks against its defenses and data, with potential for damage that is both financial and reputational.
Can you change your customers?
Some of the biggest threats to a company’s cybersecurity systems are those that exploit customer online behavior, such as
Poor password management
Susceptibility to phishing
Clicking links that install malware
Failure to install adequate protection (antivirus, security patches, firewall)
Sharing credit card information with questionable websites
Using multi-network connections
These habits aren’t under your full control, but the following are some key things to do before the holiday spikes to mitigate the risks they create.
Establish and review your cybersecurity program. Make sure you have established a cybersecurity program based on a framework that is aligned with your business, includes a clear set of industry best-practice security policies, has a clearly defined owner, and is structured so that it can take a risk-based approach to strategy execution. Perform continuous assessments of your vulnerabilities, your threats (both ongoing and seasonal), and the business risks a breach of any of them would pose. Prioritize closing the security gaps with the greatest potential for damage to the business. Some of the more commonly used industry frameworks are ISO 27001/2, the NIST Cybersecurity Framework (CSF), PCI-DSS, COBIT and the CIS Critical Security Controls.
Identify your organization’s risks. Determine your organization’s overall risk tolerance and, specifically, its risk tolerance for the customer data you hold. Identify your organization’s most important data, where it is located, the applications that use it, and who has access to it. Periodically reassess whether those people still need that access. Factor in the nature of the customer data you hold and, if needed, adjust how heavily threats to that data weigh on your organization’s risk posture.
Develop a security strategy. Bring together your organization’s business drivers, the results of the data and threat analysis, and your organization’s risk tolerance, with the goal of protecting your highest-value data. Ensure the strategy covers performance of the security fundamentals (patching, malware protection, vulnerability management, monitoring) as well as the ability to incorporate emerging threat management tools and processes. Incorporating an Incident Response capability gives you the ability to respond quickly and rationally, which is key to protecting both the customer and the business.
Have a Disaster Recovery Plan. Along with the Incident Response Plan, which guides you through the incident itself, prepare a well-developed and tested Disaster Recovery Plan (DRP) with the objective of minimizing downtime and data loss. Organizations cannot always avoid disasters or large incidents, but careful planning can minimize the impact.
Backup. Keeping duplicate copies of your data in a location separate from the one your live systems use will keep it safe in case of a cybersecurity incident or a disaster. Some of the newer cyber threats focus on encrypting your data so that it is unusable unless a ransom is paid to the Threat Actor. Other malware is intended simply to destroy the data. In either case, having backup copies of the data allows a quick recovery with minimal impact on your customers and business processes.
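A backup is only useful if the copy you restore from has not itself been encrypted, deleted or replaced. The following Python script is an added example (not part of the original article) of one practical check: record a SHA-256 manifest of the backup set when it is written, store that manifest separately from the backup, and compare the two before trusting a restore. The sample files, the manifest path and the demo() routine are all constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest: dict, path: Path) -> None:
    # The manifest should live somewhere the backup host cannot write to
    # (offline media, a separate account), otherwise an attacker who
    # encrypts the backup can simply rewrite the manifest to match.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree against the manifest and categorise every difference."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_clean(findings: dict) -> bool:
    """True only when nothing was modified, removed or added since the manifest was taken."""
    return not any(findings.values())


def demo() -> dict:
    """Run the check on a constructed backup set, then on a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "orders").mkdir(parents=True)
        # constructed sample backup contents
        (root / "orders" / "2023-11.csv").write_text("order_id,total\n1001,59.99\n")
        (root / "customers.db").write_bytes(b"\x00constructed-db\x00")

        manifest_path = Path(tmp) / "offline" / "manifest.json"  # hypothetical separate location
        manifest_path.parent.mkdir()
        save_manifest(build_manifest(root), manifest_path)
        before = verify_backup(root, load_manifest(manifest_path))

        # Simulate what a destructive or ransomware-style event leaves behind:
        # one file overwritten, one deleted, one unknown file added.
        (root / "customers.db").write_bytes(b"ENCRYPTED:" + os.urandom(16))
        (root / "orders" / "2023-11.csv").unlink()
        (root / "customers.db.locked").write_bytes(b"constructed ransom note")
        after = verify_backup(root, load_manifest(manifest_path))

    return {"clean_before": is_clean(before), "clean_after": is_clean(after), "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification as part of the Disaster Recovery Plan rehearsal, not only after an incident: a backup that fails this check during a drill is a finding you can fix in advance, while one that fails during a real recovery is downtime.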
Bug bounty program. While not right for all organizations, a bug bounty program can be used to find vulnerabilities in your more important customer-facing websites. A bug bounty program is a deal offered by an organization that allows individuals to receive recognition and compensation for reporting bugs (or program flaws), especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse.
Same scams, just more of them
The goals of Threat Actors remain the same throughout the year, of course: many seek personal information to use in financial fraud, larceny, or identity theft, or to sell on the dark Web to other criminal enterprises.