By now, most retail cybercrooks have made their holiday hit lists and have checked them twice. The question is, have retailers taken the necessary steps to safeguard against the seasonal spike in cyberthreats? If not, they certainly should. Over the past two years, some of the biggest retail cyberattacks in history have occurred during this period. And cyberheists are increasing in frequency as well as scope: Our recent Global State of Information Security® Survey found that attacks on retail and consumer companies skyrocketed 154% in 2015 over the year before, and compromise of customer records soared 27%.
Protecting against constantly evolving cyber-risks is always a challenge, but it’s particularly daunting during the holiday shopping season when the spotlight turns to profitability pressures, surging sales volume and staff shortages. Further compounding the situation this year is migration to the EMV (Europay, MasterCard and Visa) payment system in the US. The chip-based payment technology is more secure than magnetic-stripe cards, but certain processes may expose retailers to new vulnerabilities. And, as has happened in other countries that introduced EMV, card-not-present (CNP) fraud is likely to increase as EMV is implemented.
With the holiday shopping crush fast approaching, there’s little time to roll out new cybersecurity technologies and processes to address these rising risks. But businesses can conduct a quick review of their cyber-readiness that will help them prepare for potential incidents, as well as get a head start on implementing critical solutions in the new year. We’ll talk more about the latter in a subsequent blog post.
It’s not too late to prepare for the holidays
Over the next few weeks, retailers should perform a quick check of their cyber-readiness. Following is a checklist highlighting six steps to consider:
- Identify and understand threats that are most likely to impact your business this holiday season. Review your organization’s most recent vulnerability assessments to understand what systems and data were examined, the risks identified and how those vulnerabilities were mitigated. A smart tactical move is to determine what system patches have been deployed.
- Take a look at your company’s capabilities to continuously monitor for and detect compromises of its high-value assets. Are your teams scanning for and reporting anomalous network and user activity, as well as investigating high-volume activities or suspicious data transfers?
- Human intelligence is equally critical to effective monitoring, so review your security operations center (SOC) to ensure that it is properly staffed to meet seasonal surges (and that end-of-year PTO doesn’t cripple its capabilities). Also review the SOC’s most recent simulation exercises to better understand the company’s cybersecurity preparedness.
- During this busy period, make sure that security personnel keep an eye on external intelligence sources for the latest cyberthreat intelligence. Reinforce the importance of quickly communicating all identified risks across the organization.
- Employees remain the most frequent culprits of compromise, intentional or otherwise. Now is a good time to launch a holiday refresher campaign to promote good cybersecurity practices; don’t forget to include seasonal workers. Doing so can help you avoid risks like phishing scams and unintentional leakage of customer information.
- Assess whether your company’s breach-response processes are up to date and tested, and whether appropriate personnel are trained. This could save you time and money in the event of a security incident.
Watch out for CNP fraud
In addition to the six issues listed above, retailers have another cyber-readiness consideration this holiday season: Now that EMV payment is live in many physical retail locations, it is very likely that cybercrooks will shift their attention to online CNP fraud. Watch out for an increase in tactics such as triangulation, chargeback and reshipping fraud.
First, touch base with existing vendors to discuss staffing and their ability to identify CNP incidents. Internally, perform a quick review of key performance indicator (KPI) thresholds that measure potential CNP incidents. It’s a good idea to prioritize mobile payment channels due to ongoing increases in transaction volume and CNP incidents.
Also look over security controls and processes that can help identify and mitigate CNP incidents. These can include network monitoring, behavioral analytics, point-to-point encryption and tokenization.
Finally, be prepared to respond to fraudulent activity by reviewing your fraud crisis-management plan. It should include processes for root cause analysis, mitigation, internal and external communications, and customer compensation.
If you haven’t done so already, conduct a quick review of these cybersecurity and CNP fraud practices before you tuck into your Thanksgiving turkey. After Black Friday, we’ll be back with tips on how to effectively implement core cybersecurity technologies and processes in the new year.