The original version of this post was published in Forbes.
Most of the cyber security advice leading into the post-Thanksgiving orgy of shopping known as Black Friday and Cyber Monday has been aimed at consumers.
Which is fine—all of us can use the reminders, since criminals are primed to profit from our carelessness or cluelessness about increasingly sophisticated threats in the online shopping world.
But, obviously, there are two sides to every transaction. If there is a buyer, there is a seller. And sellers—retailers—could also use some advice.
The stakes are high for them too. Every recent year has set a new spending record, and 2018 is expected to do the same. Adobe Analytics predicts that Cyber Monday will again be the largest- and fastest-growing online shopping day of the year, with a record $7.7 billion in sales—a 17.6% increase from $6.6 billion in 2017.
Indeed, that weekend is at the center of the few weeks in the entire year that many businesses depend on to put them into the black.
But if that’s where the profits are, that’s where the criminals are. They follow the money. And if an organization is breached and its customers’ data are compromised, the potential damages are by now well-known but worth repeating: erosion of brand and reputation, lost sales, decline in market value, possible lawsuits, and possible sanctions for compliance violations.
Not to mention that the raw cost of responding to the breach, eradicating malware, rebuilding files from a ransomware attack (or paying the ransom), and restoring normal operations can easily run into the millions.
Not the kind of thing any business wants to be coping with during a make-or-break time of year.
So if you’re a retailer, what should you be doing?
Actually, Steve Giguere, sales engineer with Synopsys Software Integrity Group, says it’s what you should already have been doing.
“If you’re looking for last-minute suggestions on building secure software and haven’t yet got early-stage threat modeling and architectural risk analysis followed by some automation to check code as developers create it, you may be in trouble this late in the game,” he said. “But those are great suggestions for next year.”
Still, better to start than to rely on hope that you’re not a target. You are—just like everybody else.
And there are things you should be doing, both so your infrastructure doesn’t get overwhelmed by the shopping onslaught and so you secure both your organization and your customers. They include:
Be ready to ramp up. It’s obvious that if you’re not ready to sell more, customers can’t buy more. So you need “highly available and rock-solid systems to deal with what has become a predictable yet simultaneously overwhelming demand,” said Nick Murison, managing consultant at Synopsys. And not just with underlying IT infrastructure. “Retailers also need to ensure their applications can handle the onslaught, be it their website, their mobile apps, or their in-store payment terminals,” he said.
Know where you do business and what compliance requirements are. The EU’s General Data Protection Regulation (GDPR) is the most famous, but other countries, and some states, have requirements about the use of data and how it is collected, stored, and protected. The penalties for violations could wipe out your profits and more.
Encrypt, encrypt, encrypt. Make sure all customer data, both in storage and in transit, are protected with robust encryption and a key management solution. If you do get breached, those data will be useless to an attacker.
Secure your corner of the cloud. If you’re in the cloud, you—not your provider or whatever data security solution you may be using—are responsible for securing customer data. Review your cloud security policies. Make sure your data security solution can expand to meet increased demand and gives you sole control of your encryption keys.
Find vulnerabilities and fix them. Run vulnerability assessments—manual penetration testing—on your devices, systems, and platforms. Set priorities and close the most important gaps first. Remember, you can’t be bulletproof, but you can make yourself a more difficult target. Hackers go for the easiest targets.
If there isn’t time to do all that this year, then launch a software security initiative (SSI) to protect both your own systems and your customer data well before the next holiday season. “Poor software security leading to information disclosure of customer data can now lead to business-altering fines in Europe,” Murison said. Indeed, fines for failure to comply with GDPR customer privacy regulations can be as much as 4% of annual revenue.
Hire an expert data security provider. For companies that don’t have in-house security experts, “services from Cloudflare and Akamai are available to mitigate the risks of a DDoS,” Giguere said, adding that application security tools like WAFs (web application firewalls) and RASP (runtime application self-protection) also help. “These are no substitute for security development practices, however,” he said.
Don’t create “specialist” domains for the holidays. Stick with “yourcompany.com” rather than creating something like “yourcompanyBlackFriday.com.”
“It’s worth understanding the value of your domain because it will likely already be whitelisted by newsletter subscribers and previous shoppers,” Giguere said. A specialist domain “may not only be for nothing, as many endpoint security systems will block your marketing efforts, but it also sets a dangerous precedent for hackers and malicious phishing enthusiasts to follow,” he said.
Get past passwords. Move to a system like FIDO (Fast Identity Online), which stores PII (personally identifiable information) on a user’s device and sets up a multifactor authentication system that is simple and seamless. You can learn about it from the nonprofit FIDO Alliance.
Separate your infrastructures. Make sure your POS (point-of-sale) infrastructure is not connected to your corporate infrastructure. Unless, of course, you want to be the next Target.
Probably the most important is, don’t be in a rush.
Indeed, the advice about how to stay safe online during the mega shopping season remains pretty much the same from year to year: Don’t click on unsolicited links. Go to a retailer’s website yourself. Use two-factor authentication. Don’t re-use passwords.
And most people are, by now, at least generally aware of sketchy emails or pop-up ads on websites, promising that the best deals ever on the things you want most are just a click away.
It’s when they’re in a hurry that they click without thinking—and then fall victim to a list of potential horrors: credit card fraud, identity theft, ransomware, and more.
And the pressure to get the right gift at the “This day only!” discount before it sells out is more than enough to motivate millions of people to click before they think.
Don’t. You’re likely to find out that there is no great deal for that great gift, and that the money you had to buy it is gone.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.