Holiday Season Increases Cybersecurity Risks

Forbes Technology Council

Managing Director of Cyber Security Consulting at Verizon.

The holiday season has long been a bonanza for retailers, but the increase in sales can also attract threat actors looking to capitalize on the spike in transactions. Retailers needing to meet customer demand are forced to tap additional resources, but those seasonal resources—temporary workers and equipment that may not have been used since last holiday season or, in some cases, the onset of the pandemic—may introduce additional vulnerabilities.

Here’s a look at some of the most pervasive cyberattacks during the holiday season, as well as some tips for retailers looking to protect themselves during a period of elevated risk.

The Threats

Let's start with some of the biggest threats facing retailers this year.

Payment Card Data

Payment card data theft remains one of the most common forms of cyberattack in retail, accounting for 37% of breaches this year, according to our 2023 Data Breach Investigations Report (DBIR). One of the most insidious methods cybercriminals use to obtain payment card data is embedding malicious code within a retailer’s credit card processing page. The page keeps working normally while customers’ payment data is siphoned off, so the theft often goes undetected. According to the 2023 DBIR, 70% of payment card breaches originated from web applications, with another 8% coming from PoS servers.

Typosquatting

Typosquatting refers to the use of commonly mistyped domains to impersonate retailers in order to dupe unsuspecting customers. This is a year-round method, but it’s especially effective this time of year, as consumers are often in a rush to complete their shopping checklist. In their haste, customers are less likely to verify information and more likely to enter payment card information impulsively. Threat actors take advantage of the lure of time-sensitive offers during Black Friday and Cyber Monday to acquire valuable personal information.

Ransomware

According to the 2023 DBIR, ransomware continues to be a major threat across industries, accounting for almost a quarter of breaches (24%) and doubling in median cost over the last two years. Ransomware can pose an even greater risk to retailers during the holiday season. Retailers can’t afford any of their systems or data to be held hostage during their busiest season, which makes them more likely to give in to especially extortionate demands.

The Solutions

Next, let's look at a few solutions for these risks.

Threat Mitigation

Mitigation services and threat intelligence can help retailers identify vulnerabilities and defend against cyberattacks, such as the aforementioned typosquatting and compromised credit card processing pages. These services can establish a defense in a number of ways, including proactively monitoring for and rooting out typosquatted domains and, in some cases, tracing them back to the threat actors behind them.
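The typosquatting described above and the monitoring this section recommends can be illustrated with a small brand-protection script. The example below is added here; it is not part of the original article and not a Verizon tool. It generates the single-edit look-alikes of a retailer's domain (omitted, doubled, swapped and adjacent-key characters, plus common alternative TLDs) and checks a list of observed domain names against that watch list. The brand domain, the observed names and the abridged keyboard map are all constructed for the example; in practice the observed list would come from a newly-registered-domain feed or certificate transparency logs.

```python
# Abridged US-QWERTY adjacency map, constructed for this example.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}

# TLDs a shopper might type, or a squatter might register, instead of the real one.
COMMON_TLDS = ("com", "co", "net", "org", "shop", "store")


def typo_candidates(domain):
    """Return look-alike domains one edit away from `domain`'s name part,
    plus the same name under the other common TLDs."""
    name, tld = domain.lower().rsplit(".", 1)
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])            # omitted character
        variants.add(name[:i] + name[i] + name[i:])      # doubled character
        for n in QWERTY_NEIGHBOURS.get(name[i], ""):     # adjacent-key substitution
            variants.add(name[:i] + n + name[i + 1:])
    for i in range(len(name) - 1):                       # two neighbours swapped
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    variants.discard(name)                               # the real name is not a typo
    candidates = {f"{v}.{tld}" for v in variants if v}
    candidates.update(f"{name}.{t}" for t in COMMON_TLDS if t != tld)
    return candidates


def flag_lookalikes(brand_domain, observed_domains):
    """Return, sorted, the observed domains that are typo variants of the brand.
    `observed_domains` stands in for a registration or CT-log feed."""
    watch = typo_candidates(brand_domain)
    return sorted(d.lower() for d in observed_domains if d.lower() in watch)


# Constructed sample feed: the real domain, four look-alikes and one unrelated name.
BRAND = "examplestore.com"
OBSERVED_FEED = [
    "examplestore.com",    # the retailer's own domain, must not be flagged
    "exmaplestore.com",    # swapped characters
    "examplestor.com",     # omitted character
    "examplestoree.com",   # doubled character
    "examplestore.co",     # alternative TLD
    "exampelstore.com",    # swapped characters
    "unrelated-shop.com",  # unrelated, must not be flagged
]

if __name__ == "__main__":
    for d in flag_lookalikes(BRAND, OBSERVED_FEED):
        print("look-alike registered:", d)
```

Each flagged name is a candidate for a takedown request or for an outbound block, and the watch list itself can be handed to a domain-monitoring service so newly registered matches raise an alert rather than being found after customers have been duped.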

Compliance

PCI 4.0 is the global standard for technical and operational requirements to protect account data. Compliance is among the most important priorities for retailers, especially given the threat presented by payment card data breaches. Though it’s a months-long process, compliance isn’t binary. Every step you take toward PCI 4.0 compliance makes your retail operation more secure. Now is as good a time as any to start that journey.
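The compromised checkout page from the Payment Card Data section and the PCI 4.0 compliance work discussed here meet in one concrete control: PCI DSS v4.0 requirement 6.4.3 asks that every script loaded on a payment page be inventoried, authorized and integrity-checked. The following script is an added example, not code from the article or from Verizon, showing what that check can look like offline: it parses a checkout page, compares each external script against a written inventory, requires a Subresource Integrity attribute on third-party scripts, and compares inline scripts by SHA-256 against an approved set. The checkout HTML, the inventory and the hostnames are all constructed for the example; the `integrity` digest in the sample page is a placeholder, not a real hash.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


def inline_hash(script_text):
    """SHA-256 hex digest of an inline script body (the same value a CSP
    'sha256-...' source is derived from)."""
    return hashlib.sha256(script_text.encode("utf-8")).hexdigest()


class _ScriptCollector(HTMLParser):
    """Collects every <script> element with its src, integrity attribute and body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._body = None  # accumulates data while inside a <script> element

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": ""})
            self._body = []

    def handle_data(self, data):
        if self._body is not None:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._body is not None:
            self.scripts[-1]["body"] = "".join(self._body)
            self._body = None


def audit_payment_page(html, inventory, approved_inline):
    """Return a list of (finding, detail) tuples for scripts that are not in the
    written inventory, lack SRI when fetched from another origin, or are inline
    scripts whose hash has not been approved."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        src = s["src"]
        if src:
            if src not in inventory:
                findings.append(("NOT_IN_INVENTORY", src))
            # A hostname means the script is fetched from another origin:
            # require an integrity attribute so a swapped file cannot load.
            elif urlsplit(src).hostname and not s["integrity"]:
                findings.append(("MISSING_SRI", src))
        else:
            digest = inline_hash(s["body"])
            if digest not in approved_inline:
                findings.append(("UNAPPROVED_INLINE", digest))
    return findings


# Constructed checkout page: three sanctioned scripts, one sanctioned script missing
# SRI, one script nobody inventoried, and one inline script nobody approved.
CHECKOUT_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3/" integrity="sha384-PLACEHOLDER-constructed-digest"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
<script>window.checkoutConfig={currency:"USD"};</script>
<script src="https://static.unknown-cdn.example/poll.js"></script>
<script>var f=document.querySelector("form#payment");</script>
</head><body><form id="payment"></form></body></html>"""

# The written inventory PCI DSS 6.4.3 calls for: exact src values that are authorized.
INVENTORY = {
    "/static/checkout.js",
    "https://js.payments.example/v3/",
    "https://cdn.analytics.example/tag.js",
}

# Hashes of the inline scripts the team has reviewed and approved.
APPROVED_INLINE = {inline_hash('window.checkoutConfig={currency:"USD"};')}

if __name__ == "__main__":
    for kind, detail in audit_payment_page(CHECKOUT_PAGE, INVENTORY, APPROVED_INLINE):
        print(f"{kind}: {detail}")
```

Run against a copy of the live page on a schedule, this turns an injected skimmer script into a `NOT_IN_INVENTORY` or `UNAPPROVED_INLINE` finding at the next check instead of a breach discovered months later, and the same inventory and hash set feed directly into a Content Security Policy for the payment page.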

Staff Training

Social engineering is often used to install ransomware in a network. Social engineering preys on human error, which, according to the 2023 DBIR, plays a role in 74% of breaches. Therefore, staff training can help defend against these kinds of attacks. Teaching employees how to spot and avoid common phishing, smishing and other social engineering attacks can greatly reduce breaches caused by the human element. Staff training is especially important when retailers’ ranks swell with seasonal staff who can cause inadvertent damage if not properly trained.

Plan For The Long Term But Start Now

If cybersecurity hasn’t been top of mind for your organization, try to do what you can as the holiday shopping season ramps up. PCI 4.0 compliance can take months to complete, with a global target date of March 2024, but every step on the path toward compliance should make your retail operation safer. Train your full-time staff as well as your seasonal staff. Button up your operation as best you can for the holiday season with an eye toward enhanced security and standards in the new year.

