Bah humbug, bugs, bots and what you didn’t bargain for. By Martin Walshaw, senior systems engineer at F5 Networks.
For online consumers, ’tis the season to be jolly. For businesses, it’s a time where the retail chain may be forged in life. For hackers, it’s a poor excuse for picking a man’s pocket.
To avoid data becoming dead as a doornail, retailers must deliver a better intuitive, connected experience for the consumer to shop online. With the likes of easy access sign-in through devices designed for functionality over security, retailers increase their digital exposure without necessarily thinking about the impact it has on their own defences.
Seasonal retail sales can provide significant openings for hackers, as spikes in traffic put pressure on bandwidth and network capacity. So, what the Dickens is going on?
The ghost of an idea
In South Africa, online spending is forecast to grow to over R53-billion by 2018, from around R37 billion in 2016. Black Friday, Cyber Monday and Christmas will all make a sizable contribution to this upward trajectory.
Unfortunately, the race for seasonal profit often sees retailers take their eye off the cybersecurity ball in a bid to drive business, including scaling back security measures to capture a bigger slice of the digital retail pie.
The ramifications of a security breach for retailers cover both loss of trust and loss of revenue — the former if the breach includes customer data; the latter if the attack brings down the site (or in-store technology). To protect against this, retailers need to adopt a multi-layered approach of on-premises solutions and the cloud to keep their online services safe. Volumetric, DDoS attacks will require a flexible mitigation solution to protect the network, the session and the user.
Against the recent threatening backdrop of WannaCry and Petya, the cybersecurity stakes are higher and more far-reaching than ever before. Research company Cybersecurity Ventures predicts that, by 2021, the annual cost of global cyberattacks could hit an eye-watering $6 trillion.
So, do retailers have a ghost of a chance to protect themselves? Our online shopping behaviours, which invariably reach fever pitch during the holiday season, are certainly creating a goldmine for unscrupulous cybercriminals.
Humbug, I hear you say? Well, the sheer scale of retail-based attack vectors can be difficult to fathom, particularly as our spending habits spread worldwide in the hunt for the best bargain.
In a recent PayPal survey, 43% of surveyed South Africans made a cross-border purchase last year. While the overall shopping experience is increasingly interconnected and accessible to the masses, it is also more user-friendly and profitable for cybercriminals — not least because other targets like financial services institutions are becoming distinctly harder nuts to crack.
Data is the gravy
The prize for customer data is rich pickings for unscrupulous cybercriminals. ‘There’s more of gravy than of grave about you, whatever you are,’ might be the sentiment from the retailers.
For retailers, staying safe is a relentless task, but necessary to safeguard customer data and vital applications.
Fortunately, there are a range of advanced security solutions for organisations to arm devices in real-time against all manner of online threats, without the user having to do anything. This snuffs out the danger of things like users being misled to bogus websites or having their credentials exposed through malicious scripts, which target the application, user and device. Today, device and behavioural variables can be rapidly ascertained, seamlessly clearing the way for honest consumers to shop away while malware or nefarious bots are left out in the cold.
Strong threat analysis measures should be in place to capture any irregularities from the outset. At the very least, online retailers should ensure they have “Trusted Shop Certificates”, which guarantee a minimum, but standardised level of security and consumer trust. Even so, the stark truth is that, without some form of fraud protection, they are walking on very thin ice.
Switched-on retailers can also give customers invaluable credit card peace of mind by using solutions that rigorously encrypt at the application level, ensuring that any data intercepted by troublemakers is impenetrable.
To conquer the seasonal holiday onslaught, the onus is on retailers to deliver an intuitive, connected experience for consumers. A sustainable, consumer-facing website needs to focus security efforts as closely as possible to the application.
Notably, the ability to scale into the cloud is fast emerging as an e-commerce prerequisite to ensure customer satisfaction, business continuity and profit. This calls for robust security measures at every juncture, including identity and access management (IAM), encryption/decryption technologies (SSL/TLS), as well as anti-fraud and DDoS mitigation technologies. A Web Application Firewall (WAF) is also essential for online businesses, as they rely on web-enabled applications. Available in any deployment scenario (and as a standalone service), a strong WAF solution will protect apps and data from known and unknown threats, defend against bots that bypass standard protections, and virtually patch app vulnerabilities.
Spirit of the future
As the story goes, ‘there are some upon this earth who lay claim to know us, and who do their deeds of passion, pride, ill-will, hatred, envy, bigotry and selfishness in our name’.
However, there is no point being a Scrooge when it comes to cybersecurity. Retailers can do much more to prevent attacks occurring. The amount of data being transferred across the internet is only growing and service providers must protect the traffic they are managing. Like many other online sectors, retail is becoming more reliant on infrastructure providers to provide the first layer of defence against targeted attacks on network traffic.
Consumers want to shop with peace and goodwill and peace of mind. In time, organisations that are compliant and provide secure online services will earn trust and associated repeat custom.
Those operations that ignore the learnings of the past will soon become obsolete. Indeed, “if they would rather die… they had better do it, and decrease the surplus population”. Or perhaps, if both retailers and consumers get into the spirit of cybersecurity, then we will bear witness to a prosperous future and enjoy a happy New Year.