Data privacy is top of mind for consumers, with almost daily reports of breaches leaving them at risk of identity theft. eCommerce operations are especially exposed to security threats. A breach can be very damaging to the business that suffers it, both financially and in reputation, and the legal consequences of carelessly losing customer data are becoming more severe. Online fraud attempts during the 2017 holiday season were up 22% from 2016 and could continue to rise throughout the remainder of the year. As the holiday season approaches and customers increasingly do their shopping online, several factors make the risks higher than normal.
Factors increasing holiday risk
- The increase in sales volume helps attackers to cover their tracks. When software runs slowly or erratically, managers and employees may just assume their systems are being pushed to the limit in order to handle the influx of holiday traffic. Security software may register more false positives, obscuring any real problems.
- IT employees take time off during the holidays, and it becomes harder to monitor systems properly when the best people are on vacation.
- Temporary employees are brought in to handle the increased volume of business. Their lack of experience combined with the need to create many new accounts for these employees can create security risks.
- Employees often use their work computers for holiday shopping. If they get fooled by nasty websites or email fraud, they could let malware onto their machines.
- Excitement or stress from travel, parties, and shopping makes people pay less attention to their work responsibilities, and they may become less aware of any new or ongoing security issues during this time.
- Some seasonal advertising could be “malvertising”: online ads that put harmful scripts on trusted pages.
Customer privacy concerns
Legal requirements to protect personally identifiable information (PII) have grown stronger in recent years. As the volume of customers jumps toward the end of the year, the need for care becomes urgent.
For businesses that handle credit cards, PCI compliance is essential. Failure to handle card data securely can lead to the loss of card processing privileges.
Additionally, Europe’s GDPR, which went into effect in May 2018, put in place stricter requirements for data privacy and the handling of customers’ data. Although GDPR is a European Union regulation, it applies to businesses around the world, not only those based in the EU. The penalties for negligence or for failing to report breaches promptly can be huge, so shielding customers’ data from security threats is more crucial than ever before.
How to keep risks under control
The basics of security do not change during the holiday season; they just come under more stress.
- Review existing security measures, make sure that all software is up to date and firewalls are working properly, and protect all parts of the network with security software.
- Test security of systems with penetration testing tools and/or services. These tests should be capable of identifying vulnerabilities included in the Open Web Application Security Project (OWASP) top 10 at a minimum. Advanced tools and services can test for full PCI-DSS compliance.
- Have a policy on how to handle security breaches. Dealing with them quickly minimizes their damage.
- If possible, keep IT security people on call during the holidays. They deserve their vacations, but answering the occasional question about a suspicious situation takes little time and should be treated as a priority. Use a VPN (virtual private network) so that vacationing employees can access the network securely.
- Temporary employees need to follow standard security measures including creating strong passwords and limiting the use of company computers for personal purposes. Temporary accounts should have the least privileges necessary to do the job and should be terminated promptly when they leave.
- All employees need to be particularly careful with email as attractive-looking greeting cards and offers could contain Trojan Horses. Make sure spam filtering is working properly and remind employees not to open suspicious mail.
- Limit or eliminate the use of removable media, which can carry viruses from one computer to another. With central file servers and cloud systems, there’s little need for removable media today.
- The easiest way to avoid PCI problems is to avoid handling credit cards at all. Letting specialized payment services do the work improves security and removes the need to deal with credit card fraud internally. Companies that do handle card data need to understand techniques such as encryption and tokenization, which reduce the potential exposure of sensitive data.