It's the time of year when thoughts drift to images of sugar plum fairies and chestnuts roasting on an open fire. Unfortunately, it's also the time of year for thinking about how to prevent data breaches.
As the Christmas shopping season has shifted online over the years, bad guys have followed all that money in an effort to take advantage of all the personal financial data moving back and forth. And, as research data from security vendor ZeroFOX shows, they're capitalizing on a growing array of attack vectors to get at consumer data.
Perhaps no day of the year presents more opportunity for hackers—and more need for vigilance from retailers and consumers alike—than Black Friday. A recent Forbes report predicted that 2019 Black Friday sales will hit a record $7.5 billion.
"… following the money makes Black Friday a veritable magnet for criminal chancers of all varieties, which means more links and attachments delivering malware, more social engineering to separate you from your login credentials and more need for security awareness to be front and center," read the Forbes post.
But Black Friday is just the opening bell, as the opportunities for data thieves will persist throughout the season. A recent Security Boulevard post detailed many of the ways in which the opportunity for breaches will remain ripe through the new year, including projections that more than $1 billion in holiday e-commerce sales will be rung up every day through December.
That's an awful lot of credit card data with which to tempt the bad guys.
Also, in a classic example of self-fulfilling prophecy, more than 40% of surveyed shoppers say they'll be looking to purchase connected devices this holiday season—so they'll be able to make even more online purchases going forward.
The importance of retailers staying a step ahead of the threat landscape has already been on display, thanks to a suddenly familiar target: Macy's. The retailer's trustworthiness took a hit at the worst possible time of year when it revealed a breach that occurred between Oct. 7 and 15, during which data thieves made off with an undisclosed number of consumer names, addresses, payment card numbers, security codes and expiration dates. The breach came just months after Macy's disclosed a separate breach that occurred between April and June.
But as is typically the case, one company's misery is everyone else’s shot across the bow. And there's no reason to believe that a high-profile, pre-holiday breach won't sharpen everyone's focus as the holiday season picks up.
According to a piece in Independent Retailer, retailers can home in on a few threat vectors that are the most likely to burn them. Topping the list is staff, which, either accidentally or maliciously, accounts for 90% of all data breaches. And when it does start with the bad guys, it's usually going to fall into three buckets: unauthorized access, phishing or denial of service and ransomware attacks.
Given that list, it's no surprise that Independent Retailer recommends more staff training, attention to cybersecurity basics, and regular testing and monitoring of security measures as effective strategies for minimizing risk.
Meanwhile, Stephen Bowes, head of technology for BSI, recently wrote on Irish tech news site Fora that retailers should consider a number of proactive steps, including having an icon that confirms for shoppers that there's security in place for online purchases, verifying the origins of emails, ensuring compliance and offering transparency about data collection practices.
But the burden doesn't fall solely on retailers. Consumers can help prevent breaches, especially if they consider adopting a few practices suggested in a recent piece in Forbes. To begin with, the piece recommends never providing any real bank or credit card information, and instead using services like Privacy.com or Blur to create temporary payment cards that link to checking accounts and credit cards but keep all the associated data private.
Forbes also suggests getting serious about creating strong and unique passwords and using a password manager such as Last Pass to help keep track of them all. Last, Forbes recommends using an email spoofing tool that obscures consumers' real email addresses by setting up disposable email addresses that point toward the real ones.
It's all solid advice, but through it all, we can't help but think there's another perspective to consider: Namely, assume breaches will occur, because they will on a somewhat regular basis. If you're on a corporate security team, that means taking the steps to minimize the impact of an inevitable breach. For consumers, the message is simpler: If you want your data to be as safe as possible, then keep an eye on it, engage in safe data practices and share as little as possible.
None of this will guarantee that data stays safe for the holidays, but it certainly can't hurt.