Black Friday, 26th November, and Cyber Monday, 29th November, are key times of the year both for retailers and for cyber criminals.
The pandemic has changed the way that we shop, with more businesses than ever getting online. But by increasing your business's visibility, you also increase the risk of your business being attacked by a cyber criminal.
Cyber criminals love retailers: the personal data and payment details this sector handles are exactly the information criminals want in order to make money.
In the last year 1 in 8 retailers faced a cyber-attack, according to data published in a report by the financial auditor Grant Thornton.
Verizon's 2021 Data Breach Investigations Report recorded that System Intrusion, Social Engineering and Basic Web Application Attacks represent 77% of breaches in the retail sector, but it also noted that retail suffered a high number of Denial of Service (DoS) attacks.
Imagine this situation:
At the start of the week, you notice your website is slow and then fails to respond altogether. Your company has been targeted by a DoS attack. You receive a ransom demand saying that unless you pay, they will repeat this throughout the Black Friday and Cyber Monday period. What would you do?
In amongst this DoS noise the criminals are also trying to get malware into your system, but because of the DoS attack you don't notice.
On Black Friday and Cyber Monday, the sale starts at 00:01hrs, just at the time that your IT support are tired, sleeping or even shopping. Even if you paid the ransom, they might still try to get the malware into your system while you have a higher volume of traffic, distorting your network "normal".
Afterwards, if you have paid the ransom, be prepared for more ransom demands: you've paid once, so why wouldn't you pay again? And if the criminals got malware into your systems, this is the time that the data breach and theft will take place, now that you have boosted your customer and payment database.
Businesses need to recognise that Black Friday and Cyber Monday, when staff are already extremely busy, may be ideal times for a phishing attack to be overlooked, and that phishing could be a precursor to these other attacks. An incident response plan could be a great start to thinking about what you would do if you were in this situation. The ECRC has developed a free incident response plan as a starting point for businesses. Download your free plan.
Top tips to build your resilience:
Use strong, unique passwords – passwords should be complex. The NCSC recommends using three random words to generate strong passwords. Take a memory (the tree fell down, smashed the fence and the dog escaped) and take three words from it: EscapedSmashedTree. Add in some capital letters, symbols and numbers and you have a strong password. If you are like us at the ECRC and have too many passwords to remember, use a password manager.
Enable 2 Factor Authentication (2FA) wherever possible – strong passwords can only protect your accounts so far; the passwords could be stolen in a data breach or a phishing attack. 2FA protects your accounts further, as the criminal won't have the second piece of verification. If you want more information on 2FA, watch our videos.
Backup your data – if the worst happens, and a criminal gains entry to your system and encrypts all of your data, you want to be sure that you can recover as quickly as possible – ideally without having to pay a criminal! Backing up your data (and testing that your backups work) can help your recovery. Backups should be automatic and offline.
Update your devices and systems – criminals know about published vulnerabilities and will actively look for companies which are still running those vulnerable systems. Make sure that your company isn't part of the low-hanging fruit for criminals: update your devices and software as soon as possible after an update is released.
Be aware of the phish – phishing, in all its forms (email, text, voice calls), is the most common attack method used by cyber criminals. Successful phishing campaigns can lead to access to your systems, fraud, theft and data encryption. Staff are both the weakest link and your strongest protection. Ensure that they know what to look for in a phish, what to do if they do unfortunately fall for it (it will happen), and what to do even if they don't. You can read all about phishing URLs in our other blog.
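The backup tip above says to test that your backups actually work. The script below is an added example, not code from the ECRC or from any backup product, showing what "testing" means in practice: take a backup of a directory, record its checksum, then prove the backup is good by restoring it to a scratch location and comparing it file by file against the original. The sample data it backs up is constructed inline; the function and variable names are the example's own assumptions.

```shell
#!/bin/sh
# Added example: back up a directory, then verify the backup by checksum and a
# full test restore. A backup that has never been restored is an assumption.
set -eu

# make_backup SRC_DIR ARCHIVE
# Creates a gzipped tar of SRC_DIR and writes ARCHIVE.sha256 beside it.
make_backup() {
  src="$1"; archive="$2"
  tar -czf "$archive" -C "$src" .
  sha256sum "$archive" > "$archive.sha256"
}

# verify_backup SRC_DIR ARCHIVE
# Returns 0 only if the archive still matches its recorded checksum AND a
# restore into a temporary directory reproduces SRC_DIR exactly.
verify_backup() {
  src="$1"; archive="$2"
  # Step 1: detect a corrupted or tampered archive before trusting it.
  sha256sum -c "$archive.sha256" >/dev/null 2>&1 || return 1
  # Step 2: real test restore, compared byte for byte with the live data.
  scratch=$(mktemp -d)
  tar -xzf "$archive" -C "$scratch"
  if diff -r "$src" "$scratch" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -rf "$scratch"
  return $rc
}

# demo_backup_cycle
# Builds a constructed dataset (a couple of retail-style files), backs it up,
# verifies it, then corrupts the archive and confirms verification now fails.
# Returns 0 if both outcomes are as expected.
demo_backup_cycle() {
  work=$(mktemp -d)
  mkdir -p "$work/data/orders"
  printf 'order_id,customer,total\n1001,alice,49.99\n' > "$work/data/orders/2021-11-26.csv"
  printf 'hostname=shop-web-01\n' > "$work/data/config.txt"

  make_backup "$work/data" "$work/shop-backup.tgz"
  verify_backup "$work/data" "$work/shop-backup.tgz" || { rm -rf "$work"; return 1; }

  # Simulate bit rot / tampering: append a byte to the archive.
  printf 'x' >> "$work/shop-backup.tgz"
  if verify_backup "$work/data" "$work/shop-backup.tgz"; then
    rm -rf "$work"; return 1   # corruption went undetected: that is a failure
  fi
  rm -rf "$work"
  return 0
}

# Run the full cycle when invoked directly with BACKUP_DEMO=1.
if [ "${BACKUP_DEMO:-}" = "1" ]; then
  demo_backup_cycle && echo "backup verified and corruption detected"
fi
```

In production the archive would be copied to offline or immutable storage after `make_backup`, and `verify_backup` would be run on a schedule against that copy rather than the one still sitting on the web server; the point is that the restore step, not the backup step, is what tells you the data is recoverable.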