The past two years have presented some really unique challenges and opportunities for the sector. Brexit, COVID, increased fuel costs and inflation have all made their mark. But as we approach Christmas there is an expectation of increased footfall both through the digital and physical shop doors. However, the increase in digital presence and sales also presents an opportunity for cybercriminals to steal your money, your data, and your customers.
98% of UK businesses are now operational online in one way or another, benefiting hugely from the use of online websites, social media accounts, and online banking, and with the ability for customers to shop 24/7 online it is no surprise that cybercrime is trending upwards.
Online shopping surged 30% amid the global pandemic and in the run-up to Christmas 2020.
70% of shoppers bought goods online - significantly higher than the 55% in 2019. It is highly anticipated that online sales will remain strong again this festive season, following numerous news stories warning the public about stock shortages for things like festive food and gifts.
So here at the Eastern Cyber Resilience Centre we ask this question to the whole sector
Can you afford to take another hit from scammers and cyber criminals?
If not, spend a little bit of time and effort to beef up your cyber resilience, and make sure that next few weeks provide you with a much-needed profit bonanza ahead of tough early 2023.
Cyber Attacks in the Headlines
Most of the reported attacks against retail relate to big companies – but remember – small is not safe. Small businesses are more likely to be victims of a cyber-attack than a large one.
In October of 2021, supermarket chain Tesco announced that their website and app were offline after a deliberate attempt was made to disrupt their services. In a similar incident, Costco suffered a data breach after finding a payment card skimming device had been set up in one of its warehouses.
In April of 2022, The Works made the headlines when the UK retailer was forced to close some stores with others forced to only transact using cash after they were faced with a cyber-attack. Many stores then faced the knock-on effect of delayed stock arriving and some customers having online orders deliveries arrive much later than promised.
The Works said all debit and credit card transactions were processed outside its own systems by third parties, so customer payment data had not been compromised by the attack. But the company was forced to hire forensic cybersecurity experts to investigate the attack and didn't know if other data had been accessed.
Common website cyber threats
If you don’t understand the jargon talk to us at the centre
Weak passwords allow criminals to log in to your systems – no technical experience required but easy to fix from your point of view.
Your website isn’t updated with the latest security patches – criminals know when security patches are released and will look for those sites which haven’t been updated and therefore have a known security issue that they can exploit.
Your website is vulnerable to SQL injection attacks – this is a technique where a criminal places malicious code into SQL statements via web page inputs and could potentially destroy your database!
Your website is vulnerable to XSS (Cross-site scripting) attacks – this is where the criminal compromises the interactions that users have with your website or application.
Your website has insecure direct object references – this is part of access control implementation mistakes which can lead to access controls being circumvented and a criminal able to access your valuable data.
Do you know if your website is vulnerable?
The only way to really know is to test your site. But do you really want to know? Nothing bad has happened so far and if you don’t know about it then surely you can’t be guilty of not fixing it?
But ask yourself these questions:
How would the people that you represent feel if their sensitive data were stolen and sold?
How would your supply chain feel if their confidential data were leaked?
Would your customers have expected you to do everything you could to protect their data?
What website testing is available?
There are a number of different tests that can be run on your website, from fully automated scans to an ethical hacker attempting to exploit everything a cyber criminal might do, and of course these range in cost, based on the type of testing and the size/complexity of the infrastructure.
The ECRC offers two affordable website testing options:
- First Step Web Assessment - this is a set fee of £250
- Web App Vulnerability Assessment - you can get a free of charge quotation to see how much this service would cost your business
What's the difference between the assessments?
Our CyberPATH students can provide two levels of website review. The first step web assessment, is intended to give you reassurance on the basic set up of your site. It looks at the products used to configure your site, and the way they are put together, to establish whether there are likely to be known vulnerabilities. It focuses on more obvious vulnerabilities, with simpler fixes.
The full web app test looks at how the web products are configured and made to work. It takes a more intrusive approach to testing whether they are all used in the most secure way possible.
| First Step Web Assessment | Web App Vulnerability Assessment |
Reconnaissance/enumeration Identifies the structure of the site and how it is made up | X | X |
Automated Vulnerability scan Checks whether the site has a number of known vulnerabilities | X | X |
Sensitive Data Exposure Checks whether user data input to the site is being properly protected | X | X |
Vulnerable and Outdated components A manual version scan of products used by your site, checking for known vulnerabilities | X | X |
Broken Access Control Tries to bypass credentials to get into the inner workings of your site | | X |
Insecure Design A check on how the components of your site are put together, and any resulting insecurity | | X |
SQL injection/ cross site scripting Checks whether user data input to the site can be used to break in | | X |
Security Misconfiguration/ XML external entities Ensures configurations are properly complete, and don’t leave ports exposed | | X |
Broken Authentication Checks whether the system prevents ‘brute force’ password breaches | | X |
Software and data integrity failure Checks if the site performs adequate checks before updating components | | X |
Security logging and monitoring failure Does the site monitor failed logins so you can take preventive action? | | X |
Server side request forgery Can access be gained via your site onto the server itself? | | X |
Report length | 2 - 3 pages | Extensive |
What next?
The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of data and permanent loss of reputation. But all is not lost.
Here at the centre, we would advise you to do three things now
Join our free core membership. Start implementing some simple changes now and start protecting your organisation, staff, customers, and supply chain. Join the centre as a free member and we will take you as far as the Cyber Essentials accreditation process. And if you want to pay for the assessment, we can refer you one of our Trusted Partners – all regionally based cyber security companies that can help you become accredited.
For all businesses across the Eastern region we would recommend that you look at improving your overall cyber resilience and work towards achieving Cyber Essentials accredition – the basic government backed kite mark standard for cyber security. And remember that a company operating under Cyber Essentials processes is 99% protected either fully or partially from today’s common cyber-attacks. Our free Little Steps course can help you understand what you need to do.
Consider our affordable cyber services and see if they are right for your company. We're always happy to have a chat about CyberPath and the services that we can offer. Why not find out more?
Whatever you decide to do, doing nothing is no longer an option. Here at the ECRC we are already working closely with hundreds of organisations across the seven counties to help them tackle the continually changing cyber threats that they face. So come and join our community as free members and let us help you protect your organisations from the ever presents threats out there in the cyberverse.
Reporting a live cyber-attack 24/7
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.
Reporting a cyber-attack which isn't ongoing
Please report online to Action Fraud, the UK's national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Comments