With the holiday season approaching, cybercriminals are increasing their phishing attacks. Follow these tips to ensure you and your customers don’t get stuck between a rock and a ransomware payment.
The holiday season is upon us. And despite the emergence of the Delta variant, a volatile supply chain and a nationwide labor shortage, online spending is still expected to increase 11% this year, reaching $910 billion globally. This is good news for many retailers, but it’s also a prime season for cybercriminal organizations, which have already been working overtime since the start of the pandemic. This year, for example, cybercrime is predicted to inflict damages of $6 trillion globally, more than any country’s economy other than the US and China.
Security Gaps Lead to Security Incidents
The topic of cybersecurity can feel a bit daunting, especially given the numbers cited above and the growing list of large companies that have suffered breaches over the past year. However, regardless of the increased frequency and severity of cyberattacks, there’s one factor that remains constant—cybercriminals typically go after low-hanging fruit. When you dig into the source of many security breaches, you usually find that basic security hygiene steps were overlooked or ignored:
- Software patches were several months out of date.
- VPN software credentials weren’t shut down after an employee left the company.
- A sensor or other production equipment was exposed to the internet, leaving it vulnerable to hackers.
The examples listed above are just a small sample of security mistakes organizations make – to their detriment. One of the best ways to detect these blind spots is by building or assessing your organization’s cybersecurity program and aligning it to an industry-standard framework. A commonly used framework is the NIST Cybersecurity Framework (CSF) developed by the National Institute of Standards and Technology (NIST). It effectively balances the need to be thorough while still being approachable for organizations new to leveraging and maintaining a cybersecurity framework.
Using Third Parties to Assess Your Organization’s Risk
Suppose you don’t have the in-house IT expertise or bandwidth to conduct a security audit. In that case, you may need to hire a cybersecurity firm to perform an assessment of your organization’s cybersecurity risk and help you develop an incident response (IR) plan. Here are two primary types of testing to consider:
- Tabletop exercises. These services typically take about four hours. The process entails bringing the IR team and other key stakeholders into a room and running through various “what if” scenarios. For example, the leader may ask, “Suppose several of your network files were locked during a ransomware attack. How would you restore the files?” The person responsible for this process would explain how the files are backed up, including how often and the file restore procedure. The leader could then ask several probing follow-up questions, such as, “When was the last time you successfully restored a backup file, and how long did it take?”
- Red team and purple team assessments. While tabletop exercises are good at getting employees to think through scenarios, assessments take things to another level. For example, a red team assessment involves ethical hackers using penetration-testing (pen test) tools to attempt to break into your network the way a real attacker would. The ideal assessment is a purple assessment, which gets its name from red plus blue (i.e., the security defenders), each working independently of the other. A purple assessment typically takes two weeks to complete.
Embrace a “Zero Trust” Security Strategy
Within the last couple of years, the term “Zero Trust” has gained popularity. This security strategy can be summarized as “never trust; always verify.” It also follows the principle of least privilege, which means only giving users access to files and shares necessary to perform their job duties. The pandemic brought the concept of Zero Trust to the forefront, as corporate offices emptied and millions of workers started working from home.
Whether you’re new to this strategy or know it well, and whether you have an e-commerce site that’s about to see a massive spike in traffic over the next couple of weeks or not, here are a few Zero Trust best practices you should keep in mind:
- Protect your customers from typosquatters. Have you ever accidentally mistyped a company’s URL but still landed on a website? For example, maybe you left out the “o” in “Amazon.com,” and it opened a shopping site that somewhat resembled Amazon’s. This is an example of typosquatting, a social engineering technique used by cybercriminals to redirect victims to malicious sites to steal their data. Some companies try to prevent this problem by buying all similar spellings of their domain.
However, a more practical and less costly approach would be to choose a domain provider that includes this service, known as homographic protection. For example, TrueName by Donuts incorporates advanced anti-phishing technology with its domain registration service. The service automatically prevents bad actors from misappropriating a customer’s brand, business and identity through homographic phishing.
- Give your email an AI advantage. Email-based phishing scams increase exponentially during the holiday season. Common scams try to trick users into clicking on malicious links by claiming a credit card has been suspended, a shipment is delayed, or an order has been canceled. Likewise, fake charity and mobile app scams use the same psychological tricks to steal payment data. Hackers carefully tailor attacks to their victims by collecting publicly available personal information about them and playing to their sense of urgency to get a response. Research from Barracuda found that 3% of employees will click on a malicious email, exposing the entire organization to attackers.
The best way to combat this problem is by implementing a comprehensive email protection solution that includes an AI-based next-generation email gateway. The AI acts as an extra set of eyes, learning the unique communication patterns of each organization and spotting and quarantining anomalous emails, even if the emails don’t contain obviously malicious signals, such as malware or links to compromised domains. In addition, this technology should be paired with email security awareness training that includes phishing simulation, a safe way to remind employees about being more careful about handling emails from unknown sources.
- Eliminate weak passwords with IAM. According to the 2019 Verizon Data Breach Investigations Report, more than 80% of data breaches result from an attacker logging into a customer’s applications using stolen passwords, often initiated by an email phishing attack. The problem with passwords is that to be effective, they need to be hard to guess, but to be usable, they need to be easy to remember.
The best way to avoid this conundrum is with an identity and access management (IAM) solution. An IAM solution allows IT administrators to manage users’ digital identities and access privileges securely and effectively. It also enables multi-factor authentication (MFA) and single sign-on, which improves security without harming the user experience. Plus, an IAM allows administrators to assign role-based access control, track and report user activity, and enforce corporate and regulatory compliance policies to protect data security and privacy.
- Use SSL encryption. SSL stands for secure sockets layer, a security protocol that creates an encrypted link between a web server and a web browser. In short, SSL keeps internet connections safe and prevents criminals from reading or modifying information transferred between two systems. When site visitors see a padlock icon next to your URL in the address bar, it gives them confidence that anything they share during their session, including sensitive information such as their SSN or credit card data, is protected. The cost for an SSL certificate can range from less than $10 a year (e.g., a domain validated SSL certificate from Comodo SSL starts at $7.95 a year) to $249 (e.g., a GlobalSign Domain SSL).
Not only does this small investment protect your site visitors’ data, but it also helps your SEO (search engine optimization) with Google, which no longer indexes sites that don’t use SSL certificates.
- Ensure end-to-end payment encryption. One area of your website that could present a security weakness, especially if your site isn’t built on one of the standard out-of-the-box platforms (e.g., WordPress, Wix, Squarespace), is your payment processor integration. So besides ensuring your site is encrypted and you’re working with reputable payment processors (e.g., Stripe, PayPal, Clover, Datacap, North American Bancard), it’s vital that the integration and connection between your site and processors are encrypted.
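As an added example that is not part of this article or of any product it mentions, here is a small Python check in the spirit of the typosquatting and homograph-protection item above: given a domain (for instance one pulled from a link in an inbound email), it reports whether the name is a one-keystroke typo of a protected brand, an ASCII look-alike such as “rn” standing in for “m”, or an internationalized (punycode or raw non-ASCII) name. The protected-domain list and the confusable table are constructed assumptions for the example.

```python
from typing import Optional
import unicodedata

# Brand domains to defend: a constructed list for this example.
PROTECTED_DOMAINS = ["amazon.com"]

# ASCII sequences that read as another letter at a glance ("rn" for "m").
# A constructed, deliberately small table; real deployments use a fuller confusables list.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def normalize_label(label: str) -> str:
    """Reduce a DNS label to a skeleton: NFKC-fold, lower-case, collapse confusable pairs."""
    label = unicodedata.normalize("NFKC", label).lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insertions, deletions, substitutions and swaps cost 1."""
    d = [[i if j == 0 else j for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def lookalike_reason(domain: str) -> Optional[str]:
    """Return why `domain` resembles a protected brand, or None if it does not."""
    host = domain.lower().rstrip(".")
    if host in PROTECTED_DOMAINS:
        return None
    # A punycode label (xn--) carries non-ASCII characters: an IDN homograph candidate.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "idn-homograph"
    # Raw non-ASCII that was never encoded, e.g. a Cyrillic letter standing in for a Latin one.
    if not host.isascii():
        return "non-ascii-homograph"
    skeleton = ".".join(normalize_label(label) for label in host.split("."))
    for brand in PROTECTED_DOMAINS:
        if skeleton == brand:
            return "confusable-substitution"  # e.g. "arnazon.com" folds to "amazon.com"
        if edit_distance(skeleton, brand) <= 1:
            return "typosquat"  # one dropped, added, swapped or wrong character
    return None
```

The check compares the whole host name against each brand, so a brand name buried as a subdomain of some other registrable domain needs a separate rule.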
As technology continues to evolve, it’s no surprise that the notion of trust is being examined when it comes to accessing data. The benefits of a Zero Trust program can securely advance an organization’s business objectives. A Zero Trust architecture assumes a breach is inevitable but can prevent it from exposing data to loss. Also, with a Zero Trust architecture, organizations can customize their security for their specific data and assets.
This holiday season will be challenging for companies and their employees in many ways. However, by putting policies, training, and technology in place to guard against seasonal cyber threats, you and your customers can safely ring in the New Year with your data, networks, applications and identities intact and secure.