Secure your Online Sales from Cybersecurity Threats during the Holiday Season
The holiday shopping season is upon us. Typically, it begins around Black Friday, goes through Cyber Monday, and extends until the New Year. This year, online retailers are pushing the boundaries with “Black November” in the hopes of improving their online sales. Amazon even went further with its Amazon Prime Day event in October. With the uncertainty around in-store shopping due to COVID-19 and the risk of infection, many customers are choosing to make their purchases from the safety of their own homes. What should you expect? If your business includes e-commerce, look for more users and devices connecting to your sites to access applications than in past years.
The Good News…and the Bad
The good news for e-tailers is that overall sales are expected to grow this holiday season, which is critical as many businesses rely heavily on holiday shopping to meet their yearly revenue targets. Predictions for holiday spending vary, ranging from flat to +3.5 percent. However, one thing is clear. Online sales will take center stage. Results from an annual survey by the National Retail Federation (NRF) and Prosper Insights and Analytics indicate that the majority of consumers (60 percent) plan to make their purchases online this year. They’re not the only ones who anticipate growth in online shopping. The International Council of Shopping Centers (ICSC) is estimating a 25 percent increase in e-commerce sales, while Deloitte forecasts online sales to grow 25-35 percent during the holiday season compared to 2019, generating $182 billion-$196 billion.
So, what’s the bad news? Just as online sales are at the forefront, so is cybersecurity. Retailers aren’t the only ones looking to capitalize on the increase in online spending. The holiday shopping season offers hackers an opportunity to profit as well. We’ve already seen a huge uptick in cyber-threats due to COVID-19. Now, online holiday shopping provides cyber-criminals with additional motivation to launch their attacks. Let’s take a look at some of the top threats online retailers are up against.
- Phishing – Phishing and its variants, including spear-fishing and whaling, are email-based attacks that leverage social engineering techniques to fool recipients into providing sensitive information to the attacker. While spear-fishing and whaling attacks are more targeted than phishing, all three forms attempt to get the victim to read the email, click on a link, possibly open an attachment, and ultimately disclose valuable personal or corporate information.
- Ransomware – Ransomware attacks, which seek to extort money from victims by encrypting access to files or entire systems until they pay the attacker a ransom, have become increasingly popular in recent years. Much of this has to do with the potential to make large sums of money from the ransoms. Another reason for the rise in ransomware attacks is the availability of ransomware-as-a-service (RaaS) kits, which are inexpensive to purchase on the black market, making it easy for novice hackers to launch their own attacks. Phishing emails are the top threat vector to distribute ransomware.
- Distributed Denial of Service (DDoS) – DDoS attacks are designed to stop a computer, server, website, or service from operating by flooding it with internet traffic generated by an army of bots called a botnet. The tremendous growth in Internet of Things (IoT) devices, many of which are not secured, has made it easier for attackers to take control of more devices and create botnets. DDoS attacks can be especially damaging to e-commerce businesses during the holiday shopping season if customers can’t access their websites to make purchases.
- Malware – Malware attacks take many forms including viruses, worms, spam, spyware, and more. Some malware threats such as spam are more of an annoyance, while others such as viruses and worms can spread across a network infecting systems and negatively impacting their performance and user productivity. Similarly, spyware can slow down your systems. However, it can also be used to report sensitive information such as passwords back to the hacker.
- Injections – Injection attacks such as cross-site scripting (XSS) and SQL injections are used to exploit vulnerabilities in web applications by injecting malicious code into a program, which then interprets the code and changes the program’s execution. In other words, it gets the application to do something unintended such as alter the behavior of a website or expose confidential data like login credentials to the attacker. E-commerce businesses hit with an injection attack could find their customers redirected to a fake site which illegally harvests customer information.
The Consequences of Poor Cybersecurity
While these attacks occur year-round, they reach new heights during Black Friday, Cyber Monday, and December as more shopping goes virtual. As a result, cybersecurity takes on added importance. If your organization isn’t prepared to stop malware, DDoS attacks, and other threats, the consequences of a successful attack could be significant. Here’s what your organization could be facing.
Lost Revenue – Perhaps the biggest impact to any organization is revenue lost as a result of an inability to sell products or services online. Any downtime to a web server that prevents customers from making a purchase is damaging to online sales and can potentially have a severe impact, especially for smaller organizations.
Data Theft – The increase in online shopping during the holiday season is a lure for cybercriminals to launch attacks aimed at stealing corporate and customer data. Phishing emails claiming to have information on fake shopping receipts, shipping status, and customer surveys are very popular during the holidays.
Disruption of Services – DDoS attacks can target services that we deem essential. So can ransomware. E-commerce sites, public utilities, and schools are just a few examples of their victims. Shutting down access to a service, even for a short period time, can have major financial and social impacts.
Damaged Reputation – Damage can extend beyond short-term financial losses and data theft. Consumer confidence and brand reputation can quickly erode when consumers have a poor online experience. Customers aren’t shy about using social media to express their displeasure.
Reduced Productivity – It’s not just customers who feel the impact of a successful attack. If your employees can’t access the applications they need to do their jobs, expect to see a drop in productivity with an accompanying rise in undesirable workarounds.
Steps to Take for the Holidays and Beyond
Cybersecurity isn’t just something to think about during the holidays. It’s an everyday concern. Fortunately, there are some things you can do to keep your applications, your network, and your organization safe from threats, especially during times when online shopping spikes.
First, look for a solution that provides DDoS detection and mitigation to ensure your services are continually available to legitimate users. Hackers have learned how to weaponize IoT devices to launch complex multi-vector and volumetric attacks capable of bringing down application servers and entire networks. Second, protect your web-based applications with web application firewall (WAF) technology. Outdated applications are especially vulnerable to attacks. A WAF will secure them from hackers looking to exploit HTTP and web application-based flaws. Third, find solutions that meet your current and future platform needs. You may not have made the transition to the cloud yet, but chances are you have some cloud-based apps, so be sure your solution is ready when you are, whether it’s to a hybrid cloud or multi-cloud infrastructure. And finally, continue to educate your employees on the need for good cyber hygiene. According to a 2019 IBM study, 95 percent of cybersecurity breaches are caused by human error.
If you’re looking for assistance with application availability and protection from cyber threats such as DDoS attacks, application vulnerabilities, and malware, A10 Networks can help. Our Thunder® Application Delivery Controller (ADC) provides high-performance advanced load balancing that can be extended on a global basis to ensure your applications are always available worldwide. Our Polynimbus secure application services approach will help you gain greater visibility across your hybrid cloud or multi-cloud deployment. Thunder ADC incorporates application security with ICSA-certified WAF and DDoS protection as well as DNS server protection with DNS application firewall (DAF). Tight integration with A10 Harmony® Controller provides central management and analytics, with a drill-down map by country that gives you an at-a-glance view of attack information when you’re busy. No matter where you are in your journey to the cloud, A10 Networks has a Thunder ADC solution to meet your needs with hardware, virtual, bare metal, and container platforms.
For the highest performance in DDoS detection, mitigation, and cloud protection, A10 Thunder Threat Protection System (TPS) delivers industry-leading precision, intelligent automation, and scalability that’s powered by machine learning. Thunder TPS takes a proactive approach by leveraging reputation data from over three dozen security intelligence sources to instantly assess and block traffic from millions of known bad actors.
The holidays are here and that means more online shopping. If your organization engages in e-commerce, expect to see a spike in your web traffic from eager customers. Remember that securing your applications, servers, and networks from cyberthreats is essential, not just during the holidays but all throughout the year.