As seen on Toolbox Security

Cyber Monday is around the corner, and that means, among other things, that attacks on e-commerce platforms will spike. Retail analysts' forecasts make Cyber Monday 2020 a high-stakes security test for online retail businesses of all sizes. In this post, Source Defense's Matthew McGuirk passes along a well-timed warning on what companies can do to shore up their defenses ahead of this online-heavy holiday shopping season.

While the 2020 calendar marks November 30 as Cyber Monday, every day in the holiday shopping season could be Cyber Monday in the pandemic era. But business leaders overseeing e-commerce sites shouldn't break out the eggnog to celebrate yet, not when hackers are just as eager for Cyber Monday as they are.

This is because criminals always follow the money, and the money is clearly going online: COVID-19 has driven an unprecedented e-commerce boom, as curbside pickups and contactless deliveries have enabled consumers to continue living their lives while following physical distancing recommendations from health officials. 

As a result, U.S. e-commerce sales will grow 32.4% year over year to $794.50 billion in 2020, according to a forecast from eMarketer. Before the outbreak, this level of online spending wasn't anticipated until 2022. In contrast, brick-and-mortar sales are projected to decline by 3.2%, to $4.71 trillion.

Given the shift, e-commerce holiday sales will surge by 25% to 35% this season, generating between $182 billion and $196 billion, according to Deloitte's annual forecast. But overall holiday spending will top out at $1.15 trillion, a relatively flat increase of 1.5%. In fact, 52% of Americans plan to sit out Black Friday, and only 22% expect to do the majority of their holiday shopping in physical stores, according to Morning Consult.

That's why hackers, the cyber grinches of the season, are now planning for Cyber Monday and the weeks that follow. Some may have already compromised their retail victims and are simply waiting for the spending season to officially launch.

Meanwhile, companies are more dependent than ever on third-party vendors to support online sales: a typical site runs 40 to 60 third-party tools and adds three to five new third-party technologies every year. Each of those tools is code that executes in the customer's browser, which further exposes the business to compromise, because attackers know third parties are the weak link in the supply chain and target them.


So what threats can businesses expect? Stealthy attacks that steal credit card information from unsuspecting customers are the top concern. In formjacking and Magecart schemes, cyber thieves inject malicious JavaScript into e-commerce websites to skim data from online checkout pages.

Formjacking accounts for 87% of web breaches, while 2020 has seen 425 Magecart incidents per month. What makes these attacks so effective (and harmful) is that the legitimate transaction still goes through: the skimmer copies the card details as the customer submits the form and then lets the order complete normally. Customers therefore have no idea that a cyber crook has stolen their credit card data until the card is used in an unauthorized transaction later.

In a high-profile case in 2019, for example, Macy's disclosed in the weeks before Cyber Monday that credit card-skimming Magecart code had been present on its checkout and wallet pages. The code captured customers' data on those pages if they entered their credit card information and clicked "place order." Macy's cybersecurity team removed the code by October 15.

To avoid a similar situation, companies need to start preparing now to meet the challenges associated with protecting their customers and the integrity of their online transactions.

To do so, they should address the following questions:

Are we capable of preventing these attacks?

E-commerce security teams must put real-time safeguards in place that stop an attack before customer data leaves the browser, rather than relying on an after-the-fact detection strategy, which only tells you that customer information has already been stolen and abused.

Are we enforcing zero trust? 

It's critical for e-commerce businesses to develop zero trust strategies that restrict third parties to only the information they are authorized to use, so they cannot read customers' private and payment information. This is the principle of least privilege, a central tenet of zero trust. Currently, 85% of organizations have budgeted for zero trust initiatives.


What technologies are we using to enforce that zero-trust model?

Many technologies solve part of this problem but not the problem itself. A Content Security Policy can limit which origins a page may load scripts from and send data to, and Subresource Integrity can pin a script to a known hash, but neither stops an approved vendor script that has itself been compromised from reading the checkout form and sending the data to a destination the policy already permits. Isolating third-party code and enforcing real-time behavioral control over what it may read and where it may send data is the only technique that addresses the problem end to end.

Do we have a complete risk profile?

Security teams need to inventory both internal and third-party risks to know what threats exist and how to stop them. They must build this profile well in advance of Cyber Monday so they are positioned to defend customer data before there is a problem. As part of this process, they should view web pages as their customers do, from the browser side, instead of strictly from the server side. Why? Because the page the customer sees is the page the attacker targets, and a skimmer injected into a script that loads from a third-party CDN never touches the merchant's own servers, so server-side inspection alone will not find it.

If there is money to be made, there will always be cyber grinches. Fortunately, if e-commerce businesses address these four questions, deploying real-time monitoring and zero trust enforcement while maintaining full awareness of their risk profile, they will keep these hackers from getting their hands on their customers' credit card information.

PCI DSS 4.0 makes client-side security a priority.

Source Defense delivers a solution for requirements 6.4.3 (inventory, authorization and integrity of scripts loaded on payment pages) and 11.6.1 (change- and tamper-detection for payment pages as received by the consumer's browser) without adding a burden to your security teams.