Given the untimely festive lockdown that cast a shadow over the UK in December 2020, many families will be eyeing an extra special Christmas this year.
For some, this will mean spending a little extra on gifts for loved ones. PwC’s Pre-Christmas Survey reveals that more than a quarter of UK citizens plans to spend more this year, with only 8% expecting to spend less.
The average spend across all age ranges and regions is expected to increase from £384 in 2020 to £428 in 2021. This is predicted to amount to £21bn in spending on presents and celebrations.
With the pandemic still ongoing and many still worried about the idea of frequenting crowded shopping centers, many of these purchases are likely to be made online. Indeed, according to PwC’s survey, 67% of people are planning to complete their Christmas shopping either partially or wholly online – up from 55% in 2019.
This aligns with our own findings here at Menlo Security; our survey of 2000 employed people revealed that 63% of people in the UK (65% in the US) plan to complete more online Christmas shopping in 2021 compared to previous years.
It’s easy to see the benefits of online shopping, from greater convenience to wider choice. However, there are many drawbacks, with online shopping posing an increasingly difficult challenge from a cybersecurity perspective.
As we all know, hybrid working models have been adopted by many companies, and the lines between work and home have become blurred. Within this new normal, many individuals are opting to use their work devices for personal activities and vice versa, such as shopping for Christmas presents online.
Our research backs this up, with more than half of our survey respondents stating that they have performed non-work-related tasks on company devices. In fact, nearly half of respondents (45% in the UK; 48% in the US) reported shopping for gifts this festive season on a work-issued device, be it a laptop, a mobile phone or other.
For cyber-attackers, this represents an opportunity – one they are attempting to capitalize upon by adapting their practices.
As of mid-November 2021, it was observed that one phishing campaign used by threat actors was posing as supermarket chain Lidl, enticing targets with the promise of free prizes should they complete a survey.
"As we all know, hybrid working models have been adopted by many companies, and the lines between work and home have become blurred"
Further, last year saw a series of logistics smishing scams take place, with threat actors posing as organizations such as Royal Mail and DHL and sending updates about expected deliveries to draw targets into clicking malicious links.
Such activities are rising in frequency; Menlo Security’s survey showed that 48% of UK workers and 58% of US workers have observed an increase in scams and fraudulent messages this festive season.
This awareness is of use. For example, most respondents (80%) express concern about their personal data being stolen while online shopping, and many recognize the threats.
Looking at the UK, malware is recognized by 81% of respondents, ransomware by 61% and credential phishing by 45%. HTML smuggling is also acknowledged by 16% of UK respondents, with just over one in 10 (12%) not familiar with any of the aforementioned online threats.
It is promising to see that many are also taking proactive measures to protect themselves with this knowledge.
Again, analyzing sentiment in the UK, steps taken to combat cybercrime include the use of strong passwords (71%), antivirus software (58%), only shopping with familiar online retailers (55%), confirming that URLs/emails do not have suspicious characters (37%), checking for the lock next to a URL (46%) and using a singular dedicated card for online shopping (20%). Further, less than one in 30 don’t take any such measures when online shopping.
These are undoubtedly positives, but the major challenge stems from the fact that nearly two-thirds of people feel secure from cyber-threats when using a company device and are therefore more willing to undertake activities that may expose their corporate networks to a variety of vulnerabilities.
Companies, therefore, need to take the initiative to properly protect themselves, achieving by adopting zero trust-aligned principles, architecture and technologies.
Zero trust takes a default ‘deny’ approach to security, rooted in the principle of continual verification. It recognizes trust as a vulnerability and therefore commands that all traffic – be it emails, websites, videos, documents or others that originate from inside or outside an organization – should be verified.
To achieve zero trust in its truest sense, isolation can be used. This technology shifts the browsing process from the desktop to the cloud, preventing malicious payloads from executing on the endpoint.
Isolation-based zero trust does not leave anything to chance, capable of stopping cyber-attacks and threat actors in their path 100% of the time.