The UK’s second national lockdown means that the mass discounting we’ve become accustomed to from retailers in the run up to Christmas have been almost exclusively online this year.
For many brick and mortar stores - as well as the multitude of new micro retail businesses that have started up during the pandemic - this will be the first time taking their festive sales online.
Despite lockdown lifting in just a couple of days, and non-essential stores set to re-open, it’s highly likely that retailers will still be relying heavily on their online operations to make much needed sales before Christmas.
Along with any opportunity naturally comes increased threats - in this instance, in the form of cyber threats from hackers looking to capitalize on increased ecommerce traffic. There are a number of things that businesses can do right now to protect themselves from some of the most common threats.
Develop a DDoS prevention and response plan
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt traffic to a website. For ecommerce businesses hoping to attract significantly more traffic during the festive period, a DDoS attack is potentially fatal.
Perform a risk assessment to understand what vulnerable entry points there are in your network - and attempt to fix them. Make sure you’ve nominated a response team and built a plan to identify who’s responsible for doing what in the event of an attack.
Monitor POS software providers
It’s really important to do your due-diligence on your Point-of-Sale (‘POS’) software. Will all of your customer and payment data be encrypted to ISO 27001 standards? Does the provider have a good history of operational ‘uptime?’
The moment that your customers enter their personal and financial information is key. Failure of the POS software can result in downtime, preventing that sale from being made. It could also enable hackers to steal the personal and payment details of your customers, which would have significant legal and liability implications.
Understand your PCI-compliance requirements
If you accept debit or credit cards as a payment option, you’ll need to assess your PCI compliance annually and maintain compliance 24/7. The PCI Security Standards Council exists to implement standards for creating secure payment solutions and, if followed correctly, can help protect your customers and ensure that your payment mechanism is not vulnerable to infiltration by hackers.
Not only that, but also be aware that PCI assessments, fines and penalties for alleged or actual breaches of compliance can be extremely expensive and can result in reputational damage.
Undertake rigorous testing of email systems
Email systems are prone to malware and vulnerabilities. If taking orders over email, or if using email to communicate with customers, it’s vital that your email system remains protected from security breaches. Make sure you use strong passwords (with a combination of numbers, letters and special characters) and consider using multi-factor authentication for setting and changing passwords.
Encrypt sensitive data
Encryption software converts data into ciphertext (unreadable text) to prevent highly sensitive data within payment transactions from being useful to malicious third parties - giving you an extra layer of security. Encryption is good practice to implement across all of your critical systems and networks where critical data is stored or processed. It should also be a prerequisite for any third party or service providers you engage with for technical or IT services.
Ensure regular back-ups
Backing up your data (your customers’ and employees’ personal and financial information, your commercial data and inventory/stock records, etc) will put you in a good position when trying to get up and running after a cyber-attack or any other downtime. Back-up technology is becoming increasingly seamless and secure, so it's a worthwhile investment.
Implement ongoing firewall and network monitoring
Good firewalls will prevent malicious intrusions and activity on your website and systems from outsiders. They should be updated regularly in line with advice from the provider to ensure you are benefiting from the leading protection. Having a monitoring system in place (behind the firewall) will flag any intrusion, activity or unusual behavior which could provide cause for concern.
Educate your customers
Lapses in cybersecurity might not happen at your end, but with your customers. Consumers are far more likely to have weaker passwords, no basic cybersecurity and less of an awareness around phishing.
Therefore, be sure to communicate clearly with your customers about the type of communication (and frequency) you will have with them, so they don’t fall for any phishing emails or malicious third parties pretending to be you.
By taking this guidance into consideration, online retailers can concentrate on making the sales they so desperately need in the coming weeks - with minimal external threats.