The Christmas holiday and retail sales period that follows is often credited with providing retailers with a disproportionate amount of the year’s profits. As consumers continue to shift toward spending in the online environment, businesses are doing their best to capture a slice of the digital pie.
Relatively new retail trends such as the Black Friday and Cyber Monday sales in November are giving customers new reasons to seek online exclusive deals, and there is certainly money to be made: there was a 12.2% increase in online spending in the UK this year over that single long weekend.
What does this mean for retailers? Alongside the considerable logistics and fulfilment concerns, the strength of your cyber security policies and procedures can make or break the season. As websites see increased traffic they also hold more customer accounts and payment details, which makes them a richer target for attackers. A single ransomware attack could see your business lose the opportunity to trade through the busiest time of year.
It’s clear the stakes are high. So, what should your business be doing to protect against digital incursions? In an ideal world, your current cyber security protocols would be sufficient to absorb the additional traffic and risks of the holiday period. And as online retailing becomes an ingrained consumer habit all year round, it’s prudent to make sure your operations are protected whatever the season.
As we’ve touched on before, the largest cyber security vulnerability is often end user behaviour. When employees click on phishing email links or open attachments carrying hidden malware, anti-virus software alone cannot be relied on to stop it. Likewise, customers using your website may be completely unaware of basic security habits such as changing passwords or removing stored card details from individual websites.
You cannot control customer behaviour directly. One way to influence it, however, is to enforce strong password requirements on customer accounts so that the passwords are harder to guess or crack. This recent Sainsbury’s Money Matters infographic shows some of the steps shoppers can take to stay safe online.
You can also inform customers and clients of how you will communicate with them, and confirm that you will never ask for personal or payment details via email. Educating them about your communication methods may make them alert to phishing attempts.
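The password requirements mentioned above are easy to state and easy to get wrong. As an added example (not code from the original article or from Mustard IT), the following server-side check accepts or rejects a new customer password. It enforces a minimum length, refuses passwords that appear in a list of known breached passwords, and refuses passwords built from the customer’s own e-mail address. The breached-password list and the sample e-mail addresses are constructed for illustration; a live deployment would load a much larger list or query a breached-password service instead of embedding one.

```python
"""Server-side password policy check for customer accounts.

Added example, not code from the original article or from Mustard IT.
The breached-password list below is a constructed sample; a real
deployment would load a far larger list rather than embed one.
"""
import re
import unicodedata

# Constructed sample of passwords seen in public breach dumps,
# stored lower-case so the membership test is case-insensitive.
BREACHED_PASSWORDS = frozenset({
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "christmas2017", "blackfriday", "iloveyou", "welcome1",
})

MIN_LENGTH = 12
MAX_LENGTH = 128  # upper bound keeps password hashing cost predictable


def normalise(password: str) -> str:
    """NFKC-normalise so visually identical Unicode forms compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, email: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed customer password.

    Rejects passwords that are too short or too long, that appear in the
    breached list (with or without a trailing year or symbol), that contain
    the customer's own e-mail local part, or that are trivially patterned.
    Composition rules (must contain a digit, a symbol, ...) are deliberately
    not enforced: length plus a breached-list check resists cracking better
    than forcing "Password1!" style patterns.
    """
    pw = normalise(password)
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"

    lowered = pw.lower()
    # Strip a trailing run of digits/symbols so "Password2017!" is still
    # caught by a list that only holds "password".
    stem = re.sub(r"[\W\d_]+$", "", lowered)
    if lowered in BREACHED_PASSWORDS or stem in BREACHED_PASSWORDS:
        return False, "appears in a list of breached passwords"

    local_part = email.split("@", 1)[0].lower()
    if len(local_part) >= 4 and local_part in lowered:
        return False, "contains your e-mail address"

    if len(set(lowered)) == 1:
        return False, "single repeated character"
    if lowered.isdigit():
        return False, "digits only"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    samples = [
        ("Password2017!", "alice@example.com"),
        ("alice.smith-shops-online", "alice.smith@example.com"),
        ("correct horse battery staple", "alice@example.com"),
        ("111111111111", "bob@example.com"),
    ]
    for candidate, addr in samples:
        accepted, reason = check_password(candidate, addr)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```

The check runs on the server, not in the browser, so it cannot be bypassed by a customer or an attacker who skips the page’s JavaScript. The breached-list lookup is the part that does most of the work: a long password that is already in attackers’ wordlists is no safer than a short one.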
Audit your current cyber security protocols
An ounce of prevention is better than a pound of cure, and this certainly applies to the realm of cyber security. Throughout the year, schedule time to audit your company’s policies and procedures. Check that the following are up to date and robust:
- Software updates and patches,
- Vulnerability management,
- Malware protection,
- Website script security, including third-party scripts and plug-ins,
- Monitoring services, and
- Anti-virus programs.
Verifying each of these will confirm that your internal security is current. If you’re unsure about the latest threats or developments in web security, enlist a trusted team to help you assess your level of security, either via an audit or penetration testing.
Identify current high-risk data
Identify what sensitive data your business holds, and where it is stored. If the data is stored by a third party (such as on external servers), speak to your provider about how the data is protected. It’s prudent to seek out any weaknesses in your data protection processes. This also includes data handling by staff or by automated processes (such as plug-ins on your website). Regularly audit staff access to data, and assess whether permissions are still up to date and relevant.
The implementation of the GDPR is looming, and it’s foolish to think that your business will be unaffected by it. Knowing what data is classed as ‘sensitive’, where it is held and who can access it is the foundation both for protecting it and for meeting your reporting obligations if an incursion does occur.
Incident response and disaster recovery
Smart business operators know to act as if it’s a matter of when an attack will occur, not if. Online shopping creates vulnerabilities, no matter how stringent protections are. Do you know what to do if an attack is identified? Creating an incident response procedure can:
- Give business owners confidence,
- Provide a step by step list of actions to take, so nothing is missed,
- Direct staff to act quickly and focus attention on urgent tasks,
- Provide an impartial, rational document to follow in a stressful situation, and
- Limit damage and costs to the company.
Disaster recovery is the other side of the incident response coin. After the threat is detected and dealt with, there will likely be some clean-up and recovery to do. The aim here is to minimise down time so that your business can trade and continue to take advantage of online consumer spending. Alongside down time, any data breaches and losses will need to be identified. A solid disaster recovery plan could address:
- Data recovery options,
- Press kits or media contacts to communicate with customers if required,
- Regulatory reporting obligations, and
- Back-up systems and how they operate.
As part of your disaster recovery plans, a reliable back-up of system and client data should be maintained at all times. Data back-ups should be conducted regularly, and automatically where possible. Having copies of data will help specifically in cases of ransomware attacks, where a workstation or network may be immobilised under threat of ransom. It may be possible to disconnect infected computers and restore from back-ups, thereby minimising down time. For that to work, at least one copy must be kept offline or otherwise out of reach of an attacker who has access to your network, and restores should be tested before they are needed, not discovered to be broken during an incident.
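A back-up is only useful if you can tell that it is intact before you restore it. As an added example (not code from the original article or from Mustard IT), the script below records a SHA-256 manifest of a back-up tree, then checks a restored copy against that manifest and reports files that are missing, altered or unexpected. It runs entirely inside a temporary directory on a small constructed data set, and simulates a ransomware-style overwrite of one file to show what the check reports. The manifest itself must be stored somewhere the attacker cannot reach; if it sits next to the back-up on the same share, an attacker who encrypts the data can regenerate the manifest too.

```python
"""Back-up manifest and restore verification.

Added example, not code from the original article or from Mustard IT.
Builds a constructed sample data set in a temporary directory, records a
SHA-256 manifest of the back-up, damages one file the way ransomware
would, and shows that the restore check catches it.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large back-up sets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root, POSIX style) to its SHA-256."""
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_restore(root: Path, manifest: dict[str, str]) -> list[str]:
    """Compare a restored tree against a stored manifest.

    Returns a sorted list of problems ("missing: ...", "altered: ...",
    "unexpected: ..."). An empty list means the tree matches exactly.
    """
    problems = []
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"altered: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo() -> tuple[list[str], list[str]]:
    """Run the whole flow on constructed data; returns (clean_result, damaged_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        backup = Path(tmp, "backup")

        # Constructed sample of a small retailer's data set.
        (live / "orders").mkdir(parents=True)
        (live / "orders" / "2017-11-24.csv").write_text("order_id,total\n1001,49.99\n")
        (live / "customers.json").write_text('{"id": 7, "email": "alice@example.com"}')

        # Take the back-up and record its manifest. In practice the manifest
        # JSON is written to a location the back-up host cannot modify.
        shutil.copytree(live, backup)
        manifest_json = json.dumps(build_manifest(backup), sort_keys=True)

        clean = verify_restore(backup, json.loads(manifest_json))

        # Simulate ransomware: one file overwritten with ciphertext-like
        # random bytes and a ransom note dropped alongside it.
        (backup / "customers.json").write_bytes(os.urandom(64))
        (backup / "README_DECRYPT.txt").write_text("pay up")

        damaged = verify_restore(backup, json.loads(manifest_json))
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("clean back-up problems:", before)
    print("damaged back-up problems:", after)
```

Run the same `verify_restore` step against a test restore on a spare machine as part of the regular back-up schedule; a manifest that has never been checked against a real restore tells you only that the files were copied, not that they can be brought back.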
Online shopping isn’t going anywhere but up. Consumers are excited by the ease and convenience of shopping online. For some businesses, there are seasonal peaks and troughs in spending. The peaks are stressful enough without trying to implement security processes and policies at the same time, so it is crucial to have these things in place before the busy times arrive. When procedures are routine, more energy can be spent on shoring up resources to meet the increased traffic and risk.
About Mustard IT, your cyber security partner
Mustard IT provide the design, build, and installation of secure IT servers and networks, alongside extensive cyber security consulting and process implementation. Our trusted team are experienced and able to explain complex issues to you in a language you’ll understand. Contact us today to find out how we can help you.