Where there’s a sale, there’s fraud.
Fraud and other cyber-crime incidents always spike around popular sales events – holidays, Black Friday, Cyber Monday, and Memorial Day are some of the best times of the year for fraudsters. People are busier than usual making personal arrangements and preparing for those blockbuster sales everyone loves. As a result, things get missed, corners get cut, and less attention, in general, is given to any one particular task. Fraudsters are under the exact same crunch preparing to take advantage of this perfectly normal behavior. It’s up to the individual to remain vigilant.
Here are some things you can do to help ensure website security through big events:
- Do a pre-event software update check – This is really stating the obvious but it never hurts to repeat. Many software companies will release small, bugfix-only updates in the weeks leading up to large online events. Critical patches should be applied within 7 days of release, less serious patches should be applied within 30 days of release.
- Review admin-level accounts and privileges for your store, marketing software, and any internet-facing servers and tools. Disable or delete unused accounts. Update permissions according to the Principle of Least Privilege – https://learn.microsoft.com/en-us/azure/active-directory/develop/secure-least-privileged-access.
- Increase your fraud protection offering – More shoppers means more fraud. According to the TransUnion Holiday Retail Fraud Survey, 46% of customers are concerned about being the victim of fraud when shopping online.
- Prepare your customer service team – Ensure your processes are clear and concise and include a tested method for validating that a customer is who they say they are. Hold security training sessions focusing specifically on phishing campaigns – what they are, why they work and how to spot them. There have been a number of high-profile, very successful phishing campaigns in recent months. Studies show that >90% of all incidents now begin with a phishing email.
- Follow the most recent NIST password recommendations – NIST recently overhauled its guidelines for password creation. They now advocate using easy-to-recall-but-lengthy “passphrases,” replacing the traditional minimum-length, minimum-complexity password requirements. A passphrase has the advantage of being far easier for a person to remember than a password made up of 16 random characters, which in turn reduces the chances of someone reusing passwords, writing passwords down, or otherwise storing them insecurely. As always, the longer the password/passphrase, the more difficult it is to crack.
- Verify your systems do not store any credit card data unencrypted – Ideally, you would not store any cardholder details at all; if you must, the data has to be encrypted at rest. Storing unencrypted cardholder data is one of the most common, and most easily corrected, risks found today. Once a hacker gets access to a system, they have access to any and all data the software on that server has access to. More often than not, that access includes sensitive customer data. The only defense left at this point is encryption. It may not stop a hacker, but it is another obstacle they must deal with before they can sell your precious data on the dark web. A trusted sensitive data discovery tool can potentially save you some serious headaches.
- Perform new vulnerability scans – Ideally, this would be done on a continual basis but must be done at least quarterly. An emergency maintenance window right in the middle of your Black Friday sale is great news for your competitors. Being proactive is key.
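To make the NIST passphrase point above concrete, here is an added example (not code from the original post or from Open Professional Group) that puts a traditional complexity-rule policy side by side with a NIST SP 800-63B style policy: length and a blocklist check, no composition rules, spaces and Unicode allowed. The blocklist and the store-specific context words are constructed sample values; a real deployment would use a full breached-password corpus.

```python
import unicodedata

# Constructed sample blocklist of common/breached passwords (lower-case).
BLOCKLIST = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1"}
# Constructed context-specific words NIST says to reject (e.g. the store's own name).
CONTEXT_WORDS = {"mystore", "blackfriday"}

def legacy_policy(pw: str) -> list[str]:
    """Traditional composition policy: 8+ characters with upper, lower, digit and symbol."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in pw) or not any(c.isupper() for c in pw):
        problems.append("needs both upper- and lower-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        problems.append("needs a symbol")
    return problems

def nist_policy(pw: str, blocklist=BLOCKLIST, context_words=CONTEXT_WORDS) -> list[str]:
    """NIST SP 800-63B style policy: minimum 8 characters, a generous upper bound
    (NIST requires accepting at least 64), no composition rules, Unicode and spaces
    allowed, NFKC normalisation before checking, and a blocklist comparison."""
    pw = unicodedata.normalize("NFKC", pw)
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 128:  # bound chosen here so the password hash input stays reasonable
        problems.append("longer than 128 characters")
    lowered = pw.lower()
    if lowered in blocklist:
        problems.append("appears on the blocklist of common or breached passwords")
    if any(word in lowered for word in context_words):
        problems.append("contains a store-specific word")
    return problems

def compare(pw: str) -> dict[str, list[str]]:
    """Return the problems each policy reports, to show where the two disagree."""
    return {"legacy": legacy_policy(pw), "nist": nist_policy(pw)}

if __name__ == "__main__":
    # A long lower-case passphrase fails the legacy rules but passes NIST;
    # a short, well-known "complex" password does the opposite.
    for candidate in ("correct horse battery staple", "P@ssw0rd", "Xk9$"):
        print(repr(candidate), compare(candidate))
```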
Feeling a little overwhelmed? Not sure where to begin? Open Professional Group offers a full range of software development and security services to fit every type and size of business. Talk to us and find out what we can do for your business.
~ Joe H.