How Do Retailers Secure Online Businesses

Retailers and shoppers are gearing up for holiday shopping as we head into the festive Christmas and Chinese New Year season. There is a caveat, though. With multiple COVID-19 outbreaks this year, the government has announced social distancing measures for crowd control, and people are advised to stay home. Shoppers are going online to enjoy the seasonal sales and promotional deals.

Since the first pandemic outbreak, the landscape of the retail industry has gone through massive changes. Retailers must quickly ramp up their e-commerce applications and online platforms[1]. According to GlobalData research, the e-commerce market in Hong Kong will grow at a compound annual growth rate of 9.9% by 2024 to reach US$29 billion[2].

While the pandemic has fueled a new stay-at-home economy and unleashed surging demand for online shopping, it has also attracted the attention of cybercriminals. A Barracuda report supports this: 72% of retail and catering businesses in APAC say they see the necessity to accelerate digital transformation to ease the pains of the traditional business model. Yet security could be the major roadblock to their digital transformation agendas.

The Barracuda survey also found that 45% of APAC retail and catering businesses have already had at least one data breach or cyber security incident since they shifted to remote working amid COVID-19. Fifty percent of them were concerned about unknown threats that will cause business disruption in the next 6 months. Within the industry, the chain apparel retailer Bossini was reported to have been hit by Maze ransomware and to have experienced a data breach.

So how can retailers minimize business disruptions and improve their ability to consistently serve customers in this age of rapid digital transformation?

eCommerce Requires Always-on Availability  

Organizations working to develop a competitive advantage through omnichannel customer experiences cannot afford sluggish responses. With this COVID-19 crisis, we are all in uncharted waters. While consumers are going online more, traffic patterns and spikes in demand can be quite unpredictable. Just like the e-commerce infrastructure itself, web application security solutions need to seamlessly accommodate changes in traffic volume. Perhaps even more importantly, they need to have Distributed Denial of Service (DDoS)[3] protection, as an unmitigated DDoS attack can block all traffic and quickly bring an e-commerce business to its knees.

Today, retailers need to protect against sophisticated hackers who are very skilled at breaking into online stores and web applications. In addition, we are seeing a rise in malicious, human-like bad bots targeting e-commerce sites, which use sophisticated techniques such as credential stuffing[4] to quickly cause major damage.

In mid-November, Barracuda researchers ran Barracuda Advanced Bot Protection in front of a test web application, and the number of bots they detected in just a few days was staggering, with millions of attacks coming in from thousands of distinct IP addresses. Cybercriminals use bots to run distributed denial of service (DDoS) attacks, make fraudulent purchases, and scan for vulnerabilities they can exploit. Retailers need to deploy web application security solutions that can protect against both sophisticated hackers and automated bot attacks.

Payment Card Industry Data Security Standard (PCI-DSS) Compliance

In e-commerce and digital retail, protecting your customers’ sensitive information is arguably the most important obligation. All companies that accept, process, store or transmit credit card information must comply with the PCI DSS, a set of security standards created by the major payment card brands and launched in September 2006 to ensure that such companies maintain a secure environment[5].

Non-compliance with the PCI DSS may result in fines, reputational damage or even lawsuits. To avoid these and improve trustworthiness, retailers must take the requirements seriously and comply with the PCI DSS standards. For example, it is important to use a firewall that provides multiple layers of protection and automatic prevention of unknown malware, spyware, and ransomware. It also helps for the firewall to be certified and to offer the highest level of encryption to prevent digital theft.

Beware of Brand Impersonation

“Brand impersonation” is an attack designed to impersonate a company or a brand in order to trick victims into responding and disclosing personal or otherwise sensitive information. It includes “service impersonation” and “brand hijacking”.

“Service impersonation” is a type of phishing attack designed to impersonate a well-known company or commonly used business application. It is used in 47% of all spear phishing attacks. Cybercriminals can use this technique to steal personally identifiable information such as credit card and ID card numbers. “Brand hijacking”, on the other hand, occurs when an attacker sends emails with false, or spoofed, domain names, so that a message appears to come from a company’s legitimate domain in order to impersonate the company or one of its employees.

As we expect the shift to e-commerce to continue to accelerate, retailers must take steps to secure business and customer data and avoid reputational and financial damage at a time when they can least afford it. Ultimately, that is not an outcome that is good for business.

Written by

James Forbes-May, Vice President, Barracuda Networks Asia Pacific

[1] https://www.weforum.org/agenda/2020/05/covid19-coronavirus-digital-economy-consumption-ecommerce-stay-at-home-online-education-streaming/

[2] https://insideretail.asia/2020/07/20/covid-19-fuels-breakthrough-in-hong-kong-e-commerce/

[3] https://www.barracuda.com/glossary/ddos?utm_source=blog&utm_medium=39697

[4] https://blog.barracuda.com/2019/04/02/is-2019-the-year-credential-stuffing-dominates-the-threat-landscape/

[5] https://www.pcicomplianceguide.org/faq/#1

