Head of Enterprise
The UK’s second lockdown means Black Friday will be an almost exclusively online event. Bricks and mortar stores, as well as the multitude of new micro businesses that have started up during the pandemic, will be taking their Black Friday sales online for the first time and competing with established ecommerce stores to make much needed sales before Christmas.
While online demand is likely to be significantly higher over this year’s Cyber Weekend, all online retailers also face increased risks from potential cyber threats. Here are our 10 top tips to successfully navigate these risks and help ensure a profitable Cyber Weekend:
Develop a DDoS prevention + response plan
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt traffic to a website. For ecommerce businesses hoping to attract significantly more traffic over the Cyber Weekend, a DDoS attack is potentially fatal. Perform a risk assessment now to understand what vulnerable entry points there are in your network - and attempt to fix them. Make sure you’ve nominated a response team and built a plan to identify who’s responsible for doing what in the event of an attack. You want to minimise disruption and downtime.
Monitor POS software providers
It’s really important to ensure that you do your due-diligence on the Point-of-Sale (‘POS’) software that you use. Is the provider well-known with a good reputation? Will all of your customer and payment data be encrypted to ISO 27001 standards? Does it have a good history of operational ‘uptime?’ The moment when your customers enter their personal and financial information is a key moment for you, as you’re about to make a sale. Failure of the POS software can result in downtime, preventing that sale from being made. It could also enable hackers to steal the personal and payment details of your customers, which would have significant legal and liability implications.
Understand your PCI-compliance requirements
If you accept debit or credit cards as a payment option, you’ll need to assess your PCI compliance annually and maintain compliance 24/7. The PCI Security Standards Council exists to implement standards for creating secure payment solutions and, if followed correctly, can help protect your customers and ensure that your payment mechanism is not vulnerable to infiltration by hackers. Be aware that PCI assessments, fines and penalties for alleged or actual breaches of compliance can be extremely expensive and can result in terrible reputational damage.
Undertake rigorous testing of email systems
Email systems are prone to malware and vulnerabilities. If taking Cyber Weekend orders over email, or if using email to communicate with customers, it’s vital that your email system remains protected from security breaches. Ensure you have strong passwords (with a combination of numbers, letters and special characters) and consider using multi-factor authentication for setting and changing passwords. Avoid web-based email services if possible.
Encrypt sensitive data
Encryption software converts data into ciphertext (unreadable text) to prevent highly sensitive data within payment transactions from being useful to malicious third parties: giving you an extra layer of security. Encryption is good practice to implement across all of your critical systems and networks where critical data is stored or processed. It should also be a prerequisite for any third party or service providers you engage with for technical or IT services.
Ensure regular back-ups
Anyone who has suffered from a ransomware attack or experienced a data breach will give you one major piece of advice: regularly back-up your data. Backing up your data (your customers’ and employees’ personal and financial information, your commercial data and inventory/stock records, etc) will put you in a good position when trying to get up and running after a cyber attack or event. Back-up technology is becoming increasingly seamless and secure, so it's a worthwhile investment.
Implement ongoing firewall and network monitoring
Good firewalls will prevent malicious intrusions and activity on your website and systems by outsiders. These should be updated regularly in line with advice from the provider, to ensure you are benefiting from the leading protection. Having a monitoring system in place (behind the firewall) will flag any intrusion, activity or unusual behaviour which could provide cause for concern. It’s good practice to nominate at least one person to be responsible for keeping an eye on this monitoring to ensure any important warnings aren’t missed.
Have an incident response plan
An incident response plan is a good undertaking to ensure that you and your team understand everyone's role, should the worst happen and you fall victim to a cyber attack or data breach. Acting quickly is vital, so it’s important to be prepared. A good breach response plan will help you here. An incident response plan usually includes:
- Details of the roles and responsibilities for each of the incident response team members
- A business continuity plan
- A summary of the physical resources, technology and tools required
- A list of data recovery and critical network processes (i.e. how to access your back-ups)
Educate employees about likely threats
Any employees involved in the operational elements of your ecommerce business need to be aware of the likely threats that may occur before and during the Cyber Weekend. As well as the tips above, tactics such as phishing emails will try to lure employees into unknowingly giving away sensitive information and will include links that open up a website’s vulnerabilities.
Educate your customers
Lapses in cyber security might not happen at your end, but with your customers. Individuals are far more likely to have weaker passwords, no basic cyber security and less of an awareness around phishing. Be sure to communicate clearly with your customers about the type of communication (and frequency) you will have with them, so they don’t fall foul to any phishing emails or malicious third parties pretending to be you.