The holiday season presents a lucrative opportunity for online retailers to finish the year on a high note; however, various factors pose threats to online businesses.
According to the IBM Cost of a Data Breach report, the global average cost of a data breach was $4.45 million, which is a 15% increase since 2020. In response, 51% of organizations plan to increase cybersecurity spending this year. While it’s clear that cybersecurity attacks are on the rise and the importance of robust cybersecurity measures in the retail sector is rapidly increasing, the forces driving this mounting pressure among retailers are less known.
Here are a few of the factors that are turning up the cybersecurity heat on retailers this holiday season:
Increased SEC Regulations
In July, the SEC set its final rule on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure, requiring domestic companies to disclose material cyber incidents to the agency within four business days of determining that a cybersecurity incident is material. The rules are designed to ensure investors and other stakeholders are informed about breach events in a more timely and consistent manner.
Disclosure can seem daunting for a company’s cybersecurity program if it won’t withstand investor scrutiny. Many companies are not ready today to reveal their cyber capabilities to the extent that the new rule requires. Because of this, retailers are experiencing even more pressure to protect their brand against bad actors.
Turbulent Geopolitical Climate
Uncertainties loom large, and a rising tide of malicious actors has reshaped the role of cybersecurity in the context of global politics. Cyberwarfare has become a potent weapon in geopolitical conflicts. These attacks have grown increasingly sophisticated and persistent, making it crucial for businesses to fortify their defenses.
Businesses perceive geopolitical tensions as the foremost threat to the global economy, according to an Oxford Economics survey. With the increase of digital warfare, geopolitical cyberattacks are not only jeopardizing sensitive customer data but also eroding trust in online shopping globally.
The Rise of Artificial Intelligence
AI, the crown jewel of tech advancement, now wields human-like prowess atop a sea of data. Yet a shadow lurks: the growing threat of chatbots falling prey to “prompt injection” attacks, which can compromise the functionality and safety of online ecommerce customer chat systems.
A great example is the Stanford student who used a prompt injection attack to discover Microsoft Bing Chat’s initial prompt, asking it to ignore previous instructions in order to divulge its initial instructions, which were written by OpenAI or Microsoft and are typically hidden from the user. An attacker can plant an injection and silently cause the chat function to seek out and exfiltrate personal information. All the user has to do is interact with the chatbot for the prompt injection attack to commence.
Don’t Wait for the Holidays to Prepare
With 75% of U.S. shoppers intending to conduct the majority of their Christmas shopping online, now is the time to mitigate cybersecurity threats before it’s too late.
- Identity is the new perimeter: To protect your online store from potential attacks, ensure that no account is shared, that multi-factor authentication is used and that all API keys have a lifecycle. Regularly review and revoke access for users, API accounts and apps that no longer require access to the control panel. Examine staff action logs to identify recent changes, periodically rotate API account credentials and assess third-party apps and scripts regularly.
- Do your part to ensure site maintenance: It is critical to distinguish between the maintenance responsibilities of your ecommerce platform provider and those of you, the retailer. Application security issues often stem from heavy customization and the usage of third-party technologies. Ensure there is a formalized process around updating libraries and capabilities that aren’t native to your platform.
- Understand the updated requirements introduced by PCI DSS 4: While many of these requirements will be met by your ecommerce provider, others will be the responsibility of the retailer. New requirements bring with them new challenges, but fundamentally, the updated PCI DSS 4 requirements will only improve your security posture and provide confidence for your shoppers.
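The API key lifecycle and access review described under "Identity is the new perimeter" can be automated against a key inventory. The following is an added example written for this article, not BigCommerce code; the policy windows, field names and the sample inventory are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy values (assumed for this example, not from the article)
MAX_KEY_AGE = timedelta(days=90)   # rotate any key older than this
MAX_IDLE = timedelta(days=30)      # revoke any key unused for this long


@dataclass
class ApiKey:
    key_id: str                       # opaque label, never the secret itself
    owner: str                        # user, app or integration the key belongs to
    created_at: datetime
    last_used_at: Optional[datetime]  # None means the key has never been used
    expires_at: Optional[datetime]    # None means no lifecycle was ever defined


def audit_keys(keys, now):
    """Return {key_id: [findings]} for every key that violates the lifecycle policy."""
    findings = {}
    for k in keys:
        issues = []
        if k.expires_at is None:
            issues.append("no expiry set")
        elif k.expires_at <= now:
            issues.append("expired but still active")
        if now - k.created_at > MAX_KEY_AGE:
            issues.append("older than rotation window")
        # A never-used key counts as idle since creation
        last_activity = k.last_used_at or k.created_at
        if now - last_activity > MAX_IDLE:
            issues.append("idle, candidate for revocation")
        if issues:
            findings[k.key_id] = issues
    return findings


# Constructed sample inventory (not real data)
NOW = datetime(2023, 11, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    ApiKey("key-storefront", "storefront-app", NOW - timedelta(days=10), NOW - timedelta(days=1), NOW + timedelta(days=80)),
    ApiKey("key-legacy-erp", "erp-connector", NOW - timedelta(days=400), NOW - timedelta(days=120), None),
    ApiKey("key-contractor", "former-contractor", NOW - timedelta(days=60), None, NOW - timedelta(days=5)),
]

if __name__ == "__main__":
    for key_id, issues in audit_keys(SAMPLE_KEYS, NOW).items():
        print(f"{key_id}: {'; '.join(issues)}")
```

Running this against the sample inventory flags the legacy ERP and former-contractor keys while leaving the healthy storefront key alone; the same check can be fed from an exported control-panel key list on a schedule.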
In an age of heightened cybersecurity threats, retailers face unprecedented challenges during the holiday season. The time to act is now, as the holiday season brings both a surge in online shopping and a surge in cyber threats.
Dan Holden is an accomplished technology innovator and recognized cybersecurity expert with over 25 years of experience in the IT and cybersecurity industries. Currently, he serves as the VP of Cybersecurity at the Austin, Texas-based open SaaS ecommerce company BigCommerce, where he and his team are responsible for ensuring the company balances associated risks and benefits related to cybersecurity.