Second national lockdown could trigger spike in online attacks against retailers, warns Sonassi
Retailers must recognise where threats to their websites lie and take action
In the midst of a second national lockdown, it is imperative retailers make every effort to ensure their IT systems are water-tight against the threat of cyber-attacks. This is according to James Allen-Lewis, development director at Sonassi.
Recent data from the UK’s National Cyber Security Centre (NCSC) revealed it had handled a record number of cyber security incidents in the last year. With non-essential retail shops now closed until 2nd December as part of government restrictions across the UK, Allen-Lewis warns retailers must take preventative measures against cyber-criminal activity.
“It’s likely we’ll see cyber criminals wanting to capitalise on retailers pivoting from bricks and mortar stores to online, following a second national lockdown.
“For many businesses the world of online retail is still very new and will likely have been driven by necessity, rather than choice. Smaller retailers are grappling with using card payments and online operations for the first time. Larger retailers are trying to improve their use of data to drive efficiencies and maximise profit margins.
“In doing so, this has increased the attack surface for criminals to target. While it’s understandable retailers at this time will be completely focused on driving sales, it’s important they understand where the threats to their business, notably vulnerabilities across their website, lie.”
Elaborating on this further, Allen-Lewis says, “Firstly, any area where a user can gain extra permissions represents a risk. An obvious example would be via the admin rights for a website. If there is no protection against the admin account and this can be accessed from anywhere in the world, criminals can keep trying multiple usernames and passwords until they penetrate. Locking this down with two-factor authentication prevents this.
“Another area of risk is via a website’s input boxes which any user has access to. An example might be an email box for a newsletter at the bottom of your site encouraging customer sign-ups. An SQL injection attack could see code uploaded to this email box which allows all your customer details to be downloaded by an attacker. It’s imperative these boxes are monitored for any suspicious activity.
“Finally, another consideration is how customer card details are stored. If, for example, a hacker was able to obtain a user’s contact details and then logs onto a website, they could start making purchases and then check-out without ever needing that user’s card details. Because of this it is critical steps are taken to lock down customers’ accounts. There are simple ways to prevent this. A CAPTCHA system is a system that allows web hosts to distinguish between human and automated access to websites and stops brute force attacks of this nature.”
Allen-Lewis concludes, “The enforcement of a second national lockdown couldn’t have come at a worse time for retailers as we enter the run-up to Christmas. Understandably, driving sales at this time is of critical importance but to ensure this is done with peace of mind, the right security practices must be implemented in order to protect customer information.”