With another record breaking holiday season of spending underway, be cautious and keep your eyes peeled for suspicious activity. Hackers and scammers are innovative, which is why consumers and SMBs alike need to be extra mindful at this time of year.
Cyber-attacks are and will become more vigorous, if not downright creative. We’re going to highlight what you should watch out for to keep your business protected.
Ransomware is a year-round threat. However, hackers expect greater success during the holidays because they know retail businesses have a shorter window to react to infections if they expect to capitalize on seasonal spending. There is less time to investigate, report, and restore sufficient data. Businesses may simply comply with extortion demands, weighing the cost benefit between doing so and lost revenue resulting from holiday “downtime”. Reduce the risk of ransomware attacks by referencing SIRKit’s guide on the seven cyber-security pitfalls to avoid. This includes increased adoption of the cloud, which can reduce risk.
With more staff using mobile devices to access or review corporate information, hackers are diverting attention to mobile devices at record rates. Mobile malware is on the rise, which is malicious software designed to attack smartphones and tablets by exploiting operating system or application-specific vulnerabilities.
Although data shows mobile malware threatens Android users at a greater rate than Apple users, all devices present risk, and certain precautions should be taken if staff will be using them to access corporate systems:
Implement a server-side security policy that ensures mobile devices adhere to specific security requirements before access is allowed (eg. must be an encrypted device, must have an alpha-numeric password, up-to-date, etc). Office 365 and Microsoft Exchange offer built-in tools to enforce these measures.
Implement an MDM (Mobile Device Management) to track and control devices
Ensure access to all systems is protected by MFA (multi-factor authentication)
Install anti-malware (available for Android)
Ensure mobile devices can be remotely wiped
Limit access to business-owned devices only
Forbid staff from using public WiFi to access corporate information, use LTE/3G directly and tether other devices (eg. laptops)
Regularly train and remind staff exercise common sense when using their mobile device for work or leisure. Only visit sites with valid SSL encryption, don’t click on suspicious links, only install verified applications, don’t respond to texts from anonymous parties, etc.
This is low hanging fruit during the holidays. A massive number of transactions occur over point-of-sale terminals and e-commerce websites. If your business uses POS terminals of any kind:
Ensure they are behind a business-grade firewall with advanced threat monitoring
Ensure they are isolated away from other internal networks (eg. ensure surveillance systems are housed away from payment networks)
Ensure all related software (OS, Applications, Hardware) is totally up-to-date
Ensure your systems use encryption to protect information at rest and in-transit (call the vendor to verify)
Ensure staff use MFA (multi-factor authentication) whenever logging into online cloud platforms that house payment, financial, or personal information
This sneak attack occurs when hackers gain access to a website and replace URLs (links) or content with their own. This tactic has a better chance of success because buyers exercise less caution with websites they typically trust. Studies show that over 50 percent of online shoppers believe the stress of the holiday season can cause them to behave carelessly online.
How does it work? Let’s say an e-commerce website has been compromised and the malicious 3rd party revises certain code to redirect visitors to their own website when you click a specific URL or button. As the visitor, you click the modified button (which looks exactly the same) to purchase a product, the background code delivers you to a fake payment page that appears the same and you unknowingly supply them with your credit card and personal information.
This can also occur outside of an e-commerce environment, be careful when personal information is requested on a website. Analyze the URL carefully.
To help the shear number of threats, modern cyber-security platforms based on AI and machine learning are emerging, but it’s always a good idea to manually inspect all links to ensure they aren’t malicious. Pay careful attention to the website URL before you enter information.
The holiday season is extremely busy and a perfect opportunity to increase phishing and spear-phishing activities. For example, current and prospective vendors/suppliers may contact your staff with holiday season promotions, competing to give you the best deal for the season or fiscal year. In an effort to capitalize, staff may be more likely to click links and open attachments to review an offer, and in doing so may infect their systems and potentially compromise other IT systems.
Tell staff not to click on unsolicited links without vetting them first and be sure to use email providers you can trust that support SPF, DKIM, and DMARC sender verification checks.
Do you have a plan to address a cyber-attack on your business? Working with a mature MSP that focuses on security can help your business establish strong defenses and a solid IT disaster recovery plan.