How to Safeguard Your Retail Business from Cyber Grinches this Holiday Season

By Neal Quinn, Head of Cloud Security Services, North America, Radware

As the holiday season approaches, retailers eagerly anticipate a surge in online shopping. However, a cast of cyber grinches pose significant threats if retailers don’t effectively safeguard their business from these skilled adversaries.

Smarter, Greedier Bots

During the holidays, malicious bots will be out in force. These automated programs are used to buy up trending retail items seconds after they appear on a website, leaving legitimate shoppers empty handed. The bots are operated by profit seeking cybercriminals looking to quickly resell the “sold out” items for financial gain. Bots can also take over user accounts and compromise personal information that could potentially lead to identity theft. Even though the threat of bots is not new, it is getting worse because bots have become more adept at bypassing traditional bot management systems.

Effectively defending against bots relies on real-time differentiation between good and bad actors. While traditional defense mechanisms like web CAPTCHAs are still used to reduce illegitimate transactions, they also frustrate shoppers and are increasingly ineffective. What is required today is robust bot management solutions that incorporate cryptographic challenges and automated, advanced machine learning algorithms. These solutions are key in helping retailers distinguish between genuine shoppers and malicious bots.

"Is your online store safe from bot threats, API vulnerabilities and DDoS attacks? Now is the time to take measures to prevent threats of this season’s cyber grinches and ensure holiday shoppers have a safe and seamless online shopping experience."

—Neal Quinn, Head, Cloud Security Services, Radware

Open APIs that Invite Trouble

DDoS Attacks that Wreak Havoc

Safeguarding the Holiday Season

The proliferation of application programming interfaces (APIs) is another grinch that could turn the tables on a successful holiday for retailers. Unsecured APIs expand the attack surface for bad actors who are out to exploit vulnerabilities and pilfer sensitive customer information, such as user credentials, payment information, and other personally identifiable information. The risk of a breach is even greater during the holidays when there is more traffic volume and increased API calls to websites, making exposures and entry points even more difficult to detect. Retailer risks are further compounded when their integrated partners and suppliers have unsecured APIs along with access to the retailer’s data and systems. Malicious actors search for these partner loopholes and use them to infiltrate the retailer’s digital infrastructure.

To protect their APIs, retailers should look for an easy-to-implement solution that supports a positive as well as negative security model. Effective API protection must also include auto discovery of APIs. According to a recent Radware survey, 62% of companies admit that a third or more of their APIs are undocumented. An effective solution enables security teams to automatically identify and secure undocumented APIs without relying on human intervention or application and security expertise. It should also work in real time to detect and block a broad range of threats, including data theft, data manipulation, account takeover attacks, and more. It’s important to note that API protection is one important component in an overall application infrastructure that should also include a web application firewall (WAF), bot management, and DDoS protection.

Some of the most formidable cyber grinches that retailers will face this holiday season are DDoS attacks, which continue to increase in volume, complexity, and frequency. During these attacks, cybercriminals overwhelm websites or online services with an onslaught of internet traffic, rendering sites inaccessible to legitimate users. The resulting downtime can lead to significant financial losses, tarnished reputations, and customer frustration. To win and maintain customer trust, retailers must overcome a specific set of business and technical hurdles associated with safeguarding the availability and security of their e-commerce platforms, networks, and applications. This includes ensuring high levels of availability.

DDoS attacks are not a new problem, so most retailers have some form of protection in place. What retailers need to be especially aware of this holiday season is what their existing solutions can and can’t do. For instance, even solutions bought two years ago are not built to stop the randomized Web DDoS attacks that are currently being waged by state actors and hacktivists. These aggressive encrypted HTTPS attacks are designed to bypass traditional solutions and elude detection by appearing as legit traffic. That’s why it’s important for retailers to talk with their existing security providers to find out how they would automatically mitigate emerging threats like Web DDoS Floods without blocking the legitimate traffic that is driving holiday sales.

Security is only as strong as the weakest link. Now is the time to shore up vulnerabilities and ensure holiday shoppers have a safe and seamless online shopping experience, free of the menacing threats of this season’s cyber grinches.