The Akamai Blog

No holidays for cybercriminals

This year marks the 10th anniversary of the Great Singapore Sale (GSS). Over the years, we have seen how the annual event has evolved - from expanding into the heartlands to retailers moving online, attracting more customers.

Shopping has long been recognised as a national pastime for Singaporeans, with eCommerce fast becoming a norm. PayPal observed a 12% year-on-year increase in purchases made by online shoppers in Singapore during the year-end holidays of 2013, largely driven by Singaporeans attracted to overseas sale seasons like Black Friday in America and the Chinese New Year sales in China.

The upcoming GSS will be a true test for retailers, as many more are looking to extend discounts and deals to their online shoppers. A survey by Groupon Singapore on consumer habits during GSS 2013 revealed that 60.4% of Singapore's shoppers shopped online during the GSS, with the majority surfing the net for the best deals before purchasing.

Mobile shopping is also on the rise, with a recent study revealing that Singapore's mobile commerce market is expected to reach S$3.1 billion by 2015. Smartphones and other mobile devices have become an integral part of our lives, and we conduct daily activities such as mobile banking, shopping and social networking on them. As a result, cyber criminals are increasingly targeting mobile devices.

We have always observed a spike in cyber-attacks during sales seasons. They are orchestrated to hit retailers when it hurts the most, during periods of increased traffic and sales transactions. These attacks are particularly detrimental for retailers. Retailers and customers suffer financial losses, lost revenue during downtime and, more importantly, long-term damage to the retailer's reputation and credibility.

Here are some tips on how retailers can protect themselves and their customers:

Monitor threats and trends
Akin to tracking the latest trends, retailers need a program or system to help monitor the threat landscape and identify the latest attack techniques and trends. While this may be a time-consuming task that leaves many experts guessing what their real threats are, many security vendors and partners serve as trusted resources on the topic. It is important to leverage these resources and make informed decisions.

Access the latest countermeasures and defences
Once new threats, such as attack vectors and techniques, have been identified, retailers need to understand which countermeasures are best to adopt for protection. While this may seem easy and straightforward, these two steps are too often ignored. Given how rapidly attack techniques change, organisations need to adjust their defences quickly and avoid exposing their business-critical websites.

Weigh the risk and reward of defensive controls
It is important to ensure that your security investments are aligned with the goals of your websites. Too much security can hinder the user experience. Just think of 'Captcha', the funny squiggly letters that one needs to decipher and enter accurately to gain access to a site, which too often creates a displeasing user experience. Yet too little security can create exposures that, if exploited, erode brand value and, worse, could result in fraud and unauthorised disclosure of sensitive customer information.

Evaluate, and adjust your defences
Once the new defences (rules, signatures, controls) are in place, the work is still not finished. Information security is very much an ongoing and iterative process. Once you've updated your protective controls, it is back to step 1: review and adjust, so you can maintain that level of security and prevent your website from falling victim to an attack.

Depending on the size of the company, securing a website can be a full-time job. Attackers are working overtime to poke holes in retailers' security measures, so it is essential that experts stay up to date on the latest threats and trends and constantly re-evaluate the rules implemented. If retailers do not have the time (understandably) to manage these processes themselves, they must ensure that they are working with a trusted third party who will monitor threats and update the defences regularly.

However, despite all best efforts, sometimes cyber adversaries are still able to get through the defences. It is important for retailers to have a comprehensive security and incident response strategy in place to prepare themselves for a potential security breach. It is never fun to be scrambling for a response protocol in the midst of a cyber-attack, so always be prepared.