Bugcrowd CTO Casey Ellis covers new cybersecurity challenges for online retailers.
Every year retailers face a heightened level of risk during the online holiday shopping season. COVID-19 drastically shifted consumer buying behaviors, forcing retailers to accelerate digital transformation efforts to support an exponentially higher number of online transactions. Projected U.S. e-commerce sales will hit close to $710 billion in 2020, the largest jump in a single year. To adapt to the online shopping increase, many retailers have had to take new systems online faster than planned— and therefore not necessarily with enough time to test— to accommodate an all-time high in online transactions.
Speed is the natural enemy of security. When vendors rush things to production without proper testing, security blind spots are more likely to occur, creating the perfect opportunity for cyberattacks.
Adopting a “neighborhood watch” approach to security by inviting the global network of security researchers to proactively hunt for and disclose vulnerabilities before cybercriminals can exploit them improves retailer security and consumer confidence.
What’s in Store this Online Holiday Shopping Season
Over time, consumers have been evolving to shop predominantly online around the holiday season more often than in stores. Black Friday 2019 saw nearly 20 million more online shoppers than in-person in the U.S. However, retailers are emphasizing online sales more than ever before amid the pandemic. This year’s holiday-buying season kicked off earlier than usual, with Black Friday sales in advance of the traditional start of the day after Thanksgiving. The 2020 Amazon Prime Day sales, which was declared the ‘unofficial’ start to holiday shopping, surpassed last year’s numbers by 45.2 percent.
Retailers Must Account for Heightened Levels of Risk
Even before this year’s holiday shopping season, retailers have seen a massive increase in online shopper numbers throughout 2020.
A full 62 percent of U.S. shoppers say they shopped more online this year than before the pandemic. And 36 percent of U.S. consumers now shop online weekly, up from 28 percent before the pandemic. To account for this increased number of online interactions, many retailers innovated in near real-time to meet customer demand and build new systems in a hurry that can manage more transactions than before.
Systems built in a hurry are much more likely to have unintended consequences. As retailer developers work to innovate, they often unknowingly leave development systems and data exposed on the internet that should otherwise be behind closed doors. If attackers can view source code, they can then analyze it at a granular level. Alongside this, the sudden transition to “work from home” earlier this year forced similar changes to development practices, allowing attackers to siphon off API keys, corporate credentials and large databases of customers’ information.
Additionally, thanks to COVID-19, retailers now must worry about their own employees’ homes as an extension of their enterprise attack surface. Attackers can have a field day compromising remote workers through their insecure home automation technology, smart appliances, and more. They can then move laterally to the corporate network if the proper protections are not in place.
Enter Neighborhood Watch Security
Even though unprecedented risks await retailers this holiday shopping season, they can still take steps to level the security playing field against adversaries by engaging the assistance of a global network of talented security researchers and employing a neighborhood watch security approach as part of their security program. To engage security researchers, retailers should start by creating a vulnerability disclosure program (VDP) and then progress towards a public bug-bounty program. These programs invite researchers to test retailers’ infrastructure and share security feedback, giving retailers a continuous “attackers-eye view” of their attack surface.
By establishing VDPs and considering progressing to a bug-bounty program, retailers can ensure and transparently assert that they are doing everything possible to safeguard their consumers’ security. In turn, consumers can have the confidence that their data is out of harm’s way and respond by choosing to shop at stores they feel are the safest.
Casey Ellis is chairman, founder and CTO at Bugcrowd.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.