No one loves the holidays more than hackers. With seasonal sales, retail events like Black Friday and Cyber Monday, and the general uptick in shopping for gifts and festivities during the end months of the year, cybercrimes across the country recently experienced a spike.
A study by a Netherlands based VPN service firm, Surfshark, showed a 300% peak in cyberattacks on Black Friday. This, despite a 1.3% year over year fall in online spending, as reported by Adobe Analytics' Digital Economy Index.
“In actual numbers, November started with 15 million cases of malware attacks and rose to 60 million on Black Friday,” a Surfshark release said. Intrusion attacks fell by 15%, showing hackers potentially adjusting their strategy to malware. The attacks stabilized going into Cyber Monday.
“During the high shopping season, it's much easier [to target people] when people are constantly getting bombarded with a variety of emails,” said Chris Bradley, CIO at ProTech Services Group, a Memphis-based cybersecurity firm.
People tend to let their guard down, and that’s when they click on something they shouldn’t.
“Unfortunately, sometimes that's all it takes: a quick click on a URL. … Next thing you know, you've got ransomware, and it's encrypting everything you have,” Bradley said.
Tennessee experienced relatively fewer cases of cybercrime compared to the national average. For instance, Surfshark data showed that, on average, 364 per 100,000 people had fallen prey to cybercrime in the U.S. since 2018. In Tennessee, that number is 0.8 times lower, at 285 per 100,000, with nearly 20,000 victims of cybercrime.
The study pointed out that apart from a breach of data, cyberattacks also result in significant monetary loss, with Tennesseans having to work about a month and a half to recover financially. For businesses, the impact is multifold, ranging from lost revenue, a hit to their reputation, and, in some cases, legal consequences.
All costs considered
E-commerce has seen exponential growth over the past 10 years, yet businesses, particularly small and mid-sized businesses, are on the fence about cybersecurity.
“The misconception is that we're small, no one's going to target us, we don't have enough critical data,” Bradley said. "And that's not true.”
Verizon's Data Breach Investigations Report for 2021 showed that cybercrimes are an increasingly "one size fits all" situation, where there isn't a big difference between the sizes of organizations targeted. In fact, businesses with fewer than 1,000 employees had a higher frequency of breach incidents as opposed to those with more employees.
For hackers, it’s all a numbers game. But, for businesses, costs pile up. Bradley said bouncing back from these attacks can take a day or two or, in some cases, several weeks.
“The attacks themselves have the cost of downtime. There's the cost of forensic analysis to identify what was breached. How did they breach it? And then, the recovery,” said Mike Skinner, managing partner at Memphis' Horne Cyber.
Despite the consequences, costs of protecting their businesses seem to be keeping these businesses from investing in cybersecurity in a big way. While small businesses are aware that firewalls and antivirus are required, they need to understand that “some of the things that go into securing them do cost a little more," Bradley said. "That's sometimes where the apprehension lies.”
Another challenge is getting the right resources to implement the purchased protection.
“Businesses sometimes spend the money on the tools but not the money on the resources, internal or external, to maintain those tools,” Skinner said.
With its constantly evolving nature, there is no silver bullet for cybercrime, so it needs to be simultaneously updated. But businesses become apprehensive, Skinner said.
“It takes a combination of tools and the people to run those tools and monitor the network to really be effective,” he said.
How to protect your business?
Experts suggest that phishing is the most common way for attackers to target businesses.
"Over 90% of the attacks are done through phishing email attacks or some sort of social engineer," Bradley said.
Cybercrime has become more sophisticated today, with attackers being very specialized. Groups exist, he said, that do nothing other than send targeted phishing emails.
Security isn’t always easy for users, Skinner said, but it is essential to secure the network. Tedious as it may seem, this would mean remembering complex passwords, routinely training employees, restricting access to essential data within the organization, and network segmentation.
“Making sure areas of your network are appropriately segmented so if one part of your network is breached, it's harder for the attacker to move across your network and cause a bigger impact,” Skinner said.
Cyberthreats, while daunting, should not be used as fear-mongering, said Regina Whitley of the Greater Memphis IT Council.
Below are a few ways Whitley shared that businesses can better protect themselves from the threats.
- Secure your email. Email protection is the first line of defense. Use Microsoft Office 365 email protections with encryption tools to ward off phishing incidents.
- Implement “zero trust” strategies that limit access to the e-commerce site by third-party vendors through a status of “least privilege” to access.
- View your website with a “customer view” to see the vulnerabilities in the browser for order and payment process.
- Provide cybersecurity training for all employees. Staff-up during peak season with online monitoring.
- Explore moving your e-commerce site to cloud platforms that provide built-in protections for cybersecurity with firewalls and other enterprise-level protections.
- Employ multifactor authentication.
- Consider engaging a managed service provider for greater expertise and monitoring of your e-commerce activity.
- Back up your data to be less vulnerable to Ransomware attacks.
