Enterprises face risk as cyber-criminals use shopping spree to target employees

News by SC Staff

An error by an employee - in device hygiene, network safety or email security - can compromise an entire organisation's IT security this shopping season

Your work email is awash with Black Friday-Cyber Monday offers, firing up the pre-Christmas holiday shopping season. As cyber-criminals gear up to capitalise on the shopping spree, unapproved website use or personal IT devices of employees being connected to office networks increases cyber-risks this holiday season.

PerformanceIN reports that over half of UK consumers are set to shop on Black Friday, which originated from a financial crisis and not sales shopping. A majority of this shopping is expected to be done online. 

A survey by nCipher Security says 23 percent of people in the UK don’t know how to tell if a website is secure and 53 percent will only feel "somewhat safe" if they see a formal seal of encryption appear on the screen - for instance a green check used on retail sites to indicate secure e-payments.

The retail industry is one of the least trusted in the UK when it comes to encryption, with only 15 percent feeling confident that companies will protect their personal information.

The security posture of the retailers -- from loyalty programmes to email security -- leaves a lot to be desired, reported SC Media UK. A misstep from an employee -- in device hygiene, network safety or email security -- can compromise an entire organisation's IT security. 

nCipher Security vice president Peter Carlisle provided SC Media nine tips for companies to share with employees on how they can keep their personal and office networks safe this Black Friday and Cyber Monday.

Maintain device integrity

Employees bringing their own devices to work and taking office hardware home has offered a freedom to workplace design and improved connectivity. However, this has opened the attack surface for cyber-criminals. Know the conduct policy of your organisation with regards to personal devices. Limit the use of office hardware for personal shopping.

Also read: Mobile devices are more personal, more vulnerable

Use trusted websites for online shopping 

The nCipher survey showed that in the UK, only 43 percent of respondents considered HTTPS to indicate a secure website to make a purchase. HTTPS is the first and the most important indicator that the website being visited has a secure and encrypted connection. All users have to do is to look if they see the green lock at the top left of your browser.

Also read: HTTPS encryption for all, says non-profit

Use payment gateways for purchases

As the name indicates, a payment gateway facilitates the transfer of money between the online store and the payment processor that receives the payment from the customer. They are designed to protect your credit card, debit or PayPal payment methods. PayPal is regarded as one of the most secure payment methods, but it is recommended that for online payments shoppers connect their PayPal account to their credit card, rather than their debit card, for added fraud protection.

Also read: Skimming operation creates fake 3rd-party payment processing page to phish victims

Patch, update or buy new software

Ensuring that all your connected devices are running up-to-date software - from the operating system of your computer or mobile phone to the apps of your favourite shopping site - goes a long way in securing shopping. The nCipher survey showed that when it comes to keeping connected devices secure, only 29 percent of respondents in the UK said they did this by checking for software updates.

Also read: More than 800,000 systems still unpatched for BlueKeep

2FA is bare minimum

A password is a single factor of authentication and is no longer safe. Personal data and financial details are privileged information and they warrant two-factor authentication (2FA) at the minimum. Layers of authentication can be added depending on the value and volume of data. Users should always opt in whenever a service offers the added security of multi-factor authentication.

Also read: User-proof security - replace passwords with 2FA & push notification

Stay away from public Wi-Fi

A busy, crowded street is not a place to count money. Likewise, public Wi-Fi is not a secure place to transmit personal and financial data. In the UK, 37 percent already avoid connecting to public Wi-Fi networks in an effort to keep their devices safe, says the nCipher survey. Users should be very careful when using shared computers, as they may have malware, skimming devices or vulnerabilities, and, in many cases, they are not updated with the latest security patches.

Also read: Android vulnerability exposes users data via WiFi

Offers from unfamiliar sites often hold malware

If shoppers see a deal from a company they have never heard of, or worse, make the mistake of going to a site that only looks like their favourite ecommerce site, they should check the URL to ensure they are on the right site. They should always prioritise using well-known ecommerce companies that have a reputation for strong security. Most established sites have a number of tools to quickly identify or prevent malware.

Also read: UK privacy watchdog warns consumers that shops can track them

One cart at a time

A shopper would not leave their card with the cashier in a shop and then go shopping for other goods. Likewise, online shoppers should not leave their online payment window complete with details and then surf for other products. It’s a known fact that ecommerce websites have several advertising or information links, some of which could be tapped for malicious purposes.

Also read: Mobile advertising Trojans become top mobile malware threat 

Be suspicious if emails/sites ask for personal information

Going back to the first tip, when a user receives emails that ask to click on a link or input information, they should check the URL to ensure it is HTTPS and rollover the link with their mouse to ensure the site they are clicking on matches where they think you are supposed to go.  A difference of one letter or number means that they are about to visit the wrong site that can then steal their information.

Also read: Cyber-squatting greatest threat to brand reputation

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews