As far as singers go, Andy Williams knew nothing about cybersecurity. For our sector, December is about as far away from “the most wonderful time of the year” as you can possibly get. Hackers love holidays: they disrupt security teams’ schedules, increase the volume of traffic and pressure on a system and ultimately expose vulnerabilities. Just last month, CISA shared a reminder noting that “malicious cyber actors [launch] serious and impactful ransomware attacks during holidays and weekends,” citing Independence Day and Mother’s Day as recent examples.
The holiday season will provide hackers with more time and opportunities to scam customers, tarnish businesses’ brands, steal intellectual property (IP), phish employees, expose businesses to GDPR violations and spread ransomware. Moreover, the fact that many new and lapsed users will begin using new services and devices — and likely request password resets in the process — will put additional strain on security teams.
Instead of Andy Williams, cybersecurity should look to Dr. Seuss, who knew to expect the Grinch on Christmas Eve. These best practices can help retail enterprise security leaders prepare for the high-stakes, high-pressure holidays:
Give users what they want — security and convenience
Every security team needs to balance security with convenience. That’s particularly urgent for retailers, who must remove as much friction as possible while still safeguarding customers’ information and protecting their accounts. Retailers also need to accommodate customers’ varying levels of comfort with technology; ensure that customers can authenticate using a range of devices and operating systems; and authenticate customers across all their channels — even if customers are offline. Finding this balance is challenging, but it’s absolutely essential to achieve as more of our lives play out online.
The first step that retailers can take to create that balance is to minimize their biggest vulnerability and go passwordless. As a security measure, passwords are fundamentally flawed — the average user has around 100 passwords; two in three people use some form of the same password across multiple accounts, which can allow hackers to jump from one service to the next; and it takes less than a second to crack the most common passwords. Given these figures, it’s no surprise that, in 2020, 4 out of 5 hacking-related data breaches involved brute force or the use of weak or stolen passwords.
In addition to improving security, removing passwords is also good for retailers’ bottom lines. The rate of abandonment demonstrates that customers will walk away from a bad user experience or virtually any friction in the online shopping process: one report found that 57% of shoppers will abandon a site if they have to wait three seconds for the page to load. Long ago, passwords made some degree of sense when we were typing on full keyboards. But entering increasingly complex strings of numbers, letters and characters is much more challenging now on our phones. A recent report found that two-thirds of online shoppers lost interest in creating an account due to password requirements, and that nearly 40% of mobile users abandoned their cart when it became too difficult to enter their personal information.
By integrating a variety of factors to establish trust, contextual authentication can verify that a user is who they claim to be more quickly, easily and safely than passwords can. Retailers can use a customer’s location, their IP address, the time that they’re making an access request, the device that they’re using and any number of other factors to inform this decision-making. They can also integrate external data — such as known malicious IP addresses and breached emails — to increase or decrease their confidence.
Not every risk is created equal
Some access requests pose a greater degree of risk to your users and, by extension, to your business. Retailers should determine which requests or scenarios could do the most harm to their business — an existing account logging in from a new device, a delivery address being changed once an order has been submitted, orders above a certain value threshold, etc. Once you identify the scariest and likeliest incidents, begin using risk-based authentication to step up verification when the situation demands it. Contextual authentication factors can also feed risk-based authentication and train security systems to make smarter decisions about when to challenge users. The best solutions will use machine learning to continuously improve and automate access decisions in real time.
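The two preceding sections describe contextual signals (location, IP, time, device, external breach and blocklist data) feeding a risk-based decision that allows, steps up, or denies a request. The following is an added illustration of that policy, not code from the article or from any authentication vendor: the signal weights, thresholds, the `KNOWN_BAD_IPS` and `BREACHED_EMAILS` sets, and the customer and request records are all constructed assumptions. A production system would learn the weights from data, as the article notes, and pull the external feeds from a threat-intelligence or breach-notification service.

```python
"""Contextual, risk-based authentication decisions (illustrative, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-ins for external data a retailer might integrate.
# 203.0.113.0/24 is the RFC 5737 documentation range, so this IP is not real.
KNOWN_BAD_IPS = {"203.0.113.7"}
BREACHED_EMAILS = {"alice@example.com"}


@dataclass
class CustomerProfile:
    email: str
    home_country: str
    known_devices: set = field(default_factory=set)
    usual_hours: range = range(7, 23)   # hours (UTC) this customer normally shops; assumed


@dataclass
class AccessRequest:
    email: str
    ip: str
    country: str
    device_id: str
    action: str                # "login", "change_address" or "place_order"
    timestamp: datetime
    order_total: float = 0.0   # only meaningful for "place_order"
    order_submitted: bool = False  # only meaningful for "change_address"


# Assumed weights: how much each signal raises suspicion. A real deployment
# would tune these from observed fraud rather than hard-code them.
WEIGHTS = {
    "new device": 30,
    "unusual country": 20,
    "unusual hour": 10,
    "ip on blocklist": 50,
    "email in breach corpus": 15,
    "address change after order submitted": 25,
    "high-value order": 20,
}
HIGH_VALUE_ORDER = 500.0   # assumed threshold


def risk_score(req: AccessRequest, profile: CustomerProfile):
    """Combine contextual signals into a numeric score plus the reasons behind it."""
    reasons = []
    if req.device_id not in profile.known_devices:
        reasons.append("new device")
    if req.country != profile.home_country:
        reasons.append("unusual country")
    if req.timestamp.hour not in profile.usual_hours:
        reasons.append("unusual hour")
    if req.ip in KNOWN_BAD_IPS:
        reasons.append("ip on blocklist")
    if req.email in BREACHED_EMAILS:
        reasons.append("email in breach corpus")
    if req.action == "change_address" and req.order_submitted:
        reasons.append("address change after order submitted")
    if req.action == "place_order" and req.order_total > HIGH_VALUE_ORDER:
        reasons.append("high-value order")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(req: AccessRequest, profile: CustomerProfile, step_up_at=30, deny_at=80):
    """Return ("allow" | "step_up" | "deny", score, reasons).

    Low-risk requests pass without friction; medium-risk ones trigger an extra
    factor (step-up MFA); high-risk ones are refused outright.
    """
    score, reasons = risk_score(req, profile)
    if score >= deny_at:
        return "deny", score, reasons
    if score >= step_up_at:
        return "step_up", score, reasons
    return "allow", score, reasons


# Constructed sample data for a stand-alone run.
BOB = CustomerProfile("bob@example.com", "US", {"dev-1"})
ALICE = CustomerProfile("alice@example.com", "US", {"dev-2"})
WHEN = datetime(2021, 12, 20, 14, tzinfo=timezone.utc)

ROUTINE_LOGIN = AccessRequest("bob@example.com", "198.51.100.4", "US", "dev-1", "login", WHEN)
NEW_DEVICE_LOGIN = AccessRequest("bob@example.com", "198.51.100.4", "US", "dev-9", "login", WHEN)
SUSPICIOUS_ADDRESS_CHANGE = AccessRequest(
    "alice@example.com", "203.0.113.7", "DE", "dev-7", "change_address",
    datetime(2021, 12, 20, 3, tzinfo=timezone.utc), order_submitted=True,
)

if __name__ == "__main__":
    for req in (ROUTINE_LOGIN, NEW_DEVICE_LOGIN, SUSPICIOUS_ADDRESS_CHANGE):
        action, score, reasons = decide(req, BOB if req.email == BOB.email else ALICE)
        print(f"{req.action:15} -> {action:8} score={score:3} {reasons}")
```

Running the block prints the three decisions: the routine login is allowed with no reasons, the new-device login scores 30 and is stepped up, and the address change after an order, from a new device, unusual country, odd hour, blocklisted IP and breached email, scores well past the deny threshold. The reasons list is what an analyst would want logged alongside the decision so that tuning and incident review have something concrete to work from.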
For retailers, one size never fits all
Retailers need authentication that accommodates different users on different devices. But retailers’ generosity should never extend to the authentication vendors themselves. When sourcing authentication providers, retailers should demand solutions that fit within their overall environment. That means looking for products that maintain the look and feel of a retailer’s website and branding. If your authentication service can’t do that, or if it sends your users bouncing between different pages to complete authentication, then start looking for another vendor.
Everyone needs multi-factor authentication
One gift that both retailers and their customers need is multi-factor authentication (MFA). By making MFA part of the user registration process, retailers can begin building trust early on and learn more about their customers, their habits and their preferred contact methods. Doing so also provides customers with a way to reset their passwords in case they become locked out.
Make your list and check it twice: by prioritizing authentication, eliminating passwords, deploying MFA and focusing on user experience, retail enterprise security leaders can ensure that hackers only get a lump of coal in their stockings.