
Eight cyber hygiene steps to help mitigate the digital risks of your holiday shopping

Chuck Brooks

12/07/2023


The following post is a paid partnership between Spectrum Enterprise and Chuck Brooks.

Black Friday, the day after Thanksgiving, marked the beginning of the US holiday season. Last year a record-setting $9.12 billion was spent online in the US on Black Friday and Cyber Monday. Sales this year may surpass that. And the holiday shopping season extends through to the new year and beyond. Unfortunately, the online retail shopping season is also a time of heightened activity for criminal hackers, and businesses and consumers are in the crosshairs.

Managing the retail cyber ecosystem is getting harder and harder, and good cyber hygiene is necessary for a strong cyber defensive posture if an organization wants to withstand attacks. The attacks of today don't come and go. Instead, they are surging, and the resulting overload is disastrous. While there may not be perfect cyber defenses, good cyber hygiene can help thwart cyber-attacks and is imperative for sound risk management.

Ransomware trending  

On Black Friday and Cyber Monday, businesses and consumers should be particularly on the lookout for ransomware attacks. Although ransomware has been around for decades, it has recently become a cyber-weapon of choice for hackers. Geopolitical tensions have also turned some loosely state-sponsored or affiliated actors loose on many new targets with their AI-enabled ransomware tools.

Being able to exfiltrate data and hold it hostage for payment in cryptocurrencies has made the deployment of ransomware a growing trend. To increase the likelihood that their ransomware assaults will be successful, hackers continue to focus on zero-day vulnerabilities (a zero-day is a security flaw for which the vendor of the flawed system has yet to make a patch available to affected users), carry out supply chain attacks, and look for weaknesses in end-of-life products. Given the rise in ransomware assaults and other severe cyberattacks, practicing good cyber hygiene needs to be a primary line of defense for businesses and consumers in 2023.

Good cyber hygiene: what is it?

Good cyber hygiene means implementing a mix of measures that put a company, organization, or individual in the best possible position to both repel attacks and, in the event of one, resume regular operations with the least amount of interruption. Days in lieu of hours. Days as opposed to weeks. Lastly, it means continuing to be able to work through the disruption, even in a weakened position.

What follows is a cyber hygiene to-do list for the holiday shopping season:

  1. Make use of multi-factor authentication (MFA): MFA's primary advantage is its ability to reduce the likelihood of unwanted access. Passwords and usernames are here to stay, but if you don't change your password frequently, your account could be stolen or subject to brute force or credential stuffing attacks. On the dark web, billions of credentials can be bought, sometimes for extremely small sums of money. Enforcing always-on MFA through temporary secondary codes or other physical constraints not only makes life harder for cybercriminals, but can also slow them down enough to divert them from their malicious activities. MFA isn't flawless. However, it is beneficial.
  2. Use robust password security: A majority of hacking-related data breaches involve either stolen or weak passwords. Companies need to acknowledge that one of the best defenses against illegal access to their vital infrastructure is a strict password policy. When creating passwords, make sure they are complex and avoid using the default ones on your devices. Think about lengthening them or utilizing characters, numbers, and letters to create phrases. Additionally, avoid using the same password across several accounts. Make it harder for hackers to gain access in a single attempt.
  3. Continually patch, update, and back up your devices: There's a reason "critical" is "critical"; act on it within 72 hours of release. Many of today's businesses must decide which vulnerabilities are relevant to their ecosystem and which ones to start patching immediately. Patch and vulnerability management is not attractive, but it is a necessary task. When using outdated systems, use caution. Yes, you can fix them, and it is understood that some people cannot pay the initial capital expense. However, the crucial problem is that fixes for these systems are no longer supported. Once these systems have outlived their "patch life," hackers will find them to be easy prey. If you’re concerned about these risks, or if your in-house IT team lacks the expertise or bandwidth, consider working with a managed services partner to ensure you have the right experience and support to mitigate these risks. For recovery, a strong backup procedure is essential. Having a solid backup plan offers you some peace of mind in the event that all other efforts fail. You need to know what you are backing up, where you are backing up, how far you are backing up, and how you are testing your backups. There are three types of backups: one on-site, one off-site, and one in the cloud. If you have a clean backup that is ready to be restored to your machine, there is less need to pay the ransom.
  4. Recognize the phish: Phishing is still the tool of choice for many hackers. Phishing is commonly defined as a technique hackers use to exfiltrate your valuable data or to spread malware. Anyone can be fooled by a targeted phish, especially when it appears to be a personal email from someone higher up the work chain, or from a bank, organization, or website you may frequent. Usually, phishing malware comes via email attachments but can also be web-based. It is important to teach your employees (and yourself) the proper practices for spotting spear-phishing attempts. Phishing testing ought to be a normal part of staff training these days, since phishing is one of the main reasons for data breaches. Although no one is impervious to a cunning phish, some steps may be taken to reduce the likelihood and expense of a breach. First and foremost, never open an attachment from someone you do not know, and even if you believe you do know the sender, always double-check and confirm who it is. On your PC, watch out for visually enticing pop-ups as well.
  5. Implement strong identity and access management (IAM): Make sure that the tools your employees need to perform their duties are only accessible to the appropriate individuals and job positions within your company. Your company can control employee apps without requiring them to log in as administrators by using single sign-on apps. With identity and access management systems, your company can manage a variety of identities, including people (like employees), software, and hardware like robots and Internet of Things devices. Under IAM principles, companies should ask whether a user is who they claim to be when logging onto the network, whether locally or remotely, and whether the person has only the minimal access necessary to carry out their assigned duties.
  6. Understand how your intrusion detection and prevention system operates: Does it rely on signatures? Could it be behavioral? Perhaps it's both. New technologies are needed for new cyberthreats. Logs are an effective tool for identifying unusual activity. Although reviewing them is laborious, a business can combine security analytics and make use of automation. This is where artificial intelligence (AI), automation, orchestration, machine learning, and cognitive computing are all important in fortifying cyber defenses.
  7. Consider using a Managed Security Service Provider (MSSP) or Managed Service Provider (MSP): Not every business has in-house expertise in cybersecurity, or an IT team with the bandwidth to effectively mitigate evolving security threats, and any business might be severely damaged by a ransomware assault. If this describes your organization, consider working with a managed service provider. The right partner can provide expert support in critical areas such as security and equipment integration, and can offer enhanced visibility and control over your network. When it comes to working with a managed services partner, the benefits drastically outweigh the costs.
  8. Recognize the latest risks and trends in the evolving cyber-threat landscape: Artificial intelligence and machine learning are examples of new technologies that can be utilized both offensively and defensively. Read about, talk about, and stay informed about current and upcoming cyber-attacks on social media and in publications.

As you proactively cyber-prepare yourself for holiday shopping, it is important to recognize that the “perfect” cyber hygiene technique does not exist. Instead, decide what is best for your company and for you. You should not undervalue the significance of taking steps to better your cyber defenses. Maintaining good cyber hygiene is a good starting point. Perfect is the enemy of good enough, so keep moving forward with improving your cyber hygiene posture without letting your never-ending quest for the “perfect” answer impede you. 

 



Chuck Brooks

This article was sponsored by Spectrum Enterprise and written by Chuck Brooks, President of Brooks Consulting International, who is a globally recognized thought leader and subject matter expert in Cybersecurity and Emerging Technologies. Chuck is also Adjunct Faculty at Georgetown University’s Graduate Cybersecurity Risk Management Program. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named “Cybersecurity Person of the Year for 2022” by The Cyber Express, and as one of the world’s “10 Best Cyber Security and Technology Experts” by Best Rated. He is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to FORBES.