
November 12, 2020 | Matt Pacheco

Cybersecurity Tips for the 2020 Holiday Shopping Season

Recently, BiopharmaDive did a story on the race to develop a COVID-19 vaccine. With so many companies working on the challenge – and making excellent progress – smart money seems to be on at least one vaccine being available by the end of the year. Unfortunately, that’s too late to impact the 2020 holiday shopping season, and many experts predict an explosion in online purchases that could have consequences for the unprepared business.

“For the last four years, e-commerce growth has averaged between 13% to 17% increase, and last year it was up 14.7%. This year it will go ballistic, somewhere around 25% and it may go higher.”

Rod Sides, Vice Chairman and U.S. Leader Retail and Distribution

One of these consequences is an increase in cybercrime. In a recent interview, we asked Paul Mazzucco, TierPoint’s Chief Security Officer, to share his perspectives on the 2020 holiday shopping season and how consumers and businesses can protect themselves.

What makes the 2020 holiday shopping season different from prior years?

Mazzucco: In some ways, it’s more of the same, just accelerated. Online shopping has been increasing every year. This year, we expect it to increase by a larger percentage than usual. But I don’t think we can separate the increase in online shopping from the rise in the number of employees working from home. I don’t have the numbers right in front of me, but in past years, we’ve seen reports that showed a significant percentage of people did their holiday shopping while at work. With no one to look over their shoulder now, I don’t expect we’ll see those percentages go down any.

That increases the risks to employers because employees working from home don’t always have the multiple layers of security on their systems that they would at the office. Hackers know that, and they’ll be looking to exploit the situation.


What are some of the threats that businesses should be watching for?

Mazzucco: A lot of it still revolves around malware delivered through email. Pretty much everyone knows that they shouldn’t click on a link from an unknown sender. The problem is, hackers are getting really good at imitating legit email traffic. One of the more common tactics is seemingly legit stores sending out e-cards that contain malicious links. I received several of these myself on Amazon Prime Day. If the seller isn’t one you shop at frequently, do not click on the link.

Hackers are also sending out fake shipping notifications, knowing that people are in a rush and probably ordering lots of stuff online. The recipient clicks on the link thinking, “It must be one of the items I ordered recently,” and malware is downloaded onto their computer or device. Same advice as before—don’t click on a shipping notice if you don’t recognize the vendor. Even if you do recognize the vendor, the safer bet is to track your shipment from their site.

Businesses will want to make sure they have the latest and greatest in spam filters installed. Of course, that won’t catch everything, so frequent reminders to employees can’t hurt.

Lastly, there are a lot of phony causes that pop up on social media this time of year—and during every election cycle. We don’t want to discourage giving, of course, but check out the charity or organization before you give. If it looks like a cause you want to support, use the links on their site instead of the ones in a tweet or Facebook post.

What kind of malware is typically embedded in these links?

Mazzucco: Ransomware is still pretty prevalent, but it’s gotten even more pernicious. It used to be that ransomware would lock down your system, you’d pay a small ransom in bitcoin, and your system would probably be unlocked. Now, when the ransomware encrypts your data locally, hackers simultaneously exfiltrate your data and store it on their servers. Then, they up the ante by threatening to release this data to the public if you don’t pay up. If you’ve got sensitive data stored on your servers, that’s a real threat.

The issue is that, even if you pay the ransom, your data is put into a service pool where the next group can buy the data at a reduced cost. The business then gets a second round of emails from a different group of bad actors saying, “We have your data and we’re going to release it into the market unless you pay us.”

It’s usually not worth it to pay the ransom. Once your data is out there, it’s just out there. Instead, they should contact their insurance company and contact the FBI to file a case, while internally, they get some forensics going to restore backups and get their systems and data functional again.

What can businesses do to protect themselves this time of year?

Mazzucco: With everyone working from home, one of the absolute mandates is to use a secure VPN infrastructure. Make sure your VPN is an encrypted tunnel.

Make sure your passwords are strong, too. With today’s computing power, eight-character passwords are too easy to crack. Did you know that a standard eight-character password takes less than a minute to crack? A complex eight-character password—one that requires a combination of numbers, lower- and upper-case letters, and symbols—can still be cracked in a couple of hours.

We always recommend 12 characters at least. A simple 12-character password takes about a year to crack, provided the user isn’t making standard mistakes like using ‘password123’ as their password. If the 12-character password is complex, it can take up to 200 years to crack. That’s a huge amount of value for the company simply by having your end-users type in four more characters, literally four more characters. Less than 2 seconds worth of work bought you 200 years’ worth of security with today’s modern computing systems.

Finally, we also recommend using unique names and passwords for accounts. If users are working from home and connecting through the company VPN, don’t allow any user’s main account to be an administrator account. There should always be a separation. Anybody using Active Directory or who has system admins should absolutely make sure that users cannot log in as an administrator. It just kills the audit trail.
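As an added illustration of the password-length advice above (this is not part of the interview and not TierPoint code), the Python sketch below shows how each extra character multiplies the search space an attacker must cover, and why a well-known password such as ‘password123’ gets no benefit from its length. The guess rate and the small weak-password set are assumptions made for the example, so the times it reports depend entirely on that assumed rate.

```python
import string

# Assumption (not from the interview): an offline attacker testing
# 1e10 candidate passwords per second against a fast hash.
GUESSES_PER_SECOND = 1e10

# Constructed sample of well-known weak passwords; a real check would
# consult a full breached-password list instead.
COMMON_PASSWORDS = {"password123", "qwertyuiop12", "letmein12345"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def alphabet_size(password):
    """Size of the smallest alphabet covering the character classes used."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Characters outside the four classes (spaces, non-ASCII) count once each.
    other = {ch for ch in password if not any(ch in c for c in CLASSES)}
    return size + len(other)

def keyspace(password):
    """Number of candidates of this length over that alphabet."""
    return alphabet_size(password) ** len(password)

def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Time to exhaust the keyspace; a listed password falls immediately."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return keyspace(password) / rate

def meets_policy(password, min_length=12):
    """At least 12 characters and not a known weak password."""
    return (len(password) >= min_length
            and password.lower() not in COMMON_PASSWORDS)

if __name__ == "__main__":
    # Constructed sample passwords covering the four cases discussed.
    for pw in ("abcdefgh", "aB3$efgh", "abcdefghijkl", "aB3$efghijkl"):
        years = worst_case_seconds(pw) / (3600 * 24 * 365)
        print(f"{len(pw):>2} chars, alphabet {alphabet_size(pw):>2}: "
              f"{years:.3g} years, policy ok: {meets_policy(pw)}")
```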

We can help you evaluate your cybersecurity

Have questions about protecting your IT infrastructure from cyber-attacks? TierPoint offers a wide range of security services. Reach out to us to learn how to defend your applications and data from attackers.
