Looking to avoid much of the well-publicized mayhem that seems to erupt each year at brick-and-mortar stores around the nation during Black Friday sales, more and more people are now turning to the Internet to do their shopping. In what has become known as “Cyber Monday,” online and traditional retailers have, in recent years, started offering steep discounts on consumer goods on the Monday following the Thanksgiving holiday weekend.
According to the National Retail Federation, online sales in November and December are expected to grow between 13 to 15 percent over last holiday season to as much as $82 billion. Just because there won’t be any violence among shoppers or incidents of shoplifting, however, doesn’t mean there aren’t security risks associated with Cyber Monday. SIW recently spoke with Kevin Kalinich, cyberrisk global practice leader for Aon Risk Solutions, to get a better understanding of what these risks are and how retailers can protect themselves,
SIW: What is the largest threat posed by Cyber Monday to retailers and how does it differ from other day-to-day threats from cyberspace?
Kalinich: Retailers face third-party and insider privacy, as well as various security exposures on a daily basis. The difference is that there is a significant risk of overwhelming IT networks that were not designed or tested for the massive increase in volume on Cyber Monday. How much revenue would a retailer lose if its payment processing or website went down on Cyber Monday?
SIW: Are retailers aware of these threats and are they taking them seriously enough in your opinion?
Kalinich: Prudent retailers recognize the threats and have taken appropriate risk mitigation and risk transfer steps to protect their financial statements. However, cyber threats are constantly evolving, and it is a race to maintain protections faster than the threats evolve.
SIW: What kind of redundancies do retailers need to have in place to ensure that they can handle the sheer volume of traffic to their sites on Cyber Monday?
Kalinich: The challenge is to build in sufficient redundancies in a cost-efficient manner when the volume on Cyber Monday may be two to 10 times higher than the average. It does not make sense to pay for a year’s worth of redundancies that are only necessary to satisfy one day per year. Retailers basically have three choices:
1. Build and pay for a year’s worth of redundancies
2. Purchase “redundancies on demand” through a third-party, such as cloud computing
3. Do nothing additional to your current system that is designed for an average sales day and be prepared if it does not hold up on Cyber Monday.
SIW: Given the damage that can be inflicted upon an organization from a data breach, not only financially but also from a reputation standpoint, what steps do retailers need to take to prevent payment card information and other sensitive customer data from falling into the wrong hands?
Kalinich:
- Coordinate internal resources. Companies need to collaborate IT, sales, security, legal and risk management teams to actively identify, qualify and quantify cyber exposures. In Houston, this could mean critical infrastructure vulnerabilities for energy companies.
- Mitigate exposures. Develop contracts and IT due diligence protocol with third-party vendors that service your organization. Third-parties who play a part in the online collection of customer information should be held contractually liable, and should be able to demonstrate that they have the necessary insurance to cover the costs of a cyber-attack involving the services they provide.
- Internal use policies. Educate, train and monitor your employees as well as independent contractors, on the company procedures.
- Analyze. Monitor your existing insurance policies to ensure coverage for first-party risks, such as website outages, resulting in business interruption or third-party exposures, such as privacy or security breaches.
- Fill in the gaps. Consider a cyber-specific insurance policy to fill the gaps and avoid a class action lawsuit against your directors and management for breach of fiduciary duty.
- Update your plan. Update your data breach response plan to prepare for the 2013 holiday season and safely accommodate your organization’s sales increases.
SIW: In addition to attacks from cyber criminals, do retailers also need to be on-guard against threats posed by so-called hacktivist groups and what steps can they take to protect themselves?
Kalinich: While hactivist groups are a growing threat, they use many of the same attack methods as other cyber criminals. It is unfortunate that protestors do not use solely legal methods to demonstrate their disagreements with legitimate opposing opinions.
SIW: Are there any risks posed by Cyber Monday people aren't currently aware of that could potentially cause significant damage to retailers?
Kalinich: Third-party outsourced service providers, such as cloud computing, payment processors, mobile device networks, social media and big data analytics, face aggregation risk from the combination of their retail clients using their services at the same time on Cyber Monday. The outsourced systems have not been tested for the pure volume of such activity, and may not be able to withstand the onslaught. If one of these third party providers is interrupted, it could affect multiple retailers at the same time.
