Online retailers are dealing with more cybersecurity threats than ever before, and the holiday shopping season is when they have to fend them off most aggressively. In this interview with Help Net Security, Dr. Taher Elgamal, cryptographer, infosec leader and currently CTO of Security at Salesforce, talks about the obstacles retailers need to overcome to improve their cybersecurity posture and his expectations for the threat landscape in 2022.
How are Salesforce retail customers approaching cybersecurity for e-commerce operations?
We think of cybersecurity as a team sport. A company’s security posture is only as strong as its weakest link, so we encourage our customers to promote a security-first culture where everyone is accountable and educated on best practices for keeping data and their systems secure. This includes investing in a strong security awareness program and nailing the basics, like implementing Multifactor Authentication (MFA) and enforcing patching requirements for corporate devices.
What are the greatest obstacles they need to overcome?
While the deluge of online transactions during the holidays is great for business, it can also make it easier for cyber attacks to slip under the radar. While retailers should always be diligent when scanning for suspicious activity, they should always look to harden their cybersecurity posture during busy seasons, including the holidays.
But allocating the necessary resources to security can be a major challenge, especially for smaller companies. Many turn to third-party vendors in an attempt to outsource their cybersecurity functions (among other business needs); those who choose this path must be aware that vendor networks come with their own set of risks, including an increase in exposure.
What are some currently popular solutions to those obstacles? Is it becoming obvious that some work better than others?
A strong security awareness program is crucial. If employees know what to look for, it can make all the difference in thwarting or identifying an attack or vulnerability sooner to mitigate damage and maintain your customers’ trust.
To help solve this challenge, organizations across the industry, including Salesforce, Google, Okta, and Slack, partnered to design Minimum Viable Secure Product or MVSP, a vendor-neutral checklist designed to provide businesses with a simple, practical way to establish minimum acceptable security baselines.
Even if organizations only leverage MVSP as a starting point, it can help raise the bar for security standards across the industry. Many companies outsource additional cybersecurity protections to third-party vendors. This is a popular solution, but it’s crucial that they make sure all vendors follow the same standard of secure practices.
What retail-related cybersecurity threat trends can we expect to continue or arise in 2022?
Most cyber criminals are motivated by financial gain, and I anticipate this kind of activity continuing to increase next year, especially in the form of ransomware attacks and compromising data to sell on the Dark Web. We should also be prepared to see broader attacks that exacerbate the global economy’s ongoing supply chain challenges.
What cybersecurity advice can you offer to retailers?
I’ve been in this industry a long time, and one of the biggest lessons I’ve learned is that there is no silver bullet to security. Nailing the basics (MFA, patching, etc.) and cyber education can go a long way in preventing an attack, but it’s also just as important to know how to respond in the event of a cyber incident. Instead of blaming the hackers, focus on bolstering your security and business resilience from the inside out.
But beyond the “everyday” prevention, there are some additional protection layers retailers should implement during the holidays when the threat of attacks is even greater. It’s important to make sure your entire team is on alert and knows what red flags to look for and how to report them.
You should also consider additional fraud protection measures, running pre-holiday checks of all your systems for potential bugs, and reviewing account privileges before you’re faced with an influx of web traffic.