In a few short days it will be Cyber Monday, the kickoff to the financial madness that is the holiday shopping season. For cybercriminals and fraudsters, December represents the mother lode of hackable data.

How big is the risk?

The malevolently-inclined are getting more ambitious (a 2014 study by the Ponemon Institute that evaluated security-breach costs in the retail sector suggests that average size of a breach is about 30,000 records) and more damaging (average loss is now about $105 per stolen record). The same study estimated that the average cost of a cybercrime for the retailer is about $3.15-million. These are average numbers only: recent large-scale retail breaches have involved records in the millions, with costs similarly increased.

The hackers are also getting more sophisticated, with the development of custom-made malware to target specific companies, the rise of hacking-as-a-service, the sale of ready-made exploit kits and the creation of a black market of hacked data.

The temptation for hackers will likely increase as the use of online shopping and payment cards skyrockets. A report from  BMO indicates Cyber Monday lured almost half of all of Canadians online in 2013. According to Mastercard, 90% of the money spent in Canada takes place via credit and debit transactions (or some other form of payment other than cash), making us the third most cashless society in the world. Mobile payments are also gaining traction: data released by IBM shows mobile sales accounted for 17 per cent of all Cyber Monday online sales, an increase of 55 per cent year-over-year.

And it doesn’t end with Cyber Monday. Many Canadians wait until the last minute to make their holiday purchases, traditionally making December 23rd the busiest shopping day of the year. In 2013, the number of transactions peaked on this day between 1:45 p.m. and 4:45 p.m. EST, at 439 transactions per second.

Not surprisingly, hackers can barely contain themselves.

How can companies protect themselves?

Even for companies which aren’t in the retail sector, the shopping season can present significant risk. Lost productivity alone can add up: a recent ComScore study found that 50% of all online holiday purchases occur during working hours (especially true in Canada where Cyber Monday is not a holiday). The typical productivity loss for these companies during the holiday season averaged $15,000. Adding insult to injury, the additional traffic can lead to network slowdowns due to significant increases in bandwidth usage.

Employees may be the backbone of a company, but they can also be its weakest link. There are no end of  cleverly-designed greetings, shopping offers and holiday videos entreating employees to click, thereby introducing malware into company systems, or tricking employees into giving away company information. Companies will want to ensure their antivirus software is current, patches and updates for Web browsers, email clients and operating systems are all installed, and firewalls robust and thoroughly tested.

Retailers and others with particularly high exposure during the shopping season may want to incorporate some or all of the following practical tips as part of their overall approach to cybersecurity:

  1. Coordinate your internal resources. Companies need IT, sales, security, legal and risk management teams to collaborate to actively identify and manage cyber risks, as well as to respond quickly if a breach is detected. Are these people going to be reachable if a breach occurs over the holidays?
  2. Keep your plan current. This assumes you have a breach response plan in place (do you?). Ensure it is up to date. Your 2009 plan from when your organization did $1 million in sales may no longer be suitable now that you’ve topped $10 million.
  3. Ensure you have consents. Do you have a privacy policy, and does it tell consumers what information you are collecting? Or has your online presence expanded and your privacy policy hasn’t kept up? Similarly, this is the first holiday season under Canada’s tough new anti-spam law which features fines that can reach up to $10 million – do you have adequate consent to send your electronic marketing materials to consumers?
  4. Confirm insurance coverage. Review your existing insurance policies to ensure coverage for first-party risks such as website outages/business interruption or third-party exposures such as privacy or security breaches. If your existing insurance policies don’t cover this (many don’t), look into it.
  5. Protect directors and officers. Consider a specific cyber- insurance policy to fill gaps in your current coverage, and to guard against lawsuits (particularly class action lawsuits) aimed at your directors and officers for breach of fiduciary duty, CASL non-compliance  and privacy-related intrusions.
  6. Develop and/or review contracts.  Develop and/or review  contracts with third-party vendors that service your organization. This applies to all third parties, whether they are directly involved in the collection or use of customer information, or whether they are providing ancillary services which happen to require passwords or login credentials to your systems. Some companies are moving to contracts that attempt to hold third parties liable and require them to demonstrate that they have the necessary insurance to cover the costs of a cyberattack involving the services they provide.