The retail and financial service industries take the most heat when it comes to holiday season security. One third of U.S. households now shop online, according to the National Retail Federation. This holiday season is projected to be one of the biggest for online shopping with sales predicted to grow by 20 percent, upwards of US$211 billion.
Ensuring that all consumers can log on to shop is a business imperative. Instead of shoring up security, many companies will be tempted to refrain from performing vulnerability scans and dangerously reduce maintenance windows in an effort to limit any interruptions online. But neglecting this important security process only increases the risk of information and identity theft for consumers and raises the jackpot for cyber thieves.
Even for companies that do not experience a significant jump in business during the holiday season, the fourth quarter is viewed as a time to ensure that sales projections are on track, set budgets and plan accordingly for the next year. With this maniacal focus on end of year, taking the time to ensure that all security programs are functioning well often ends up at the low end of the priority list.
The reduced focus on security at this time can also be attributed to the lack of budget available in the last few months, meaning that even simple tasks like performing external vulnerability scans on the network may go unattended. It's also the time of year when resources are at a minimum with a number of employees taking time off. For all of these reasons, it is natural that the security "to-do" checklist is set aside. Natural, but dangerous.
Unfortunately, it's the regular tasks, such as external scanning, that ensure network security health. Unmitigated vulnerabilities leave holes in the network and provide a tacit invitation for hackers to access critical information. During this busy season, there is a great deal more critical information at stake.
With normal defenses down, organisations often find themselves the victims of hacker and exploit attacks via probes and SQL injections, as well as command line malcode that leverages even the most commonly known vulnerabilities. This is also a time in which common website defacements escalate, as well as spamming and phishing schemes. These all negatively impact a business' brand and reputation at the busiest time of the year.
While there are a number of reasons why security does not receive its due attention in the fourth quarter, it is absolutely essential for organisations to:
- Keep up with vulnerability scanning on outwardly facing websites, as well as those devices that store, process or transmit critical information to reduce the risk of information theft.
- Take a reality check. Review and refresh security policies and procedures in place. Do they appropriately reflect what is considered critical information? Are they current? Make sure these procedures are being followed, not just noted on paper. If an organisation does not have security policies and procedures in place, the fourth quarter should serve as a wake-up call to develop and implement them.
- Streamline security and compliance goals by creating robust policies that address all the organisation's relevant needs at once. This prevents security and compliance silos from developing, which would otherwise keep businesses from leveraging shared resources across multiple security programs and regulations. Streamlining security and compliance initiatives allows organisations to efficiently maintain a strong security posture with reduced resources, even during the hectic holiday season.
In the midst of all the holiday season excitement, it's important for businesses to keep their security wits about them. Adhering to the three "must-haves" enables organisations to focus on their core business goals while maintaining a strong security posture.
Eat, drink and be merry this holiday season. But when it comes to security, make sure to recharge and refresh your security program so that you can ring in a secure - and profitable - New Year.
Jennifer Mack is director of product management for Cybertrust.