This time last year we blogged about Black Friday and Cyber Monday. The context back then was the end of COVID-19 restrictions and the fragility of supply chains.
We spoke both in terms of the instability in supply chains and the ransomware threats that seemed to be impacting businesses on a regular basis. We also noted that at critical times of the year, the threat from ransomware and other forms of disruptive attack was increased – if you are relying on one weekend’s trade to make the difference between a good year and a mediocre one, then you don’t want your key systems and data to be affected by a cyber-attack (ransomware, DDoS) or by an outage (human error or technical failure) at the critical juncture. Black Friday and Cyber Monday will be a similarly important trading period for retailers again this year.
The retailers’ dilemma
The challenge for many retailers is that margins are tight, so minimising costs and maximising volumes is important – just look at Amazon or any of the major supermarket chains.
So costs and outgoings will again be a consideration and, regrettably, data protection and cyber security efforts more generally often fall into the discretionary spending category.
In the last 12 months there has been a dual focus in security on the cyber hygiene controls (the ones that are likely to be the first ones probed by an attack) and the way these are reported on. But not everyone is on board.
Basic security settings, configurations and processes can be surprisingly complex to get right – we all know we should patch systems, choose good passwords and have regular backups – but achieving that is harder in practice, particularly when the cost of goods keeps going up.
From a cyber security perspective, we are seeing a growing need for visibility and reporting of these controls by security teams. Management needs to understand its risk position through frequent and accurate assessments of the effectiveness of the organisation’s security controls, which is critical to informing data-driven security decisions.
If business has learned anything about digital transformation in recent years, it is that any process like this needs to be informed by technology rather than people – the repeatability, accuracy and cost of technology-driven solutions wins every time. It is the same in cyber security – oversight is important but the devil is in the detail and technology can help there.
The value of having a clear view of your cyber security controls and the vulnerabilities that threaten the IT assets of your network (increasingly referred to as your “attack surface”) is gaining recognition among security experts. The cyber security, and hence the ongoing operation, of your business could actually depend on those controls and technology platforms working.
Speed of execution
Speed is of the essence. This blog post will be published a couple of weeks before Black Friday and Cyber Monday. If you read this and don’t know the status of your controls, it is important that you take steps to fix that problem quickly. It is almost inevitable that cyber-attacks will keep coming.
With the growth of digital enablement across business and enhancement of the offensive capabilities of adversaries, the cyber attack surface areas of organisations will become an important line of defence. Only technology can gather the appropriate control performance and status information on cyber security in a time frame that is useful, and give you the chance to mitigate those risks before they become security liabilities, and even spare some time to validate the changes you’ve made before the big weekend.