Cyber attacks are always bad news for companies that make their money through online retail. But the price tag for attacks during the all-important holiday season is eye-popping, according to a new study by RSA Security and The Ponemon Institute.
Ponemon released the results of a survey of 1,000 retail-focused IT professionals on Monday. Data collected from the survey population pegged the direct cost of Holiday Season cyber attacks at around $8,000 per minute – or $480,000 an hour.
Modern attacks, which often use global “botnets” of compromised systems to abuse business logic flaws in sophisticated e-commerce sites are also difficult to detect. More than three quarters of all attacks are not detected quickly, according to data from RSA and Ponemon.
The report paints a picture of a treacherous holiday online shopping season, beginning with “Cyber Monday” (the first Monday following the Thanksgiving holiday) and continuing through Christmas. Online retailers may see a 55% jump in online shopping volume via computer and mobile device during the month. But 64% of those surveyed by Ponemon also said they saw attacks and other malicious activity increase during the period.
Botnet and distributed denial of service (DDoS) attacks, mobile “app store” fraud, click fraud and eCoupon abuse are among the attack scenarios that retailers expressed concern over, RSA and Ponemon reported.
Despite the costs to their business, close to seven in ten of those surveyed said that their organization does not take additional precautions in anticipation of the attacks, the companies reported. Demetrios Lazarikos, an IT Threat Strategist at RSA, said that online retailers often have a difficult time identifying modern attacks, which manipulate so-called “business logic” flaws in the underlying application code.
Cyber criminals also increasingly rely on global “botnets” of compromised computers to carry out attacks on retail sites, moving through web sites at lightening speed to abuse any vulnerability or loophole. Online retailers that hope to attract customers with online deals, sweepstakes and coupons often find themselves on the receiving end of automated attacks that can inflate the cost of such offers or knock web applications offline and deny legitimate (human) customers an opportunity to participate.
There are many reasons for retailers’ struggles with online attacks, Lazarikos said. Chief among them: aging applications that lean on older, “legacy” code and a lack of secure coding expertise within the development organizations that maintain them.
“In my experience, you have legacy features that are still out there. Often, the developers who wrote the code are gone and you have contractors who have come in to maintain it, but nobody really understands what the code does,” he said.
Retailers need to inject security earlier into the application design process, he said. They also need better security analytics that can spot automated attacks. For example, companies should know what normal online shopping sessions look like so that they can spot unusual activity that may be associated with automated hacks, he said. Holiday traffic patterns should resemble normal traffic pattern on your site, even if the volume of it is greater, he said.
Retailers often see the cost of adding security during the design and deployment phase as an optional cost that isn't justified by the (unlikely) event of an attack and web site outage. However, retailers need to think more broadly about the true cost of disruption, Lazarikos said.
The Ponemon survey, for example, said that retailers could lose as much as $3.4 million an hour for a web site disruption during the holiday season, after lost business, damaged reputation and customer churn are factored in. Finally, having to respond to an attack also diverts internal resources from the “front lines” where they can help serve customers, he said.
RSA said that retailers should look for some telltale signs of automated attacks. Specifically: scripted traffic that attempts to log-in to or traverse a site at a high velocity should be a red flag for online retailers.
Retailers should also keep an eye out for traffic coming from unusual domains or locations, and consider throttling traffic from areas of the globe that often serve as the source of online attacks. “For example, you might look at your sales to customers in Romania last year,” he said. “If it was negligible, you might consider throttling traffic from that region as a precaution.”
In designing online promotions, retailers should think about ways to prevent abuse, he said. Special offers should be one-time offers and have a hard expiration date. Don’t allow customers to forward or recirculate coupons, he said. Finally, IT security should coordinate with the business side of operations ahead of the holiday season. “You need to understand what campaigns are going out and what is the time frame,” he said.