The Black Friday weekend is traditionally one of the biggest of the year for online sales, but those sales hinge on the ability of retailers to keep their e-commerce sites going and to fend off threats from cybercriminals.
The stakes are undoubtedly high for retailers, as well as all kinds of companies, and so are the risks. Cybercriminals know that many IT security professionals will be home eating turkey instead of keeping an eye out for online attackers over the long weekend, making it a good time for them to launch an attack.
That’s why the Cybersecurity and Infrastructure Security Agency on Wednesday reminded companies, especially those that involve critical infrastructure, to keep their guard up, reiterating guidance it issued last year.
The message isn’t lost on Jon Hocut, head of information security at Brooks Running, who plans to stay close to his laptop the entire weekend. He’s charged with protecting the personal information of the runners who buy his company’s products, as well as guarding Brooks’ overall corporate systems from online attackers.
In terms of sales, the “cyber five” stretch, including Black Friday and Cyber Monday, is a huge sales event for the 100-year-old company known for its running shoes and apparel. Its e-commerce team expects traffic on the company’s retail site to jump 30% to 50% over those peak days.
If the site were to crash over the weekend, it could mean millions in lost sales and throngs of disappointed runners, but the Seattle, Washington-based company has more to worry about than that. Its computer systems also hold “shoe secrets” that need to be kept confidential, as well as the software that sends and tracks shipments to retailers.
The ransomware problem
The “worst nightmare” for many companies, Hocut said, would be a targeted ransomware attack, probably involving a Russian criminal gang staffed with cyberexperts, that would quietly infiltrate a company’s systems, then move through them without being detected.
The attackers would figure which systems are most critical, then find and compromise the company’s backed-up data. Everything would appear to be OK until around midnight on Thanksgiving, when the company’s incident response team is home, stuffed full of turkey and nearly asleep, he said.
“That’s when they start hitting all of your systems and taking them down,” Hocut said. “When you’re at your least ability to respond.
“That’s the nightmare, and that’s what we have to keep from happening.”
Ransomware really is nightmare stuff. The attacks, which have locked up entire computer systems at businesses, schools, hospitals and elsewhere, are getting more frequent, more successful and more expensive.
According to Sophos’ State of Ransomware report earlier this year, 66% of organizations surveyed said they were, up from 37% in 2020. And 6% of those attacks were successful in encrypting their victims’ data, up from 54% the year before. On top of that, the average ransom paid by organizations for their most significant ransomware attack grew by nearly five times, to just over $800,000, while the number of organizations that paid ransoms of $1 million or more tripled.
A big part of preventing that is making sure systems are locked down and there are enough people to respond if something does happen over the holiday weekend, Hocut said. At Brooks, the entire incident response team will be on call 24/7 over the holiday weekend.
The company also recently hired the cybersecurity company Illumio to help shore up its defenses. The idea is to segment off Brooks’ systems so that the damage is limited if a system is breached, said PJ Kirner, Illumio’s co-founder and chief technology officer.
Kirner likened the company’s systems to the structure of a submarine, noting that subs are built in compartments, so that if one part of a sub is breached, it can be sealed off and stop the sub from sinking. If a company can quickly detect a breach and prevent the attackers from moving through its systems, it also can limit the damage, he said.
The idea isn’t a new one. The inability of companies to silo off their most precious data has long been blamed for some of history’s most massive data breaches. But segmenting massive computer systems is easier said than done, Kirner said.
That’s particularly true for Brooks, Hocut said. The century-old brand, a subsidiary of Berkshire Hathaway, has seen significant growth in recent years. In 2021, its revenue totaled $1.11 billion, marking its first year over the $1 billion mark.
The threats companies face have also changed, Kirner said. While the thought of a massive data breach might have kept security professionals awake at night just a few years ago, the major threat now is the kind of ransomware attack Hocut described.
“If you look at attacks maybe five years ago, they were data confidentiality issues,” Kirner said. “You got the customer list, you got emails, you got credit cards. They were about a breach of confidentiality.”
Ransomware, in comparison, is about a company’s operations.
“Why are we talking about retail now? Because Thanksgiving is the most impactful operational day of the year,” he said, adding that customer data is just as valuable to cybercriminals any other day of the year.
It’s those operational threats that will keep Hocut and his staff on “maximum paranoia mode” at least through the end of the weekend. They’ll be taking a close look at any alerts that pop up and will be very grateful and happy when they turn out to be false positives, he said.
Other IT professionals may not be so lucky.
“I expect that 90% of my friends who do incident response as a specialty will probably be working on somebody’s painful experience this holiday weekend,” Hocut said.