The turkey has been stuffed, and the leftovers devoured. New York City has cleaned up the last vestiges of the Macy’s Parade, and college football players are preparing for finals. With all of these momentous end-of-November events behind us, customers are starting to think about gift-giving. While the average shopper puts up holiday decorations and prepares for the annual airing of grievances, online retailers need to make sure they follow best practices to protect customers on Cyber Monday.
What are the data risk statistics?
If 2019 follows the same shopping patterns as 2018, online retailers face both a profitable and risk-laden December.
A quick glance at Salesforce’s predictions for 2019 indicate that online retailers are going to have a short but sweet season:
- 50%: completed amount of revenue expected by 12/6
- 48%: estimated increase in digital shoppers purchasing online for pickup between 12/20 and 12/25
- 67%: percentage of shoppers planning to buy online this year
In other words, it’s a good year to be an online retailer.
Or is it?
In December 2018, Security Magazine reported:
- 22%: increase in online fraud attempts on government-issued IDs
- 109%: increase in attempted fraud perpetrated during the online verification stage
With an increased customer interest in purchasing gifts online in 2019, the odds that malicious attackers will increasingly target those vectors is better than an angry George Castanza on Festivus.
Why does Identity Governance and Administration protect my online retail business?
Many online retailers assume protecting themselves from malicious actors exploiting flaws in their cybersecurity controls, such as a firewall, is the best way to protect their customers’ information. As always, malicious actors are one step ahead of you. Since they know you’re already reinforcing those external vulnerability controls, they’re going to try to hit you where it really hurts: at the user access level.
Identity Governance and Administration (IGA), the premise that you need to make sure that the right users are accessing the right data for the right reason, focuses on protecting this shifting perimeter by preventing access to data resources and within IT ecosystems.
Often, malicious actors steal user credentials, such as login ID and password, to gain entrance to a data source. Taken a step further, malicious actors increasingly target privileged account credentials. After all, disguising themselves as an IT administrator with almost unlimited access to an organization’s entire IT ecosystem is a nearly perfect way to perpetrate a digital crime. Consider this the digital equivalent of “the butler did it” in old murder mysteries.
5 Best Practices for Protecting Customers on Cyber Monday
To protect yourself and your customers both during and after the holiday shopping season, you need to invest in an IGA solution that enables you to continuously monitor access to your on-premises, hybrid, and cloud-based ecosystems.
Limit Access According To Least Privilege
Although it might seem against the “streamlined budget-conscious” online retail mentality, large online retailers do hire seasonal workers. For example, one article estimates that Amazon will hire 30,000 seasonal workers in 2019.
To be profitable, you need these extra users up and running as fast as possible. You also need to ensure that they have the least possible amount of access to cardholder data. Manual birthright provisioning can take days or weeks, which means the jolly season will be over before your users have the access they need. To increase profitability, you need to automate your birthright provisioning process so that your seasonal workers have all the required access before they walk in the door.
Revoke Access as Soon as Possible
As Shakespeare would say, “aye, but here’s the rub.” Seasonal workers only last the season. Each seasonal employee account is another access threat. The risk is less about being able to trust that your seasonal employees will purposefully misuse their access and more about the potential for malicious actors to steal the credentials.
Credential theft occurs when malicious actors determine the formula your organization uses to generate user IDs then use software or code that helps them guess at the most used passwords, a process formally called “credential stuffing.” For example, if your company ID are email@example.com and someone sets a password like 123545, chances are a malicious actor is going to be able to hijack that account.
To protect customer information, you need to set time-bound rules that automatically revoke account access as soon as possible. If you leave unused seasonal worker accounts sitting around, they won’t be unused for long; a malicious actor will take them over.
Prevent Risky Access Requests
People always want more. More candy, more presents, more access. While more presents might be ok, more candy and more access both come with risks. Too much candy can lead to tooth decay while too much access can decay your access controls.
Many organizations find themselves short-staffed during the holiday season. With that in mind, helpful employees may ask for additional access to fill in where the company needs more hands. In a digital world, helping other departments or areas often requires access to another application or additional roles within current applications.
Maintaining cardholder data security requires you to think carefully about whether users can inappropriately access information. For example, a customer delivery worker who doesn’t want to burden an already overworked sales representative may request access to the customer order details to review an address. However, that access is outside the delivery worker’s job role and should not be granted because it puts the payment card details at risk. An overburdened IT staff or line of business manager may automatically grant access without making the connection.
To decrease IT burdens, you need a way that users can request access and automatically be granted no-risk access while requiring approval for requests which incur higher risk.
Govern Data Access
People are fickle. What someone buys today in your store, they may want to return tomorrow. Unlike brick and mortar stores where people hand over their cards, online returns and refunds happen digitally.
To protect your customers, you need to prevent people from transmitting cardholder data inappropriately. For example, an employee might take notes over the phone that include a customer’s credit card data, write those notes in a shared drive document, and then try to share that document using a link. Despite the best of intentions, this employee places the customer’s data at risk.
To protect against shared information, you should scan unstructured and structured data to prevent accidental cardholder data disclosures. With a data access governance tool, you can set criteria, such as cardholder name or primary account number, then scan the shared data. If the document contains protected data, the tool can quarantine the document and elevate for review or destruction.
Continuously Monitor APIs
As part of managing Payment Card Industry Data Security Standard (PCI DSS) compliance, many online retailers use application-programming interfaces (APIs) to receive (or even temporarily store) cardholder data.
Typically, the merchant creates a payment page that the customer’s browser displays as a payment form. The customer enters the data and sends it across the internet. The merchant’s web server transmits that data to the Payment Service Provider (PSP) which then receives it and sends it to the payment system which authorizes the transaction.
This process might seem secure, but malicious actors are sneaky. Increasingly, they target APIs using the same credential stuffing technique that they use against user IDs. APIs are another user identity in your IT ecosystem. Just like humans, they connect to systems, networks, or software where they interact with data, often transmitting it or changing it.
In the same way that you manage human user access to your software, systems, and networks, you need to manage your APIs. To protect your organization against API credential stuffing, you need to know what APIs access what resources and establish a governance process.
Why Saviynt? IGA to Protect Your Cardholder Data
Saviynt’s cloud-native, Gartner-recognized IGA solution enables e-commerce merchants to focus on what matters this holiday season – securing cardholder data to maximize customer trust and protect the organization from ending up on the naughty list of the front page.
Role-engineering for rapid birthright provisioning
Saviynt’s role-engineering capabilities help you create risk-aware role definitions across your entire IT ecosystem, enabling you to help onboard people quickly for that seasonal rush. With Saviynt’s platform, customers reduced the time their birthright provisioning takes to 24 hours.
Risk-based analytics for your seasonal workforce
Saviynt’s peer- and usage-based analytics give visibility to risk and enable organizations to prevent overburdened IT administrators and line-of-business managers from automatically approving potentially risky access requests. Once you create a risk-based access request workflow, we can automatically approve requests that meet your risk tolerance, elevating only those that need additional review.
Time-bound access revocation to prevent orphaned accounts
With Saviynt, you can set a termination time/date at the time you grant access. Instead of having to set yourself a reminder– or worse, just letting that access linger indefinitely– our platform automatically revokes access when the end date arrives. This feature prevents orphaned accounts that malicious actors often use as a backdoor into your ecosystem.
Scan unstructured data to prevent “share with a link” risks
Our data access governance intercepts documents when users share them internally or externally, then locks or quarantines them. The platform performs a data classification and risk analysis, then executes your data access policy such as sending the document for additional approvals/remediation/encryption. We won’t release the document until you complete the approval process.
Manage machine identities
Saviynt enables organizations to apply their identity governance controls to machine identities, such as APIs. Using our platform, you can establish controls over administrators and developers creating APIs and setting scopes. Additionally, our platform enables you to establish governance over APIs, just as you would for other user roles. Our combination of fine-grained access controls and near real-time analytics provide visibility into how your APIs interact with data to help you prevent unauthorized access.
Saviynt’s solution is here to help with the risks of the shopping season, and beyond. To learn more about how to leverage analytics and IGA to protect your e-commerce customers, contact us today.