Businesses advised to prepare for Cyber Monday

Many employees will spend a portion of their day hunting for bargains on the Monday following Thanksgiving weekend, and companies should prepare for the increased security risks, experts say.

The potential damage on Cyber Monday, a marketing term coined in 2005 by Shop.org, is greatest for small and medium-sized businesses. That's because they are less likely to have the technology for catching malicious Web sites or keeping Web browsers up to date.

Browsers pose the greatest risk because they contain third-party plug-ins that add capabilities, such as playing video or accessing Web services. The software modules often have to be updated independently from the browser, so many go unpatched for long periods of time.

Data collected from more than 1 million Internet-connected computers over the last 12 months showed more than half with critical vulnerabilities in browsers, security firm Qualys reported on Tuesday. A third of all installations of the most widely used plug-in, Java, contained security holes, closely followed by Adobe Flash with a quarter of all installations vulnerable.

Such flaws can be exploited by malware downloaded by an employee clicking on a malicious link on a website. Symantec says 61% of malicious sites are legitimate properties that have been compromised.

Once malware is installed in the computer, it can steal user names and passwords, as well as company data. Once in the corporate network, some malware can easily replicate itself in other systems.

"Frequently, security inside networks is a little more relaxed, because people need to share data," said Wolfgang Kandek, chief technology officer for Qualys.

Banning employees from shopping on the Web would be a difficult policy to enforce, so a better solution is for small- and medium-size businesses (SMBs) to prepare for the inevitable by updating all browsers to the latest version. In addition, only necessary plug-ins should be installed, and businesses should check to make sure the modules contain the latest patch.

Individual plug-ins can sometimes be configured to be more secure. For example, the ability to run JavaScript, which is often exploited to install malware, can be turned off in Adobe Reader, the software used to view PDF files.

Only a small percentage of companies need to run JavaScript in a PDF document. "I've had it off for two years and I've not noticed a difference," Kandek said.
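As an added example (not part of the original article or any vendor tooling), the PowerShell script below reports whether JavaScript is locked off for each installed Adobe Reader version on a Windows machine, and turns it off when run with `-Enforce`. It assumes Reader's documented policy location, a `FeatureLockDown` key holding the DWORD `bDisableJavaScript`, and that version subkeys sit directly under the install roots shown; the script and its parameter name are illustrative.

```powershell
# Added example: audit (and optionally enforce) the Adobe Reader JavaScript lockdown.
# Assumption: machine-wide policy lives under
#   HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\<version>\FeatureLockDown
# and DWORD bDisableJavaScript = 1 means JavaScript is off and locked for all users.
# -Enforce writes to HKLM, so it must run from an elevated session.
param([switch]$Enforce)

# Assumption: installed versions appear as subkeys of these roots (32- and 64-bit views).
$installRoots = @(
    'HKLM:\SOFTWARE\Adobe\Acrobat Reader',
    'HKLM:\SOFTWARE\WOW6432Node\Adobe\Acrobat Reader'
)
$policyRoot = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader'

# Collect the distinct version subkey names that exist on this machine.
$versions = $installRoots |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-ChildItem $_ } |
    Select-Object -ExpandProperty PSChildName -Unique

foreach ($ver in $versions) {
    $key   = Join-Path $policyRoot "$ver\FeatureLockDown"
    $value = $null
    if (Test-Path $key) {
        # A missing value yields $null rather than an error.
        $value = (Get-ItemProperty -Path $key -Name bDisableJavaScript `
                  -ErrorAction SilentlyContinue).bDisableJavaScript
    }
    $locked = ($value -eq 1)

    if (-not $locked -and $Enforce) {
        # Create the key only when absent so existing lockdown values are preserved.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name bDisableJavaScript -Value 1 -Type DWord
        $locked = $true
    }

    # One row per Reader version, suitable for Export-Csv across a fleet.
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        ReaderVersion       = $ver
        JavaScriptLockedOff = $locked
    }
}
```

Run without `-Enforce` first to see which machines are still exposed; a machine with no Reader install produces no rows.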

Many companies are aware of what employees will be up to come Cyber Monday. More than 60% of businesses surveyed by Dell said they expected productivity that day to decrease more than last year. That expectation is in line with the increase in retail sales over the years.

U.S. sales on Cyber Monday have increased steadily since 2006, when people bought $610 million worth of goods online. Last year, the amount topped $1.2 billion. Nevertheless, Cyber Monday is not the biggest online shopping day of the holiday season. That day is typically closer to Christmas.

Because of the popularity of Cyber Monday shopping, 59% of businesses were more concerned about loss of productivity than potential security threats to networks, even though hackers are extra busy sending out spam messages promising great deals.

Unfortunately, many employees may not be prepared to avoid such scams. Almost 7 in 10 businesses surveyed by Dell said employees could not identify fraudulent attacks on the corporate network.

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place