Why this holiday sales season could be a blockbuster—for cyber risks

November 16, 2020 / 3 min read

Since the dawn of e-commerce, each successive shopping season has seen a greater share of consumers trading the crowded bustle of the mall (and the potential body slam of a Black Friday tussle) for the serenity of a virtual shopping cart.¹

With COVID-19 surging uncontrollably throughout the United States, this trend appears poised to accelerate. Sixty percent of consumers say they’ll be shopping online this holiday season, up from 56 percent who shopped online last year.² Other analysts predict online shopping to grow by 25-35 percent this year from 2019 levels. ³

GettyImages-1068209682_teaser

Given the unprecedented surge in cyberattacks following the outbreak of COVID-19, there’s a good chance that as more consumers shift their shopping to online outlets, cybercriminals will be waiting in the wings.⁴

‘Tis the season… for cyber perils

There are several elements that combine to make the holiday shopping season so opportune for cybercriminals.

Change freezes: As online retailers brace for a crush of traffic, they typically institute a “change freeze” wherein they do only the most critical security patches but leave other updates and security enhancements frozen in place until the frenetic shopping period ends.⁵ This freeze can be a period of vulnerability where firewalls and other critical IT systems aren’t updated to keep pace with constantly-evolving cybersecurity threats.⁶

Human psychology: The holidays can be an opportune moment for social engineering attacks, like phishing scams that target shoppers checking emails and texts for shipping updates or the latest too-good-to-be-true deals.⁷ Cybercriminals are also notorious for hijacking our holiday generosity with fake charity scams and other phishing lures.⁸

Attack volume: The sheer volume of cyber attacks and intrusions during the holiday season can mean that even cybersecurity systems that are 99 percent effective at detecting and thwarting cyberattacks suffer more breaches. It’s simple math—blocking 99 percent of 100 attacks yields one success, but blocking 99 percent of 10,000 yields 100 successful attacks.

Managing retail cyber risk

With 62 percent of retailers having reported a breach at some point in their history, including a third reporting breaches within the past year, it’s clear that cybercriminals have retailers in their sights.⁹ Retail businesses, in turn, appear cognizant of their vulnerability, with 39 percent telling surveyors that they were either “very” or “extremely” vulnerable to a cyberattack.¹⁰ Such attacks could lead to business interruption, ransom payouts, and damage to a retail business’ reputation—risk exposures that cyber insurance is designed to address.

“Annual holiday season retail e-commerce sales growth in the United States from 2013 to 2019,” Statista, October 2019,
< https://www.statista.com/statistics/426712/holiday-season-ecommerce-development-usa/>, accessed on November 10, 2020
“Retail Holiday and Seasonal Trends,” National Retail Federation, < https://nrf.com/insights/holiday-and-seasonal-trends/winter-holidays >, accessed on November 10, 2020.
“A Tale of Two Holiday Seasons: As a K-Shaped Recovery Model Emerges, Consumer Spending Heavily Bifurcated,” Deloitte, September 15, 2020, < https://www2.deloitte.com/us/en/pages/about-deloitte/articles/press-releases/a-tale-of-two-holiday-seasons-as-a-k-shaped-recovery-model-emerges-consumer-spending-heavily-bifurcated.html >, accessed on November 10, 2020.
Rachel England, “FBI sees cybercrime reports increase fourfold during COVID-19 pandemic,” Engadget, April 20, 2020,
< https://www.engadget.com/fbi-cybercrime-complaints-increase-fourfold-covid-19-091946793.html >, accessed on November 10, 2020.
“The importance of a code freeze before the holiday shopping season,” Netsphere, July 15, 2013,
< http://www.netspherestrategies.com/blog/the-importance-of-a-code-freeze-before-the-holiday-shopping-season/ >, accessed on November 10, 2020.
Matthew Pasucci, “The Dangers of the Holiday Freeze,” AlgoBuzz Blog, December 19, 2011,
< https://www.algosec.com/blog/the-dangers-of-the-holiday-freeze/ >, accessed on November 10, 2020.
Geoff Blaine, “Black Friday Cyberattacks: Businesses Face Surge of Malware, Ransomware on U.S. Shopping Holiday,” SonicWall, December 10, 2019, < https://blog.sonicwall.com/en-us/2019/12/black-friday-cyberattacks-businesses-face-surge-of-malware-ransomware-on-u-s-shopping-holiday/ >, accessed on November 10, 2020.
Gary Davis, “‘Tis the Season for Cybersecurity: Stay Protected This Holiday Season,” MacAfee, November 18, 2019,
< https://www.mcafee.com/blogs/consumer/consumer-threat-notices/holiday-scam-cybersecurity-survey/ >, accessed on November 10, 2020.
“2019 Data Threat Report – Retail Edition,” Thales, < https://cpl.thalesgroup.com/retail-data-threat-report >, accessed on November 10, 2020.
Ibid