Implement MFA, store minimal information, and take employee cybersecurity training seriously to minimize data breach risk.
The holiday season is the biggest shopping time of the year, and for that reason, it's also the most popular time of year for cybercriminals.
With this post, we show retail teams how Auth0 can help them keep customers safe with three actionable tactics.
While these strategies are critical during the holidays, they're also highly applicable throughout the year. Teams that take security seriously are those that will safely scale and thrive in 2019 and beyond.
1. Implement Multi-Factor Authentication
With data breaches of retailers on the upswing in 2018 — including ones at Macy's and Adidas — teams clearly need extra support. Multi-factor authentication (MFA) delivers this. Implementing it correctly can make a huge difference in how secure your customers’ accounts are.
MFA ensures that even if a data breach does occur and passwords are leaked, hackers still can't get into customer accounts. To do so, they need a second piece of sensitive information, like a customer's thumbprint, facial features, or mobile device.
With Auth0 Guardian, you can add MFA to your site simply and securely.
After installation, retailers can easily switch on MFA push notifications. For your employees, it is a quick double-check that they are who they say they are (and that they are accessing sensitive customer data for work purposes). Customers with the Guardian app receive a QR code on their device that they can scan before accessing their account. It's one more protective barrier to be sure they're not a hacker holding the customer's credentials.
With more than 80% of passwords having inherent vulnerabilities, MFA is a critical investment to seal your customer data from unwanted eyes during times of high activity.
2. Only store the data and information you need
Storing only essential customer data means that if someone does get into your system, there’s less to exploit. This is a key component of complying with the EU's General Data Protection Regulation (GDPR). Some teams think that adhering to GDPR's strict standards is primarily to avoid hefty fines (the greater of €20 million or 4% of the global annual revenue); however, the standards are a must for protecting end users’ data and the integrity of your company.
If a cybercriminal does gain access to a company's confidential customer information, they can make off with:
- email addresses
- mailing addresses
- phone numbers
- customer device information
- financial data
- personal details like age, race, and religion
When hackers got into Under Armour's system this year, they were able to access many customers' hashed passwords. Since studies show that people tend to recycle their passwords, hackers have the ability to take these and access even more personal data in other accounts. The damage can quickly spiral out of control.
Storing less data can make you less of a target. You can also separate data, depending on how confidential it is. With Auth0's user management solutions, you can restrict access to specific data sets for only the most privileged employees.
3. Train employees in the importance of cybersecurity
Training employees in the importance of data security is an often overlooked—but essential—pillar of protecting your customers’ data. Taking the time to bring them up to speed on the latest cybersecurity concerns early in their onboarding process can help ensure that when the holidays roll around, they're on high alert.
When employees are aware of common hacks such as malware infiltration and phishing, they'll be able to recognize threats as they arise. And when they understand the reasons behind provisions such as automatic updates and multi-factor authentication, it’s easier to get their buy-in.
Our blog has many pieces you can use to help communicate security issues to your employees. Here are a few to get you started:
- Four Cybersecurity Attacks Your Employees Need to Know
- What is a Data Breach?
- What is Data Security?
You also might want to bring in experts for cybersecurity training sessions. While Auth0 doesn't offer these specifically, here are a few we recommend:
- InfoSec Institute's Security Awareness & Anti-Phishing Training. The program includes more than 1,000 phishing simulations, along with tailored learner assessments, to bring employees up to speed.
- The SANS Institute. This non-profit was established in 1989 and now collaborates with 165,000 security professionals worldwide. It offers many private training sessions to upskill existing IT team members.
- Inspired eLearning. These efficient modules even include security awareness training programs for executives.
Sometimes education isn't enough. If you do suffer a system breach, Auth0 can quickly step in to protect your customers with tools like anomaly detection and breached password detection. With anomaly detection, an admin receives a notification in the Auth0 dashboard about suspicious behavior, such as multiple failed login attempts, and can quickly block the user while researching the issue further.
With breached password detection, Auth0's security team works to keep a retailer informed if any of its customers' passwords match those in our database of leaked passwords (which we update daily). If we see a match, we can work with the retailer's IT team to block the potential impersonator from getting further into the system.
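As an added illustration of the two protections just described (not Auth0's own code, which this post does not show), the following Python sketches a failed-login detector run over constructed log events and a hash-based check against a constructed leaked-password set; the threshold, window, event layout and corpus are all assumptions.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (ISO timestamp, username, outcome), not real Auth0
# logs: Alice is being brute-forced, Bob mistyped twice, Carol's failures span two hours.
SAMPLE_EVENTS = [
    ("2018-11-23T09:00:01", "alice", "failed"),
    ("2018-11-23T09:00:15", "alice", "failed"),
    ("2018-11-23T09:00:40", "alice", "failed"),
    ("2018-11-23T09:01:02", "alice", "failed"),
    ("2018-11-23T09:01:30", "alice", "failed"),
    ("2018-11-23T09:02:00", "alice", "failed"),
    ("2018-11-23T09:05:00", "bob", "failed"),
    ("2018-11-23T09:05:20", "bob", "failed"),
    ("2018-11-23T09:05:45", "bob", "success"),
    ("2018-11-23T09:00:00", "carol", "failed"),
    ("2018-11-23T09:30:00", "carol", "failed"),
    ("2018-11-23T10:00:00", "carol", "failed"),
    ("2018-11-23T10:30:00", "carol", "failed"),
    ("2018-11-23T11:00:00", "carol", "failed"),
]

FAILED_THRESHOLD = 5            # assumed number of failures that triggers an admin alert
WINDOW = timedelta(minutes=10)  # assumed sliding window the failures must fall within

def flag_brute_force(events, threshold=FAILED_THRESHOLD, window=WINDOW):
    """Return the users whose failed logins reach `threshold` inside any `window`."""
    failures = defaultdict(list)
    for ts, user, outcome in sorted(events):
        if outcome == "failed":
            failures[user].append(datetime.fromisoformat(ts))
    flagged = set()
    for user, times in failures.items():
        start = 0  # index of the oldest failure still inside the window ending at t
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged

# Constructed leaked-password corpus, stored as SHA-1 digests so the plaintext list
# never sits next to account data; a production corpus would hold millions of entries.
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("password123", "qwerty", "letmein")}

def is_breached(password, leaked=LEAKED_SHA1):
    """Check a candidate password (at signup, login or reset) against the leaked set."""
    return hashlib.sha1(password.encode()).hexdigest() in leaked
```

Widening the window (for example to three hours) also flags Carol's slow, spread-out attempts, which is the tuning trade-off an admin faces between catching low-and-slow guessing and alerting on ordinary typos.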
Take advantage of what the season has to offer.
Holidays are the most important time of the year for retailers. It's when most retail teams make the majority of their sales, and missing out due to a security breach can set you back several quarters or years from hitting your targets. It’s more important than ever to keep your customer data safe so they continue to trust and work with you.
It’s never too late – or too early – to start thinking about the best ways to do so. Auth0 would love to help. Reach out at any time, and we'll be glad to set you up.
Auth0, a global leader in Identity-as-a-Service (IDaaS), provides thousands of customers in every market sector with the only identity solution they need for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 2.5 billion logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its global customers that are located in 70+ countries.