How to Handle Retail SaaS Security on Cyber Monday - Adaptive Shield

How to Handle Retail SaaS Security on Cyber Monday

Arye Zacks, Sr. Technical Content Specialist

If forecasters are right, over the course of today, consumers will spend $13.7 billion. Just about every click, sale, and engagement will be captured by a CRM, Marketing or Customer Service platform and more operational apps. Inventory applications will trigger automated re-orders; communication tools will send automated email and text messages confirming sales and sharing shipping information.

SaaS applications supporting retail efforts will host nearly all of this behind-the-scenes activity. While retailers are rightfully focused on sales during this time of year, they need to ensure that the SaaS apps supporting their business operations are secure. No one wants a repeat of one of the biggest retail cyber-snafus in history, like when one U.S.-based national retailer had 40 million credit card records stolen.

The attack surface is vast and retailers must remain vigilant in protecting their entire SaaS app stack. For example, many often use multiple instances of the same application. They may use a different CRM or ServiceNow tenant for every region they operate in or have different tenants for each line of business. Each one of these tenants must set up their configurations independently, with each one limiting risk and meeting corporate standards.

Here are a few areas retailers should focus on to ensure their SaaS Security over the entire holiday season.

Control Privileges & Access in Your App Stack

Access Control settings are particularly important to retailers as they typically have a lot of employees, in many types of roles and responsibilities, from operations and infrastructure to bookkeeping and finance. Retailers need to limit who can enter an application and the privileges those users will have once inside the app. Access and visibility to sensitive data should only go to those who require it to perform their job functions. Creating role-based access and monitoring employees then ensures that they have an appropriate level of access based on their role is a key step in reducing the risk level.

One additional area worth reviewing is access granted to former employees. Former employees should almost always be deprovisioned as part of the offboarding process. When applications are connected to an SSO and access is only through that SSO, the offboarding is automatic. Unfortunately, many retailers have apps that either sit outside the SSO or allow employees to log in locally. In those circumstances, employees must have their access removed manually from each application.

Prevent Data Leaks

This is also a time of year when people receive emails to their corporate email addresses for end-of-year sales and promotions. Threat actors use this as an opportunity to carry out phishing attacks, making it all the more important to harden anti-phishing controls within the SaaS stack.

Pricing information is one of the most sensitive pieces of information retailers have. While web crawlers may have access to published prices, it’s of paramount importance to protect future pricing strategies and plans. During the holiday season, when competitors are looking for every pricing and promotion advantage, securing this information behind serious data leakage protection is a top priority.

When available, turn on encryption settings to prevent unauthorized users from viewing your critical data. Turn off the ability to share or email files outside the organization and require some form of user authentication before users can access boards, spreadsheets, and databases.

Protecting customer information from leaks should be another high priority for retailers. Nothing will drive customers away from your website than reports of personal information, such as PII (Personal Identifiable Information) and payment information, being leaked. Harden security settings to prevent unauthorized data leaks from the application.

One additional area of concern is mobile users. These devices are often unmanaged, and when used to access corporate SaaS applications, they can be used to provide threat actors with an entranceway into the application. Users should be directed to only use managed devices when accessing corporate applications.

Defend Against Insider Threats

Unfortunately, we live in an era of insider threats. In Adaptive Shield’s annual survey, 43% of respondents said they had experienced corporate espionage or an insider attack within their SaaS stack. Preventing these types of attacks are notoriously difficult, as authorized users log in with verified credentials and their nefarious activities are all within the parameters of their access.

‍For retailers, monitoring user activity is one way to detect threats before they turn into full-blown breaches. Monitoring and analyzing user behavior allows organizations  to identify these threat actors by detecting anomalies in their behavior. By analyzing behavioral anomalies, which might include accessing data during unusual times or downloading an unusual amount of data, retailers can uncover insider threats and protect themselves.

Automate SaaS Security to Secure Applications

Some retailers may monitor these settings and behaviors manually or with older technologies like CASBs. Neither of those approaches are likely to be effective. SaaS settings can change without notice, and it’s far too easy to miss the signs of threats to the application.

SaaS Security Posture Management (SSPM) tools, like Adaptive Shield are the only effective way for retailers to secure their whole SaaS stack. They automatically and continuously monitor settings, even over the busy holiday season, to detect and identify misconfigurations, unauthorized access, and users that need to be fully deprovisioned.

Using an SSPM, retailers can move ahead confidently, knowing that every tenant of their applications in every country they operate is secure. They can update strategies, retain customer data, and monitor users to prevent insider attacks.

About the writer

Arye Zacks, Sr. Technical Content Specialist

Arye takes complicated concepts and makes them easy to understand. A gifted storyteller with a marketing background dating back to the 90s, he knows how to engage readers with stories that address the challenges they face. Oh, and he is beloved for his skills on the grill and smoker.