During a much-anticipated Black Friday weekend, shoppers shifted their spending online far more than in prior years: in-store sales rose only 1% from 2022, while online sales jumped a whopping 8%, according to a Mastercard analysis.

A retailer’s ability to maintain an online shopping experience that prioritizes availability and customer experience is critical to ensuring a sale and a returning customer. This is especially true over the holidays, when online sales have become a cornerstone of a profitable retail company. But cyberattacks continue to threaten the availability of online shopping for retailers — and the profits that come from it. Here are a few examples:

  • Earlier this month, Staples was hit with a cyberattack that started on Cyber Monday and disrupted website processing and delivery capabilities, customer service lines, and communications channels.
  • In November, Ace Hardware was hit by a cyberattack that disrupted shipments to franchise owners by suspending warehouse management systems, retailer mobile assistants, invoices, Care Center phone systems, and Ace Rewards, which continued for over five days.
  • In August, Clorox was hit by a cyberattack that disrupted portions of its IT infrastructure and forced personnel to take systems offline and process orders manually. Clorox later stated that its quarterly profits decreased because of the cyberattack and that the effects may be felt into 2024.

Forrester’s recent Security Survey underscores this trend: Security leaders at retail and wholesale companies report that they were breached an average of 6.8 times over the past year, compared to 3.4 times in 2022. This aligns with many of the challenges we see in the retail space, which, according to Forrester data, often has fewer chief information security officers and fewer security staff than other industries.

These challenges cannot be fixed overnight. Fixing them requires getting buy-in for the information security function, hiring the right staff, and, ultimately, putting in the work. So what can you do now? Here are a few things that every organization should do to prepare for cyberattacks this holiday season and into 2024:

  • Raise awareness with your staff. Employees are your first line of defense against cyberattacks. Helping them understand cyberattacks — especially those that pose the biggest threat, like ransomware — is critical. Gamify finding phishing attacks so that they know what to look out for, as phishing attacks are one of the main ways that cybercriminals target users.
  • Implement strong password use. Breaking into user accounts through weak passwords is a familiar pastime of cybercriminals. Further, once attackers know a password, they will often try to leverage it to access other accounts that reuse the same password. Enforce a policy of strong passwords and no password reuse in your organization to make sure that attackers cannot break into accounts.
  • Prepare your incident response plans. If an attack happens, a fast and effective response can make the difference between hours and days of downtime. Incident response plans must extend to all parts of the business, not just security. When website processing or other IT systems go down, on-the-ground employees have to take action, often manually. Preparing those teams with what to do and when can make a massive difference in uptime.

If you’re a Forrester client and want direct advice on how to prepare your organization this holiday season, please schedule a guidance session or inquiry with me.