Were you unable to attend Transform 2022? Check out all of the summit sessions in our on-demand library now! Watch here.

As we enter the holiday shopping season, many retail organizations go into a “production freeze” where they halt updates and configuration changes in their payment and order fulfillment systems to limit the risk of interruption and slowdowns to mission critical systems. IT teams and security folks are scrambling to test and lock in configurations, verify controls, and plead to their respective deities that systems perform exactly as intended during the shopping rush.

This creates a particularly interesting situation: There will be very little in the way of updates to those systems over the next 90 days. Any steps to prevent an incident – that would make an organization a harder (or more expensive) target for criminals — are now on hold until after the holiday rush.

Think of this in terms of the security life cycle: Prevent, Detect, Correct – it’s also a good way to simplify the NIST cyber security framework — from this point forward, energy investment should shift from prevent to detect and correct.

Attackers already inside an organization will stay quiet until the time is right, as they will see more credit cards in the next couple of weeks than the next six months combined.

Here’s how organizations can prepare for the days ahead:

1. Check all third-party access and remote access pathways into payment networks. Change passwords and lock out vendors that do not need access right now.

2. Be 100 percent confidant that payment networks do not have access to the Internet, on any protocol, in any way. Some systems do online payment clearance and settlement. Make sure those systems can only talk to specified host names or addresses on defined ports.

3. Double and triple check network restrictions and segmentation, make sure guests and contractors cannot find a path into the payment networks.

4. Look for anomalies. Some organizations have enough similarity in their systems (like point of sale registers and kiosks) they can compare live systems to “known good” configurations.

5. Carefully observe account behavior. Monitor for and immediately investigate out-of-character behavior and login events from unexpected locations, especially in sanitized zones like payment networks, web, and database systems.

6. Increase your visibility through information sharing. There are groups like the R-CISC where retailers are safely sharing information and actively identifying attacker tools and techniques as well as tips on how to identify if they have a foothold in your environment.

Now is the time to pay close attention. If you didn’t stop the attackers from getting inside, this is your opportunity to prevent them from cashing in. Watch closely, and make it safe for your team to speak up if anything is out of place.

Trey Ford is Global Security Strategist at Rapid7.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.