theNet by CLOUDFLARE

Build your holiday readiness strategy

Prepare your ecommerce business for new security threats

Retail organizations typically spend several months preparing for the holiday season. And in my discussions with retailers, I often hear that preparation is becoming more difficult every year.

The holiday season remains a make-or-break period for most retailers. Purchases in November and December often comprise about 19% of total annual sales. And a growing volume is happening online: Salesforce reported that online sales reached an all-time high of $1.2 trillion globally in 2024, with $282 billion in purchases in the United States.

According to the same report, the majority of those global online sales — 69% — were made using mobile devices, up 2% from the previous year. As mobile sales continue to grow, low-latency performance, availability, and security for ecommerce sites and applications have become increasingly critical to delivering the experience customers want around the globe.

Given the rising tide of online sales, it’s no surprise that retailers spend months making sure they are ready for the seasonal flood of customers. First, they have to accommodate growing traffic volumes and evolving customer expectations. Retailers tell me they need to streamline checkout experiences, accommodate more mobile transactions, and deliver more personalized experiences, while also providing responsive technical support (like automating password resets). They also have to be ready to scale up infrastructure and ecommerce throughput in line with successful marketing campaigns.

At the same time, they have to plan for more threats from cybercriminals, who see tremendous opportunities for fraud, extortion, and other crimes in those rising levels of ecommerce traffic. Retailers must defend against not only traditional types of attacks and tactics, but also more powerful and sophisticated AI-powered threats.

To succeed during the holiday period, retailers need to build more engaging experiences, scale performance, and address the latest threats — all without adding costs or complexity.


Facing new and ongoing ecommerce challenges

Several IT objectives for retailers remain consistent from one holiday season to the next. For example, retailers must keep their entire ecommerce infrastructure continuously online — from APIs and payment gateways to the websites and mobile apps that customers use to make purchases. At the same time, many of the retailers I talk to are focused on delivering fast, convenient experiences across all channels.

But new cybersecurity threats, traffic spikes, and limited resources are standing in the way of delivering these engaging, always-on, omnichannel experiences.

New cybersecurity threats: The number, size, and sophistication of cybersecurity threats continue to grow — and existing tools and processes are often inadequate to stop them.

In addition to attempts at fraud, cybercriminals are mounting large-scale, AI-enhanced attacks that could severely disrupt ecommerce operations. For example, cybercriminals are creating hyper-personalized phishing messages and using deepfakes that can dupe employees into entering credentials on spoofed sites or conducting fraudulent financial transactions. They are also launching autonomous ransomware attacks, which use AI to adapt to and overcome traditional defenses.

Addressing these threats is crucial for retailers: Downtime caused by a single attack could cost a retailer millions of dollars in revenue.

Traffic spikes: Requests to ecommerce sites (from legitimate shoppers) reached 405 billion on Black Friday 2024, according to data analyzed by Cloudflare. On that day, retailers saw a 50% increase in shoppers week over week and a 61% increase compared with the previous month. Overall, online sales in 2024 were up 3% globally compared with the previous year.

Retailers need to be sure their infrastructure is ready for greater demand because any increase in latency can have a significant impact on sales. If your ecommerce website pages or apps load even a hundred milliseconds slower because of higher traffic, shoppers might abandon their carts and click over to an alternative retailer. One recent study showed that pages that take more than four seconds to load experience a bounce rate of 63%.

Limited resources: IT and developer teams are being asked to deliver new, more engaging online experiences and handle growing traffic volumes while security teams must protect against threats — all with fewer resources and tighter budgets.

For many of the retail organizations I work with, addressing these challenges will mean augmenting security and finding ways to enhance customer interactions — building new, omnichannel experiences and reducing latency, even as the volume of visits and transactions grows. No matter what your plan is, maximizing the efficiency of your team’s work will be essential.


Strengthen security with a unified platform

Make sure you are prepared for the most prevalent and potentially damaging ecommerce attacks, including bot, distributed denial-of-service (DDoS), and ransomware attacks. Choosing a single, unified platform that can address all these cybersecurity threats will enable you to control costs and management complexity.

Bot attacks: Individuals or organizations might use bots to scrape content from your site or attempt fraudulent purchases. For example, competitors could scrape pricing from your site in an effort to undercut your pricing and gain a competitive edge. Attackers might use bots for password spraying or credential stuffing against loyalty programs. If attackers successfully gain access to customers’ loyalty accounts (which often lack real-time security capabilities), they could make unauthorized purchases using customer points or saved payment methods.

Adopting an advanced bot management service helps you distinguish good bots (like search engine crawlers) from bad ones. By accurately classifying bots, you can block bad ones automatically. You can also present challenges to bots without resorting to CAPTCHAs that frustrate real users.

DDoS attacks: Defending against today’s large-scale DDoS attacks requires cloud-based DDoS protection delivered through a network with tremendous capacity. Some of the largest attacks today generate several terabits of traffic every second, far more than any single organization’s website could handle alone. Routing that traffic through an enormous network, however, absorbs that malicious traffic without affecting website availability or performance for users.

Ransomware: Preventing ransomware attacks often starts by strengthening email security and improving cybersecurity awareness among employees, since many ransomware attacks begin with phishing schemes aimed at stealing user credentials. Requiring multi-factor authentication (MFA) for both employees and customers can help prevent the use of stolen credentials. And implementing zero trust security can stop attackers from gaining access and navigating laterally in an IT environment even if passwords or endpoint devices are compromised.

Data protection: End-to-end encryption and capabilities for preventing client-side attacks are critical for protecting sensitive transaction and customer data while complying with the Payment Card Industry Data Security Standard (PCI DSS). You also need to protect data from loss. Data loss prevention (DLP) capabilities can help you establish strict policies for protecting sensitive data and employ real-time detection to stop data from leaking. In addition, network segmentation can help you isolate sensitive data, preventing its loss even if attackers gain some degree of access to your network.


Deliver omnichannel experiences, efficiently

Providing responsive, low-latency digital experiences — and ensuring consistent experiences across channels — will be necessary to keep customers engaged and buying. Before the holiday season traffic hits, you might need to scale your infrastructure — or better yet, tap into cloud services that can accommodate peak shopping periods without performance slowdowns.

Building consistent and engaging omnichannel experiences might require new developer tools. Consider platforms that let developers access AI models to create personalized buying experiences that include personalized offers and loyalty programs. The right platform will also enable you to efficiently scale up customer support, which will be critical as traffic reaches peak level.

Leveraging an API-first approach to development allows you to connect multiple systems. You can more easily bridge online and offline retail operations, providing more seamless omnichannel experiences for shoppers. Of course, APIs are also an increasingly popular attack vector: Many organizations lack the security, architecture, and lifecycle management to protect APIs. So, transitioning to an API-first approach will require some security planning.

As you evaluate cloud services for building new experiences, look for platforms that offer automated application scaling. You need to accommodate that rising traffic during the holiday season without having to scramble to deploy more servers and other application resources manually.

If you are adding capabilities or tools, choose an integrated platform. The right platform will deliver the performance, security, and app development capabilities together, without requiring your team to navigate disparate tools. You can avoid the costs and complications of purchasing software from multiple vendors, integrating applications, and managing upgrades of individual applications.


Ready for the holiday ecommerce rush?

Cloudflare helps accelerate holiday preparedness through a unified platform of cloud-native services. Cloudflare offers scalable performance to deliver low-latency digital experiences; a full range of cybersecurity capabilities to stop attacks; and a developer platform for building and enhancing omnichannel experiences.

Providing cloud-native services through a single, integrated connectivity cloud platform enables you to prepare for the holidays quickly and efficiently: You can add all the cloud-based services you need with a few clicks — and without having to procure them from multiple vendors or manage numerous tools. As a result, you can have the performance, security, and app development capabilities in place long before the holiday season begins.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.



Dive deeper into this topic.

Discover key strategies for strengthening security, improving customer experiences, and increasing efficiency in the Peak shopping ready: Four pillars of secure omnichannel retail ebook.


Author

Christian Reilly — @reillychristian
Field CTO, Cloudflare


Key takeaways

After reading this article, you will be able to understand:

  • The latest cybersecurity threats facing ecommerce retailers

  • Essential capabilities for addressing these threats

  • Strategies for improving omnichannel experiences


