Elizabeth Weise

USA TODAY

SAN FRANCISCO — The holiday sales season and the online crush that accompanies it might seem a natural field day for hackers looking to attack the small and midsize retailers who depend on these sales to bump them into the black.

Surprisingly, it's not.

An analysis by IBM finds that cyberattacks don't peak during November and December. That's good, because security and IT staff are slammed as they are just making sure nothing breaks during the crucial sales season.

The list of things that could go wrong for retailers is far too long for comfort, security experts say. While many businesses see a downturn in activity over the holidays, for retail it's their lifeblood.

They know their employees could fall prey to "phishing" e-mails enticing them to disclose account information. They could unknowingly download malicious software by surfing the Web. Or they could use easy-to-break passwords.

Seasonal temp workers represent a huge potential weakness to the best-designed systems, said Akli Adjaoute, CEO of Brighterion, a San Francisco-based security firm.

"These less-trained workers that are hired during the holiday season are much more vulnerable to social engineering attacks," he said.

Training and actual bans on accessing the Web are key to avoiding trouble, according to a report by the Retail Cyber Intelligence Sharing Center.

Otherwise, "During low-volume hours, cashiers, clerks and seasonal workers may find fun things to do on the Web," the center said in a report issued this month.

Anything that could knock out a company's ability to sell online represents a huge blow to profitability. This year, Black Friday online sales are projected to be $2.48 billion, according to Adobe Systems' Digital Index online shopping forecast. Cyber Monday is projected to have sales of $2.6 billion.

IBM's Managed Security Service analyzed several years' worth of data loss records at USA TODAY's request and found that the Thanksgiving holiday weekend is not when crooks come calling.

"I went into this thinking it seems likely that corporations are attacked more during Black Friday — it's ripe for attack," said John Kuhn, an IBM senior threat researcher.

But when he looked, Kuhn couldn't find an uptick in attacks during the holidays, "not just to the retail industry, but for any industry," he said.

He speculates that attacks occur all year, as hackers are constantly looking for systems to infiltrate. Once in, they often spend months collecting and sneaking out data.

That's good news but no reason for companies to let down their guard. Hackers may not strike in December, but if they got there during swimsuit season, Christmas sales will suffer.

Protecting, testing and guarding systems to ensure there are no infiltrations and that the company's payment system can withstand denial-of-service and other brute-force attacks is crucial, say experts.

"It takes roughly six months to really prepare" for the holiday season online, said Peter Tran of computer security firm RSA.

Security upgrades must be installed, systems tested and monitoring put into place.

In addition, many companies put tech and security teams on retainer, so they can come in at a moment's notice if anything hits. All that takes time.

"It's like calling a swat team in; they already know the lay of the land," said James Christiansen of Accuvant, which provides security for the enterprise.

By the beginning of November, most retail operations kick into what's known as the "holiday freeze." At this point all new software and hardware must be installed, tested and then "left alone," said Demetrios Lazarikos, an Internet security consultant who owns Blue Lava Consulting.

The biggest shopping season of the year is not the time to introduce anything new into the network.

"The fear is that you're going to break a system," he said. That doesn't mean that critical software updated or security patched aren't installed, simply that anything optional is put on hold until January.

Next, the tech teams start running simulations. "You test the system; you stress it; you anticipate the traffic," he said.

"The week before Thanksgiving you're going through the playbook. What happens if we get hacked? What if there's a denial-of-service attack? What does our incident-response plan look like?" said Lazarikos.

All of which is made more difficult because the day the deluge starts keeps getting pushed earlier, he said.

In the past, security teams came in and set up for the big crush around Cyber Monday, the first day back at work when everyone started their online Christmas shopping. That was in the days when most people didn't have access to a home computer.

Now the online rush is hitting much earlier. Things start to run "hot" online beginning in October. There's a huge uptick simply from shoppers buying in stores on their phones on Black Friday itself.

At this point, any retailer needs to make sure it has "eyes on glass" 24 hours a day to monitor and fix any problems before the system — and sales — goes down, said Tran.

Not until Dec. 28, when the last, "Hail Mary pass" orders have been placed and sent, do the security teams finally get to go home.

"That's just life in this sector," said IBM's Kuhn.