Fighting cyber crime in the retail industry

The retail sector in the UK is thriving, which makes it an attractive target for cyber criminals.

The retail sector in the UK is thriving. Three million people work in the retail industry in the UK, which adds up to around one in ten of the working population. There are almost 300,000 retail outlets in the UK, generating a massive £3.5 billion of retail sales, which amounts to 5 per cent of total UK GDP.

Such a large economic powerhouse provides a very tempting target to cyber criminals looking for enterprises that they can hack into to steal money or, more likely, information on corporate or customer identities and bank payments details. Recent high profile retail industry victims include TalkTalk, VTech and Carphone Warehouse.

In 2014/15, the BRC Retail Crime Survey reported a 55 per cent increase in reported cyber crime against the British retail industry. Given the general under-reporting of cyber crime against business, this is almost certainly an underestimate. The BRC concluded that a majority of retailers had experienced an increase in cyber attacks and reported that most retailers regarded these attacks as a critical threat to their business. Hacking and theft of data were seen as the most critical threats.

Along with many other industries, the retail sector has been taking increasing steps to harden its corporate security perimeter against the cyber threat, with the routine use of anti-virus software and firewalls. The increased difficulty of breaching perimeter security, combined with the increased human resources available to cyber criminals, has produced a new point of attack, focused on the weakest link in the corporate security chain: human beings rather than technology. So-called “social engineering” relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is the art of manipulating people into performing actions or divulging confidential information, rather than breaking in using technical hacking techniques.

The retail sector is especially vulnerable to this trend: its army of potentially vulnerable employees and its large customer databases both provide a very tempting target for hackers. A large and diverse employment base, with wide variation in working hours and practices, can present an easy target for the growing number of hackers looking to get around corporate security perimeters through social engineering.

retailTRUST is a trade charity that aims to improve the wellbeing of employees in the retail sector, providing advice and support to both them and their employers. It has recently begun to tackle these new threats to its employees and to those it supports in the sector by implementing a leading-edge behavioural threat monitoring solution to trace and track suspicious activity on its own IT networks.

Having reviewed its current security measures, retailTRUST has seen the benefit, from both the organisation's and the employee's perspective, of implementing a behavioural threat monitoring solution. The one it has chosen, ThreatSpike, is delivered by IT services and solutions company Transputec. This type of solution has a number of benefits for the retail and other business sectors:

  • Leading-edge monitoring solutions can provide proactive intelligence to prevent unauthorised activity from taking place. This protects both the employee and the company from becoming victims of the cyber attacker.
  • A successful cyber attack will have negative consequences for the employee as well as the company, even if no fault is attributed. The business will suffer financially and could even go out of business, with the employee losing their job as a result.
  • If the employee has merely been negligent, this might well have disciplinary consequences under their terms of employment. High-level protection helps to prevent such negligence from happening, or to spot it quickly and minimise the consequences.
  • The latest monitoring solutions will trawl a network and provide hard evidence of both current and past suspicious or unauthorised activity. This comprehensive data trawl will catch the guilty, but will also provide grounds to clear someone who has been falsely accused without proper evidence.

The British Retail Consortium has also taken steps to help retailers counter the social engineering threat by publishing its Guide to Tackling the Insider Threat. This includes the following advice:

Understand all access points into the business's IT system - A comprehensive risk assessment of the insider threat to your business should include an examination of all the access pathways to your systems: wired networks; wireless; Bluetooth; USB and other removable storage; software; VPNs and mobile devices. Access to databases poses particular risks in terms of data breaches.

Put in place extra controls on access to your most sensitive data - Protect the most critical files or sensitive data from modification, deletion or download. Only members of staff who absolutely need access to these files should be given it. Most insiders steal intellectual property using authorised access, but in some instances the member of staff involved may have had a higher level of IT access than they actually required to do their job.

Strictly control the use of removable storage devices and downloads - Removable storage devices are an easy way in which a malicious insider can copy valuable or confidential data. Consider what removable devices are required by your business and specify how they can be used. Prevent sensitive data from being transferred to removable devices altogether and only allow data transfers to be carried out at particular workstations, by approved staff members.

Put in place activity monitoring systems and logs to identify suspicious activity - There is a huge range of software products available to allow automated monitoring of discrepancies in day-to-day IT activity. Such monitoring should allow you to track and create logs of activity such as staff access to databases, data usage, use of encrypted sessions, use of removable media, e-mail traffic and attempts to connect to VPNs.
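As an added illustration of the monitoring advice above (example code written for this page, not taken from the BRC guide, ThreatSpike or Transputec), the following Python applies three simple checks to constructed log lines: database access volume against a per-user baseline and shift hours, removable-media writes from workstations outside an approved list, and repeated failed VPN attempts. The log format, user names, workstation IDs and thresholds are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real data); one event per line: timestamp user event detail
SAMPLE_LOG = """\
2016-03-01T09:12:00 alice db_access customers
2016-03-01T10:05:00 bob db_access customers
2016-03-01T23:55:00 bob db_access customers
2016-03-01T23:56:00 bob db_access customers
2016-03-01T23:57:00 bob db_access customers
2016-03-01T23:59:00 bob usb_write WS-017
2016-03-01T11:00:00 carol usb_write WS-042
2016-03-01T03:10:00 dave vpn_connect failed
2016-03-01T03:11:00 dave vpn_connect failed
2016-03-01T03:12:00 dave vpn_connect failed
"""
# Policy values are assumptions for this example; a real site tunes them per role and shift pattern
BASELINE_DB_ACCESS = {"alice": 2, "bob": 1}   # typical daily database accesses per user
APPROVED_USB_WORKSTATIONS = {"WS-042"}        # only these workstations may write removable media
WORK_HOURS = range(7, 20)                     # 07:00-19:59 counts as a normal shift

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:  # skip blank or malformed lines rather than crash on them
            rows.append((datetime.fromisoformat(parts[0]), *parts[1:]))
    return rows

def find_suspicious(records, spike=3, vpn_limit=3):
    """Return {user: [reasons]} for the BRC themes: database access, removable media, VPN."""
    alerts, db_total, db_late, vpn_fail = defaultdict(list), Counter(), Counter(), Counter()
    for ts, user, event, detail in records:
        if event == "db_access":
            db_total[user] += 1
            if ts.hour not in WORK_HOURS:
                db_late[user] += 1
        elif event == "usb_write" and detail not in APPROVED_USB_WORKSTATIONS:
            alerts[user].append(f"usb_write from unapproved workstation {detail}")
        elif event == "vpn_connect" and detail == "failed":
            vpn_fail[user] += 1
            if vpn_fail[user] == vpn_limit:  # alert once when the failure threshold is reached
                alerts[user].append(f"{vpn_limit} failed VPN attempts")
    for user, n in db_total.items():
        base = BASELINE_DB_ACCESS.get(user, 0)
        if n > max(base, 1) * spike:  # volume spike relative to the user's own baseline
            alerts[user].append(f"{n} db_access events vs baseline {base}")
        if db_late[user]:
            alerts[user].append(f"{db_late[user]} db_access events outside shift hours")
    return dict(alerts)
```

Running `find_suspicious(parse(SAMPLE_LOG))` flags bob for the removable-media write, the access spike and the out-of-hours access, and dave for the repeated VPN failures, while alice and carol produce no alerts.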

Following this good advice, and making use of a good quality behavioural threat monitoring solution, can help all retailers to reduce their exposure to the growing tide of cyber crime and at the same time protect their employees against the impact of such security breaches.

Sonny Sehgal, CEO of Transputec
