
Cybersecurity risk in retail and how to handle it

(Image credit: Sergey Nivens / Shutterstock)

Hackers and their tactics evolve daily, but one thing remains the same: retailers are prime targets for a cyber attack. The issue is so widespread that, according to Alert Logic’s cybersecurity report, “Critical Watch Report: The State of Threat Detection 2018,” retail topped the list of the eight industry sectors covered (4,000 organisations in total). Given this, along with the sheer volume of cyber attacks that occur daily, it is vital that retailers step up their IT security game when it comes to protecting their customers’ personal information. Understanding the risks involved, along with the steps that can be taken to mitigate them, will help retailers both large and small.

The cloud conundrum

When it comes to retail, cloud adoption is a double-edged sword: on one hand a modern step forward, on the other an infinite opportunity for malicious actors. Retail knows e-commerce is already a main target for cyber attacks because of the rich pickings of consumers’ personally identifiable information (PII) required to complete transactions. This information gets stored for future use or targeted marketing; we all know the story by now. When a retailer is hacked, potentially millions of individuals fall victim, with their information stored and sold on the dark web, ready to be merged with other data sets to build up useful profiles of members of the public.

This isn’t just bad on a personal level for each affected customer but it will also severely damage brand reputation, sometimes irretrievably.

Web application attacks can be wicked

It doesn’t matter how large or small the company: cyber attacks have become so sophisticated that no business is immune. Retail, hospitality and accommodation topped the list of most targeted industries out of the 4,000+ organisations analysed in Alert Logic’s cybersecurity report, but the margin of their “victory” was slight, because automated spray-and-pray attacks hit every industry. Web application attacks continued to dominate across all industries, with retail, hospitality and accommodation taking the top prize at a whopping 85 per cent. This represents a five per cent increase in web application attacks in retail since 2017, cementing them as the attack of choice on the public network.

Retailers running e-commerce platforms should be aware that they are more likely to be running older IT security features, which need to be augmented with security processes and reviewed much more often. Even newer systems may not be fully resistant to all application attack techniques. Attackers are increasingly launching multiple automated probes against systems, searching for weaknesses that can be exploited to gain access. That access then serves as a point of ingress for further attacks, giving attackers a means of stealing financial information or of obtaining goods without payment.
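The automated probing described above shows up in ordinary web server access logs well before any exploitation: one client walks a list of guessed paths and collects 404s in quick succession, while a genuine shopper browses real pages with the odd missing image. The script below is an added example, not code from the article or from Alert Logic. It runs over constructed Apache/nginx combined-format log lines embedded inline, and the thresholds (five or more requests within 60 seconds, more than half of them 404s) are assumptions that a retailer would tune against its own traffic baseline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined log format); not taken from any real system.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Nov/2018:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.19"
203.0.113.10 - - [24/Nov/2018:10:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "python-requests/2.19"
203.0.113.10 - - [24/Nov/2018:10:00:02 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.19"
203.0.113.10 - - [24/Nov/2018:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "python-requests/2.19"
203.0.113.10 - - [24/Nov/2018:10:00:03 +0000] "GET /shell.php HTTP/1.1" 404 162 "-" "python-requests/2.19"
203.0.113.10 - - [24/Nov/2018:10:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 162 "-" "python-requests/2.19"
198.51.100.7 - - [24/Nov/2018:10:00:05 +0000] "GET /products/shoes HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2018:10:00:09 +0000] "GET /products/shoes/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2018:10:00:15 +0000] "POST /cart/add HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2018:10:00:20 +0000] "GET /images/missing.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse(lines):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield {
                "ip": m["ip"],
                "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "path": m["path"],
                "status": int(m["status"]),
                "ua": m["ua"],
            }


def find_probing_clients(lines, window_seconds=60, min_requests=5, max_404_ratio=0.5):
    """Flag client IPs whose requests fit inside the window and are mostly 404s.

    Thresholds are assumptions for this example; tune them against real traffic.
    Returns {ip: summary} so the caller can feed a blocklist, a WAF rule or a ticket.
    """
    by_ip = defaultdict(list)
    for rec in parse(lines):
        by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(recs) < min_requests or span > window_seconds:
            continue  # too little activity, or spread out like a normal session
        not_found = sum(1 for r in recs if r["status"] == 404)
        if not_found / len(recs) > max_404_ratio:
            flagged[ip] = {
                "requests": len(recs),
                "not_found": not_found,
                "distinct_paths": len({r["path"] for r in recs}),
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_probing_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

On the constructed input only 203.0.113.10 is flagged: six requests in two seconds, all 404s, from a scripting user agent. The shopper at 198.51.100.7 has a single 404 across a normal browsing session and stays below both thresholds. Feeding the same function a rolling tail of the live log gives a cheap early-warning signal that complements, rather than replaces, a web application firewall.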

Furthermore, the public-facing nature of the retail industry means that cybercriminals can exploit the public’s general shopping trends, using them as opportunities to launch cyber attacks at particularly busy periods and co-opting retailers’ own campaigns to sneak into a user’s awareness or site browsing. That means taking advantage of popular shopping times when retailers are all attempting a sales push (Black Friday, the Golden Quarter or the post-Christmas January sales): cybercriminals do exploit this increased traffic as cover for cyber attacks.

Developing and running e-commerce applications is pure economics; the security of the application is often a low priority compared to delivering a positive customer experience. This lack of attention to security measures coupled with an increase in investment by attackers means that application attacks are likely to remain a significant risk for the retail industry now and in the future.

An evolving and challenging cyber threat landscape

Cryptojacking attacks are also on the rise. In this type of attack the hacker hijacks the target’s systems to leverage their processing power, then uses it to mine cryptocurrency. Although nominally similar to ransomware, these attacks are much more dangerous, because the payoff depends on not being spotted: where ransomware could be clunky and half-finished and still get the job done, in cryptojacking increased sophistication pays off.

The result for businesses is slower-performing websites and rising infrastructure hosting costs, again something that is easy to overlook with the apparently infinite elastic resources of the cloud.

To mitigate this risk, retailers must look to system hardening and regular patching, as these practices make it harder for adversaries to gain access to systems and limit the ability to place cryptominers on systems. It’s also important to note that as hacker techniques become more widespread and sophisticated, organisations must have a comprehensive cybersecurity strategy in place. The impact of these data breaches can be catastrophic, especially in retail where brand reputation and loyalty are the keys to success.
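The cryptojacking section above names two things a defender can actually measure: the sustained processor load that a miner produces (as opposed to a short traffic burst), and hosts that have fallen behind on the patching the author recommends. The script below is an added example, not from the article or from Alert Logic. The host telemetry samples, host names, the process allowlist and the last-patched table are all constructed, and the thresholds (three consecutive samples at or above 90 per cent CPU, patches older than 30 days) are assumptions to be tuned per host role.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry: (host, ISO timestamp, CPU %, busiest process). Not from any real environment.
# "kworkerd" is a made-up name standing in for "a process that is not part of this host's services".
SAMPLES = [
    ("web-01", "2018-11-24T10:00:00", 18.0, "nginx"),
    ("web-01", "2018-11-24T10:05:00", 22.0, "nginx"),
    ("web-01", "2018-11-24T10:10:00", 95.0, "nginx"),   # one spike: a sales-push traffic burst, not sustained
    ("web-01", "2018-11-24T10:15:00", 20.0, "nginx"),
    ("web-02", "2018-11-24T10:00:00", 97.0, "kworkerd"),
    ("web-02", "2018-11-24T10:05:00", 98.0, "kworkerd"),
    ("web-02", "2018-11-24T10:10:00", 99.0, "kworkerd"),
    ("web-02", "2018-11-24T10:15:00", 98.0, "kworkerd"),
]

# Assumed baseline of processes expected to be busy on a web tier host.
EXPECTED_PROCESSES = {"nginx", "php-fpm", "node", "java"}

# Constructed: date of the last successful patch run per host.
PATCH_STATE = {"web-01": "2018-11-20", "web-02": "2018-08-01"}


def sustained_cpu_hosts(samples, threshold=90.0, min_consecutive=3, expected=EXPECTED_PROCESSES):
    """Return hosts with >= min_consecutive consecutive samples at or above threshold.

    A single spike resets nothing worth reporting; only an unbroken run counts. The summary
    records which processes were busy during the run and whether any is outside the baseline.
    """
    by_host = defaultdict(list)
    for host, ts, cpu, proc in samples:
        by_host[host].append((datetime.fromisoformat(ts), cpu, proc))

    findings = {}
    for host, recs in by_host.items():
        recs.sort()
        run = []
        for _, cpu, proc in recs:
            if cpu >= threshold:
                run.append(proc)
                if len(run) >= min_consecutive:
                    findings[host] = {
                        "consecutive_samples": len(run),
                        "processes": sorted(set(run)),
                        "unexpected_process": any(p not in expected for p in run),
                    }
            else:
                run = []  # load dropped: the run is broken
    return findings


def overdue_hosts(patch_state, as_of, max_age_days=30):
    """Return hosts whose last patch run is older than max_age_days relative to as_of."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(h for h, d in patch_state.items() if datetime.fromisoformat(d) < cutoff)


def prioritise(samples, patch_state, as_of):
    """Hosts that are both running hot on an unexpected process and behind on patching go first."""
    hot = sustained_cpu_hosts(samples)
    overdue = set(overdue_hosts(patch_state, as_of))
    return sorted(h for h, f in hot.items() if f["unexpected_process"] and h in overdue)


if __name__ == "__main__":
    now = datetime(2018, 11, 24, 12, 0, 0)
    print("sustained load:", sustained_cpu_hosts(SAMPLES))
    print("patch overdue:", overdue_hosts(PATCH_STATE, now))
    print("investigate first:", prioritise(SAMPLES, PATCH_STATE, now))
```

On the constructed data web-01 is not reported: its one sample at 95 per cent is the kind of burst a Black Friday push produces and falls back to normal immediately. web-02 sits above 90 per cent for four consecutive samples, the busy process is outside the expected set, and its last patch is nearly four months old, so it comes out as the host to look at first. In production the samples would come from the monitoring system already used for capacity planning, which is the point: the cost signal the author mentions and the security signal are the same data.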

Ready, set, regulation

Retailers collect so much of their customers’ personal data that it is critical to understand the protection methods involved in keeping that information safe and secure. It’s no secret that the retail space is rife with risk, especially since the majority of retailers now operate online and take advantage of many modern tools and technologies, including the cloud.

With record-breaking data breaches hitting the news daily, retailers both big and small must take action to ensure that their security policies are aligned not only with payment and privacy regulations, but also with their customers’ expectations. Credit and debit card information is of course one of the personal items regularly traded online, but with the diverse set of personal data used to prove identity, all data tied to an individual is valuable.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle credit cards. PCI compliance demonstrates that retailers have control over the credit card information in their possession and that they can take steps to prevent data theft and fraud. It is required by law, which means any retailer that isn’t currently in line with PCI needs to take immediate steps to do so. The penalties for non-compliance are as high as $100,000 every month or $500,000 per security incident.

There are different levels of PCI compliance, and any organisation that takes payments for goods or services on the internet, even if the actual transaction is outsourced, must go through some level of assessment.

How retailers can achieve high levels of cybersecurity

It sounds daunting and never-ending, but it is required and, depending on your requirements, can be simplified through the appropriate application of business processes and security tools and services. Maintaining a good IT security posture is an ongoing task that requires action on the retailer’s part, and it can be largely automated. A modern IT security team of cybersecurity experts will consist of threat hunters and data analysts who predict how the most valuable data could be stolen and constantly look for signs that an intruder has gained access to the network. These expert cybersecurity skills are hard to find and expensive to hire. So, unless retailers are in the desirable position of being able to run a fully comprehensive cyber security system, with all the tools, technologies, threat intelligence and people that can keep customers and their data safe, they must establish priorities and best practices.

Dan Pitman, principal security architect, Alert Logic

Dan Pitman is Principal Security Architect at Alert Logic, which provides visibility, assessment, threat detection and response, and web application security, wrapped in a global SOC service, to organisations around the world.