Susan Bowen, Vice President and General Manager EMEA, Cogeco Peer 1 outlines the threats retailers face from cyber-attacks and the steps that can be taken to prevent them.
When it comes to cyber threats retailers are high on the target index, typically ranking just behind financial services, financial tech and media companies. This is because they hold a near unrivalled breadth and width of customer data that can be used in identity theft.
There’s a thriving underground market on the dark web for ID data with numerous sites and forums offering stolen credit card information, names, addresses, email details, driving license data, passport numbers, in fact anything that relates to someone’s personal information.
Retailers are a goldmine
From an attackers’ point of view retailers are a goldmine because they hold so much personal customer information. And this is increasing as retailers amass ever more customer data via online shopping, digital marketing and loyalty schemes.
According to the Cisco 2017 Annual Cybersecurity Report, nearly one in three retailers have suffered revenue losses as a result of a cyberattack. Research from Zynstra, an enterprise software company, canvassed both US and UK retailers and revealed that 16 percent of retailers said they experienced an attack or attempted attack every day.
The research also revealed that 11 percent of retailers said they responded two or three times a week to attacks and 64 percent said they dealt with cyber-attacks once a month.
The attack on US retailer Target four years ago was a watershed event for the industry. It ranks as one of the most high-profile attacks on a stock exchange listed retailer to date. It took a heavy toll on Target’s reputation among shoppers as well as leading to a plunging share price and sales and the company's chief executive falling on his sword.
It also sent shivers through retail boardrooms across both the US and Europe. Since then retailers have largely taken cyber security seriously and elevated its importance. This led to the introduction of measures such as separating cardholder data from the rest of a computer network and introducing password rotation policies and two-factor authentication.
These are all good steps but in some senses only treat the symptoms rather than the causes. Not only retailers, but many organisations, have about 25 security products from different vendors protecting different aspects of their operations whether its back-office database processing or front-end web operations.
Fraught with difficulties
This is incredibly difficult to manage properly. It’s a labour intensive process and for a small cybersecurity team is fraught with difficulties and can easily lead to oversights and vulnerabilities.
What is required is an almost back to basics approach in products are consolidated and a holistic security policy is developed covering three key risk management areas; protection, detection and correction.
If these three dynamics are used to inform the development of a security policy, that also incorporates physical security, it streamlines security management and makes cybersecurity easier and much less fraught.
Smart device compromise
A case in point is a recent event at a US retailer. Security guards responsible for physical security installed smart cameras connected to the internet. From their perspective, it gave them greater flexibility and enhanced physical security.
Or so they thought. An attacker identified the security cameras and hacked them. The attacker wasn’t interested in the cameras, rather that they provided back door entry to the company’s internal network. You can guess the rest.
If the security guards had a security policy for guidance they would have realised the smart cameras were potentially vulnerable to attack.
Managing the supply chain
It’s often the case that attackers actually hit their target by compromising providers in the supply chain and then working their way into a retailer’s systems.
To counter this, retailers need relationships with third parties that allow a certain degree of oversight to ensure that all the good security criteria such as audits, compliance requirements and security certifications are in place.
This helps establish all important trust in the supply chain. Retailers need to also revisit these relationships at regular intervals to ensure standards are being kept and new requirements incorporated.
A case in point is the introduction of the European Union’s General Data Protection Regulations (GDPR) that comes into effect in May, 2018. If customer data is leaked or lost in a hack a retailer faces a fine of up to £20 million or 4% of global turnover, whichever is the greatest.
Response to incidents
Implicit within a security policy and explicitly with GDPR is the need for an incident management process. This is a response plan for incidents that provides guidance on how to respond to attacks or the loss of data.
Retailers should have one in place as a matter of course but with GDPR the imperative is now much greater, given that an organisation only has two weeks from the point of discovering data loss to notifying customers. In the case of the Target attack this took nine months which gave cyber fraudsters more than enough time to exploit the stolen information.
Retailers will be compromised at some point, this is inevitable, but it’s a question of degree and the steps that can be taken to mitigate the impact. That is, the attack is identified in near real-time and steps taken to stop it.
Threats from phishing
One area where retailers particularly need to be on guard both in the present and future are phishing emails. These are becoming increasingly sophisticated, targeting specific individuals within a company and often purporting to come from someone within the organisation. However, they can be defended against by introducing techniques such as sandboxing for emails that isolates malware.
In summary, a retailer can both simplify and tighten cybersecurity by developing a risk management approach to all aspects of security which focuses on protection, detection and correction. This enables product consolidation and can also include outsourcing in areas such as infrastructure hosting. Taken together this dramatically reduces complexity, makes management much easier and ensures leading edge cybersecurity.
Susan Bowen Vice President and General Manager, EMEA at Cogeco Peer 1
Image Credit: Wavebreakmedia / Shutterstock