Retail cybersecurity is increasingly essential
Where in the past crime in the retail industry involved the theft of merchandise and money, it now focuses on the theft of data, particularly credit card information that retailers hold in large quantities.
Trustwave reports that in addition to the theft of credit card data, cybercriminals also have back-office systems in their sights, citing payroll and HR for direct access to company financial accounts and broader identity theft operations.
Furthermore, mobile apps and cloud storage increase retailers’ web presence, providing additional opportunities for cybercriminals seeking sensitive data to steal and sell, or encrypt and use in ransomware attacks.
These attacks join insider threats, such as copying data to portable media, and the exploitation of vulnerabilities in the retailers’ IT infrastructure. As many retailers’ infrastructures share similar characteristics, a successful attack on one can be leveraged to attack others.
Deloitte identifies the following reasons behind cybercriminals’ increased attacks against the retailer sector:
- Retailers possess large databases of credit card data.
- They rely increasingly on data-driven technologies, such as big data and sophisticated warehouse models, to improve efficiency and increase sales.
- Many retailers are becoming active in the healthcare and pharmacy businesses, and therefore possess more sensitive data.
- Buyers in developing countries are shifting from cash payments to electronic card payments.
Deloitte also identifies rising insider threats, due to:
- High employee turnover rates, including seasonal employees.
- Many stores and distribution centers.
- Business outsourcing to third parties.
Some experts also identify social engineering as a contributing factor which can lead to successful cyberattacks against retailers.
These threats highlight the importance of a well-planned data access control policy, ensuring that access to data is authorized only to those requiring it to execute their tasks.
Retail cybersecurity is of particular importance in the holiday season
A particularly sensitive time of year for retailers is the holiday season (defined as October 1 to December 31), when sales skyrocket, and which cybercriminals often exploit.
The Holiday Season Cyber Threat Trends report, issued in November 2022 by the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), examines the threat landscape facing the retail and hospitality sector during the holiday season.
The retailers reported that they were most worried about recurrent threats, with nearly 20% of those surveyed identifying phishing in particular as a threat not only in the holiday season but year-round. Of even greater concern, however, was the effect of the hostile activity: credential harvesting was the threat most frequently shared on the retail members’ exchange, at a rate of 42% in 2020 and 37% in 2021.
The RH-ISAC Holiday Season Cyber Threat Trends report also indicated that fraud using loyalty cards, and even more so, gift cards, was a concern, as these allow the perpetrators to remain anonymous.
Examining changes between 2020 and 2021, the report highlighted how quickly the threat landscape of the retail industry can evolve, with reference to malware, bots and vulnerabilities: some of the threats, such as QakBot, Emotet, Agent Tesla, and Dridex, remain a constant worry, while others, such as Log4Shell, emerge quickly and predictably.
Attacks in the retail sector, regardless of their origin or type, can cause severe harm to companies. Successful attacks, such as those in which large amounts of data are compromised, attract widespread negative publicity and damage the brand. Sales decrease; in the case of publicly traded companies, share prices drop for at least several months; and the loss of reputation also affects customer loyalty. Furthermore, additional costs may be incurred, for example, providing credit monitoring to affected customers (in some cases, millions of them) free of charge.
An additional cost that retailers risk incurring may result from non-compliance with the Payment Card Industry Data Security Standard (PCI DSS), issued by the PCI Security Standards Council (PCI SSC) to support safe payments worldwide. Retailers failing to adhere to this standard are not only at increased risk of suffering a successful cyberattack, but also risk fines from governments that require PCI DSS compliance.
Ransomware statistics demonstrating the need for retail cybersecurity
Verizon’s 2021 Data Breach Investigations Report is based on a survey of 435 IT decision-makers in the retail industry and focuses primarily on ransomware attacks. It identifies retail as the sector that suffered the most ransomware attacks in 2020 (tied with the education sector at the same percentage of attacks).
The Sophos report titled State of Ransomware in Retail 2021 stated that 44% of retailers suffered a ransomware attack in 2020, with their data encrypted in more than half the cases.
The 34% who did not experience a ransomware attack in 2020 expected to experience one the following year.
The report reveals that 99% of the 165 incidents of data disclosure in the retail sector were financially motivated, with payment data involved in many of the breaches and personal data in 40% of them. Credentials were the cybercriminals’ target in 33% of the cases.
- 44% of retailers sustained a ransomware attack in 2020.
- Only 9% of retailers who paid the ransom regained access to all of their encrypted data.
- Retailers who paid the ransom regained access to only 67% of their stolen data on average.
- Rectifying the harm caused by a ransomware attack cost $1.97M on average.