The retail sector is the most vulnerable and most targeted sector when it comes to cyberattacks. In fact, Trustwave’s 2018 Global Security Report found that 17% of all cyberattacks were targeted at retailers.
UK retailers aren’t targeted as heavily as their American counterparts, but major British retailers including Superdrug, Dixons Carphone, Cash Converters, Three and Vision Direct have all been breached over the past few years.
Cyber risks are increasing across all sectors, but retailers around the world consistently find themselves the unwanted recipient of threat actors’ attention. So why is retail such a popular target? And what can the industry do to protect itself?
Why is retail at risk?
Retailers are very appealing targets for cybercriminals.
The rise of ecommerce means that retailers now hold more customer data than ever before. Most major retailers will have online stores where customers create accounts in order to purchase products. Gaining access to these accounts can give access to Personally Identifiable Information and even bank details. Hackers who manage to access this customer data can then sell it on the ‘dark web’ in a practice known among cybersecurity professionals as ‘carding’.
To make matters worse, criminals who buy customer data will often use it to fraudulently buy products from online retailers. Knowing that customers will often reuse login credentials across multiple online domains, they will also take the credentials from one retailer and make automated login attempts across many different sites at once. This is known as ‘credential stuffing’. One team of security analysts found that 90% of retail login attempts were from hackers attempting to access other people’s accounts in this way.
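The credential-stuffing pattern described above has a recognisable shape in a retailer's own login logs: one source tries many different customer accounts, once each, and almost all of the attempts fail. The following Python detector is an added example written for this article, not code from the original page or from any of the retailers or analysts it mentions. The log format, IP addresses, usernames and thresholds are all constructed for illustration; a real deployment would read the web or identity provider's actual login audit log and tune the thresholds to its own traffic.

```python
"""Flag credential-stuffing behaviour in web login logs (illustrative example)."""
import re
from collections import defaultdict

# Constructed sample log: one line per login attempt. No real system produced these.
SAMPLE_LOG = "\n".join(
    [
        # A normal shopper IP: two different customers, both succeed.
        "2019-05-01T10:00:01Z ip=203.0.113.20 user=alice@example.com result=OK",
        "2019-05-01T10:02:14Z ip=203.0.113.20 user=carol@example.com result=OK",
        # A forgetful customer: several failures on ONE account, then success.
        # Repeated failures on a single account look like a typo or password
        # guessing, not stuffing, so this rule must not flag them.
        "2019-05-01T10:05:00Z ip=203.0.113.10 user=bob@example.com result=FAIL",
        "2019-05-01T10:05:09Z ip=203.0.113.10 user=bob@example.com result=FAIL",
        "2019-05-01T10:05:20Z ip=203.0.113.10 user=bob@example.com result=FAIL",
        "2019-05-01T10:05:31Z ip=203.0.113.10 user=bob@example.com result=FAIL",
        "2019-05-01T10:06:02Z ip=203.0.113.10 user=bob@example.com result=OK",
    ]
    # Stuffing pattern: one source tries MANY different accounts once each,
    # nearly all failing, with an occasional hit where a password was reused.
    + [
        f"2019-05-01T10:07:{i:02d}Z ip=198.51.100.7 user=cust{i:02d}@example.com "
        f"result={'OK' if i == 9 else 'FAIL'}"
        for i in range(12)
    ]
)

# Hypothetical log format: "<timestamp> ip=<addr> user=<name> result=OK|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into (ip, user, succeeded) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ip"], m["user"], m["result"] == "OK"))
    return events


def per_ip_stats(events):
    """Aggregate attempt count, distinct usernames and failure count per source IP."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "failures": 0})
    for ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if not ok:
            s["failures"] += 1
    return stats


def detect_stuffing(events, min_attempts=10, min_distinct_users=8, min_fail_ratio=0.5):
    """Return {ip: summary} for sources whose behaviour matches credential stuffing.

    The signature is many DISTINCT accounts from one source with a high failure
    ratio. The default thresholds are illustrative, not recommendations.
    """
    flagged = {}
    for ip, s in per_ip_stats(events).items():
        distinct = len(s["users"])
        fail_ratio = s["failures"] / s["attempts"]
        if (
            s["attempts"] >= min_attempts
            and distinct >= min_distinct_users
            and fail_ratio >= min_fail_ratio
        ):
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": distinct,
                "fail_ratio": fail_ratio,
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"possible credential stuffing from {ip}: {summary}")
```

Run as a script, the block reports only 198.51.100.7; the forgetful customer at 203.0.113.10 is left alone because all of their failures are on one account. Keying on source IP alone is the simplest form of this check and will miss attempts spread across many addresses, so in practice the same per-source aggregation is usually also run over other attributes (for example user-agent or device fingerprint) and combined with rate limiting and the customer-facing advice later in this article about not reusing passwords.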
Unsurprisingly, in-store and online payment processes are a common attack vector. Retailers are embracing technology such as mobile point-of-sale devices to make it easier for shoppers to pay in whatever way they please. But, researchers warn, the technology is being adopted faster than security standards can be updated and applied.
Finally, retailers often hire young and inexperienced staff who may not have had any cybersecurity training. This leaves them wide open to common ‘social engineering’ attacks such as ‘phishing’. This is when hackers contact staff directly to trick them into installing malware (usually by clicking on a link or attempting to open an attachment) or providing sensitive information (usually by pretending to be someone they’re not).
What should retailers do?
The first and most obvious thing is to hire an internal or external cybersecurity team to help create a cybersecurity policy that can cover the digital and physical assets you’re trying to protect. Large retailers will have internal networks for employees, public-facing domains for customers, internal offices for employees and public stores for customers.
Retail cybersecurity is complex: there are countless attack vectors to consider. The types of questions that will need to be answered are:
- What assets are we trying to protect?
- What are the threats against those assets, both within our organisation and via our suppliers?
- What policy is required in order to prevent these threats from becoming security incidents?
- How can we encourage our customers to maintain good cybersecurity (such as not reusing passwords)?
Coming up with sufficient answers to all of these questions requires deep expertise and plenty of time. So investment in cybersecurity talent is essential.
Compliance with the Payment Card Industry Security Council’s Data Security Standard (PCI DSS) and with GDPR is mandatory for all UK businesses that process payments or store consumer data. Failure to comply with either can result in serious penalties, as British Airways recently discovered. Failure to comply with PCI can also result in a permanent revocation of your licence to accept card payments, effectively terminating your business overnight. However, it’s worth noting that all of the major retailers who have been breached were compliant. Adhering to regulations is no guarantee of security. Regulations can form the baseline of your policy, but you also need to take a proactive approach to how you identify and mitigate risks.
Providing cybersecurity training is also important. This will ensure that all employees are aware of the threats, know how to deal with them and know what to do if they suspect an incident has occurred or could occur. Cybercriminals’ methods become more sophisticated with each passing year – gift card hacking and refund fraud are two emerging examples for retail – but social engineering attacks are still among the most common because they are so effective. It’s easier to fool a human than it is a piece of hardware or software. Humans make mistakes; we let our guard down.
The risk for retailers that don’t invest in improving their cybersecurity posture is three-fold. Firstly, there is a reputational risk. Consumers are more aware than ever of their privacy and the use of their data. Retailers who allow customer data to be lost and misused risk losing the trust of their customers. Once lost, this can be hard to recover. Secondly, there are the regulators. The ICO has proven that it is willing to enforce regulatory compliance through massive fines. Retailers that don’t comply or are found to have lax cybersecurity policies can be punished. Finally, there are the direct costs associated with the breach itself. One study found that the average cost of a data breach will exceed $150 million by 2020.
Hackers do their homework. They investigate targets before they strike. Retailers who don’t take cybersecurity seriously will be hit first and hit the hardest. As discussed, the best way to protect your organisation is by hiring cybersecurity experts who can help you create a robust cybersecurity policy and ensure that you comply with all necessary regulations.
Click here to see how we can help you find the right talent for your organisation.