How The Retail Industry Can Combat Threats and Raise Cybersecurity Resilience

Retail companies, which typically collect and store large amounts of sensitive customer information, including credit card numbers, personal addresses, and other financial data, are particularly juicy targets for cyber criminals. Phishing, ransomware, and misconfigurations are the most common threats we see affecting retail establishments.

In this analysis, I’m going to break down common threats, how to defend against each of them, and then provide insights into ways that retailers can improve cybersecurity resilience overall.

How to Defend Against 3 Common Retail Vulnerabilities

Due to their customer service orientation and the need for multiple connections to suppliers, many retailers struggle to implement effective cybersecurity measures and also often lack the resources or expertise to adequately protect their networks and data. The retail industry continues to be a prime target for cybercriminals looking to steal sensitive information and financial data. Let’s take a look at some of the common vulnerabilities seen in the retail industry and some ways to mitigate them.

Phishing

Phishing is an attack that involves the use of emails to trick individuals into clicking on a malicious link or providing information such as passwords or credit card numbers. Phishing comes in many forms, such as spoofed emails from a bank, or fake social media or online shopping websites. Phishing attacks are difficult to detect, as they often use sophisticated tactics to trick individuals into giving away their sensitive information. Retail companies often put an emphasis on customer service and communication with customers, which makes them particularly vulnerable to this type of attack.

Some of the steps retail companies can take to protect themselves from phishing attacks include educating employees about the risks of phishing, as well as using anti-phishing software and other security measures, such as multi-factor authentication, to protect sensitive data.

Ransomware

Ransomware is a growing type of attack that occurs when cybercriminals encrypt a company’s data and demand payment, or ransom, in exchange for the decryption key. These attacks cause significant disruptions to the retail company’s operations, as they are often unable to access their own data, which can lead to financial losses.

Ransomware attacks can be delivered through various means such as email attachments, infected websites, and software vulnerabilities. Once the malware is executed, it encrypts all the files on the infected computer and on any network shares that the computer has access to, making it impossible for the company to access its own data. The attackers then demand a ransom payment to provide the decryption key.

Retailers must be vigilant against ransomware attacks by executing regular backups, security updates and software patching, employee training, and incident response plans. Additionally, retailers should consider implementing anti-ransomware software that can detect and prevent malware from encrypting files in the first place.

Misconfiguration

One of the more common threats we see does not come from an outside attacker at all. Instead, it comes internally, from the information technology (IT) department. Misconfiguration of resources can pose a significant threat to retail companies. Misconfiguration can happen when IT staff or third-party vendors accidentally or unknowingly configure a system or network in a way that leaves it vulnerable to attack. For example, an improperly configured cloud storage container can create a vulnerability that can easily be exploited by an attacker, allowing unauthorized access to and theft of sensitive data.

Misconfigurations can also occur when the IT staff or third-party vendors fail to configure the necessary security settings after new software or updates are installed, leading to sensitive customer data and financial information being exposed or stolen.

Misconfigurations are hard to detect and often go unnoticed for long periods of time. To detect and prevent them, retail businesses must implement measures such as regular security assessments, vulnerability scanning, and incident response plans.
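The cloud storage example above is one of the easier misconfigurations to check for programmatically. The following is an added illustration, not code from the original article: it parses a bucket policy in the AWS S3 JSON layout and flags any unconditional Allow statement whose principal is a wildcard, which is exactly the grant that exposes a container to anonymous readers. The sample policy and bucket name are constructed for the example.

```python
import json

# Constructed sample policy (AWS S3 bucket-policy layout); it describes no
# real bucket. One scoped grant, two anonymous grants.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AnyoneList", "Effect": "Allow", "Principal": {"AWS": ["*"]},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})


def is_anonymous(principal):
    """True if a Principal element grants access to anyone ("*" forms)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def find_public_statements(policy_json):
    """Return Sids of unconditional Allow statements open to anonymous callers.

    Conditioned grants are skipped here: they may still be public but need a
    human to read the condition, so an audit should list them separately.
    """
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be unwrapped
        statements = [statements]
    flagged = []
    for stmt in statements:
        if (stmt.get("Effect") == "Allow"
                and is_anonymous(stmt.get("Principal"))
                and not stmt.get("Condition")):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    for sid in find_public_statements(SAMPLE_POLICY):
        print(f"anonymous access granted by statement {sid}")
```

Running this check over every bucket policy on a schedule turns the "regular security assessment" into a repeatable control rather than a one-off review.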

4 Ways to Increase Retail Security Resilience

There are some basic steps that retail companies can take that will increase their resilience against cyber attacks. Let’s take a look at some relatively easy ways that they can make themselves a less attractive target by hardening their infrastructure.

Multi-Factor Authentication

Multi-factor authentication (MFA) adds a powerful extra layer of protection to help deal with cyber threats. Multi-factor authentication requires users to provide multiple forms of identification before they can access sensitive information or systems. MFA typically involves two or more of the following:

  • something the user knows, with a password being a prime example
  • something the user has, such as a mobile phone or a security token
  • something the user is, such as a fingerprint or facial recognition.

If we think back to the high-profile breach of Target’s systems in 2013, stolen vendor credentials were used to gain access to the retailer’s systems. MFA can go a long way toward preventing this type of attack. Passwords are easily guessed, are often very weak, and can be stolen from our systems or from a third-party system.

MFA makes it much more difficult for attackers to gain unauthorized access, as they would need to possess multiple forms of identification rather than a single stolen password. This provides another layer of security in front of an organization’s most sensitive customer and financial data.


Security Updates

Security updates are another essential part of maintaining the security of retail companies’ networks and systems. These updates fix known vulnerabilities that can be easily exploited by attackers. Since these vulnerabilities are typically public knowledge, failing to apply security updates in a timely manner can leave an organization open to cyber attacks.

For example, in May 2017, the WannaCry ransomware attack rocked the cybersecurity world. Government agencies across the globe, as well as businesses such as Telefonica, FedEx, and Renault, were affected by this attack. A patch to prevent exploitation of this vulnerability was released by Microsoft nearly two months prior to the attacks taking place.

Solid policy and process are required to ensure that all software is kept up to date. Depending on the maturity of the environment and the criticality of the systems, this can be accomplished through automated updates or by having staff responsible for managing the update process.

It’s also important to keep in mind that in addition to keeping software and systems updated, the company should maintain an inventory of all software and hardware in use so their vulnerabilities and the potential impact of an attack can be evaluated. By staying current with security updates, retail companies can reduce the risk of successful cyber attacks and better protect sensitive customer data and financial information.

Employee Training

Employee training is also important for maintaining the security of retail companies’ networks and systems. Educating employees about the risks and consequences of cyber threats, as well as how to spot and avoid them, is critical to protecting sensitive customer data and financial information.

Employee training programs should cover topics such as phishing, social engineering, and password security, as well as the company’s security policies and procedures. Regular training and reminders can help employees stay aware of the latest threats and how to respond to them. Additionally, it’s important to train employees on how to report an incident, so they know what to do if they suspect a breach has occurred. This can help to minimize the damage caused by an attack and speed up the recovery process.

One important note: we are not trying to make all our staff cybersecurity experts. We are looking to provide employees with the knowledge and skills they need to identify and respond to cyber threats.

Zero Trust

For more mature organizations that are looking to take the next step in their cybersecurity journey, zero trust architecture may be for you. Zero trust is a security model that assumes that all users, devices, and networks are untrusted by default and must be verified before being granted access to sensitive data and systems. The zero trust model focuses on continuous verification of identity, device, and network security posture, as well as user behavior, to ensure that only authorized access is granted.

Retailers can implement zero trust by using technologies such as multi-factor authentication, network segmentation, device management, and security information and event management (SIEM). This approach also helps reduce the risk of successful cyber attacks by limiting their scope, and making it more difficult for attackers to move laterally within the network.

Conclusion

The large amounts of sensitive customer and financial data that characterize the retail business make this industry particularly vulnerable to cyber threats and attacks, and the fallout can be massive when a breach does occur because it can affect so many consumers — not to mention business partners.

Retailers should be vigilant against misconfigurations and other common vulnerabilities, which can leave the company vulnerable to cyber attacks. In addition, multi-factor authentication, regular security updates, and employee training should be considered low-hanging fruit to immediately increase security resiliency.
