Retail Cybersecurity: Threats, Statistics and Best Practices

 In 2020, U.S. consumers spent $861.12 billion on online retail transactions – 44% more than 2019. Clearly, consumers want to shop “differently.” To keep up with these expectations, many retailers have launched or revamped their e-commerce stores, offering services such as curbside pickup, to help meet the growing demand.   While these trends create great opportunities, they also generate new retail cybersecurity threats.

Retail Cybersecurity Statistics

Retailers have always been attractive targets for cyber attackers and data thieves. But now, cybersecurity issues in retail have become an even bigger concern. Consider these recent (2020) retail cybersecurity statistics: 

• 24% of cyberattacks targeted retailers, more than any other industry (Trustwave);
• 34% of retailers said cybersecurity worries were their primary hindrance in moving to e-commerce (BDO);
• 34% also said that cyber attacks or privacy breaches were their most serious digital threat (BDO);
• Financial motives drove cyber attackers in 99% of retail cyber attacks (Verizon 2020);
• When data is compromised in an attack, 42% is payment information and 41% is personally identifiable data (Verizon 2020).

Why Retail Cybersecurity Threats Happen

Retailers collect, process and store increasingly large amounts of customer data, including PII and credit card numbers. But this goldmine has a downside: bad actors who are looking to profit from selling it on the dark web. Furthermore, cloud-based storage and mobile apps are leaving a larger data presence on the web, leading to new threat vectors. 

Many retail businesses are a hybrid of brick-and-mortar and e-commerce. To manage this ecosystem, they use a mix of technologies (e.g. PoS in stores and cloud-based systems for e-commerce). However, this hybridisation also creates numerous e-commerce cybersecurity risks.

Other cybersecurity issues in retail are created by:
 

• Cloud-based botnets;
• Use of Near Field Communications (NFC) for payments;
• Software vulnerabilities;
• Lack of point-to-point encryption (P2PE) in PoS systems;
• Use of insecure third-party plugins.

To protect themselves and their customers, retailers must be aware of these threats. They must also have a good security team who can understand and think like threat actors, in order to anticipate possible attacks.

Retail Cybersecurity CHALLENGES TO LOOK OUT FOR

As the retail industry continues to move towards digitization and e-commerce, the need for a robust cybersecurity strategy is critical now more than ever. In this section we're taking a look at the top cybersecurity challenges in the retail industry and how companies can address them.

RISING THREATS

With the growth of e-commerce and digital marketing, the retail industry has seen an increase in threats against their businesses. One of the major challenges for the retail industry is the rise of automated threats. The 2022 Holiday Bad Bot Research found a 50% increase in bad bot traffic during the holiday shopping season. Other automated threats include credential stuffing, account takeover, gift card cracking, web and API scraping, fake account creation and inventory scalping. Third-party risk, insider threats, and social engineering attacks remain among the top threats in the retail industry. In addition, the threat of ransomware continues to be a cause for concern for retailers. In 2021, retail was the 2nd most targeted industry for ransomware attacks with 77% of organizations surveyed globally experiencing a ransomware attack. 

The retail industry is also increasingly relying on IoT devices to improve the customer experience and offer new features to shoppers. With the growth of the IoT, comes the risk of new threats. Approximately 84 percent of enterprises use IoT devices. Unfortunately, less than half have implemented the cyber-security measures to protect them. Hackers can access cutomers' purchase history, and track their movements through these devices. 

The most common cyber threats facing retailers today include: social engineering, web application attacks, and system intrusions, as per the 2022 Verizon DBIR.

PROTECTING SENSITIVE DATA

Retailers have access to a vast amount of customer data, including personal information, credit card details, and purchasing history. Today, retailers store more personal information than ever before, creating a significant security risk. Protecting this data from unauthorized access or theft is critical to maintaining customer trust. Cybercriminals see this data as a valuable target, and a data breach can have serious consequences for both the retailer and the customers.

According to Verizon's 2022 Data Breach Investigations Report, the retail industry experienced 629 incidents in 2022 out of which 241 confirmed data breaches. And the main motive of these incidents was to steal customer data for financial gain. Some of the strategies businesses can implement to protect sensitive data include data encryption, network segmentation, identity and access management, zero trust, and integrating automation into their security programs. 

BALANCING SECURITY WITH OPERATIONAL EFFICIENCY

Balancing security with operational efficiency is also a significant challenge for retailers. Retailers must ensure that their security measures do not impede day-to-day operations or cause unnecessary disruptions to customer experiences. Retailers must strike a delicate balance between robust security measures and operational efficiency. This can be achieved by implementing security solutions that are designed to integrate seamlessly with existing operations and workflows, and by providing comprehensive training to employees to ensure that they understand and can comply with security policies and protocols.

Types of Retail Cybersecurity Threats

PHISHING SCAMS

In a phishing attack, a threat actor sends fake emails that mimic emails from legitimate sources. If a victim clicks on the malicious link or attachment within the email, the attacker can steal their information, or install malware on their system to cause further damage.

RANSOMWARE

Threat actors actively exploit vulnerabilities in retailer networks to install ransomware . This allows them to encrypt systems and bring transactions to a standstill, until the retailer pays a ransom. This can lead to huge financial losses, and also damage the retailer’s reputation.

DATA BREACHES

Customer information, particularly payment card data and PII, are big-ticket items that hackers sell in underground markets for huge payouts. To steal this data, they often use stolen credentials to disguise themselves as legitimate users.

ATTACKS ON IOT DEVICES, PAYMENT SYSTEMS AND MACHINE LEARNING SYSTEMS

In the post-COVID environment, many online retailers are investing in contactless transaction technologies that use IoT to process payments. These technologies help to protect human health, but they also introduce new cyber risks. In 2020, 9 of the top 10 exploits targeted IoT devices. (Fortinet)

 Machine Learning- and Artificial Intelligence-based systems also create cybersecurity risks. Attackers deploy intricate systems of bots to harvest data like credit card information or credentials.

ADVANCED PERSISTENT THREATS (APT)

Many retailers are now increasing their digital footprint, adopting more cloud-based services, deploying more complex IT stacks and managing large, geographically distributed networks.

These factors widen their attack surface and make it more likely that APTs will persevere in their systems for longer. APT groups will even frequently distribute malware via email to move laterally across networks.

Retail Cybersecurity Best Practices

The retail industry is subject to a variety of regulations that govern the collection, use, and protection of personal information. Compliance with these regulations is crucial for retail stores to maintain their customers' trust and avoid potential legal and financial consequences. In this section, we will discuss some of the key regulations that apply to the retail industry and why compliance is important.

Payment Card Industry Data Security Standard (PCI DSS) PCI DSS is a set of security standards that govern the processing, storage, and transmission of payment card data. All retail stores that accept payment cards, including credit and debit cards, must comply with these standards. Failure to comply can result in fines, legal action, and damage to the store's reputation. PCI DSS compliance helps ensure that payment card data is protected from theft, fraud, and unauthorised access.  The latest version of PCI DSS, v4.0 has important changes that affect retailers. Check out our PCI DSS v4.0 blog post for more information. 

General Data Protection Regulation (GDPR): GDPR is a European Union regulation that sets strict rules on the collection, processing, and storage of personal data. Any retail store that processes personal data of EU residents must comply with this regulation, regardless of their location. Failure to comply with GDPR can result in fines of up to 4% of the store's global annual revenue. GDPR compliance is important to protect customers' personal data and maintain their trust.

California Consumer Privacy Act (CCPA): CCPA is a California state law that gives consumers more control over their personal information. Any retail store that sells goods or services to California residents and meets certain criteria must comply with this law. Failure to comply can result in fines, legal action, and damage to the store's reputation. CCPA compliance helps ensure that consumers' personal information is protected and that they have control over how it is used.

Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a federal law that governs the collection, use, and protection of individuals' health information. Retail stores that sell health-related products or services, such as pharmacies and medical supply stores, must comply with HIPAA if they collect, store, or transmit individuals' health information. Failure to comply can result in fines, legal action, and damage to the store's reputation. HIPAA compliance helps ensure that individuals' health information is protected from unauthorised access and disclosure.

Additionally, retail business can also utilize frameworks such as NIST and ISO 27001 to understand their security posture and implement improvements. These frameworks provide the necessary guidelines that businesses can follow to achieve and maintain compliance.

Retail Cybersecurity Best Practices

 E-commerce companies work with numerous vendors to support different aspects of their operations. A single vulnerable access point at one vendor could lead to a supply chain attack, jeopardizing the retailer’s cybersecurity posture.  If you want to know more about Supply Chain Attacks, download our guide here.

ENCRYPT ALL SENSITIVE DATA

Ideally, sensitive data (e.g. credit card numbers) should not be retained. However, if retention is a must, then all data must be encrypted, whether at rest or in transit. To balance the need for privacy with ease of use, homomorphic encryption (which allows calculations to be executed on encrypted data) is often employed.

SEGMENT THE RETAIL NETWORK

Network segmentation can keep POS details, PII and customer financial information safe. Network monitoring tools should monitor each segment for signs of lateral movement, APTs, and breach attempts.

PERFORM REGULAR DATA BACKUPS

To minimize the potential for data loss following a ransomware or phishing attack, it’s critical to regularly back up all data from the e-commerce website, POS systems, and other applications. The backup process can be automated with the help of a Managed Service Provider (MSP).

DEPLOY POS MALWARE

An anti-malware solution must be implemented on the entire retail network, especially on POS systems. Timely security patches must also be implemented on all software and applications used by the company.

IMPLEMENT MULTI-FACTOR AUTHENTICATION (MFA)

To keep customer data safe from phishing attacks or account takeovers, MFA must be implemented. It’s also important to select an e-commerce platform that complies with the Payment Card Industry Data Security Standard (PCI-DSS).

IMPLEMENT ZERO-TRUST ACCESS (ZTA)

The ZTA approach controls user and device identity and access. Its “trust no one” philosophy can boost cybersecurity effectiveness for retailers.

SECURITY TRAINING

Over the past 2 years, insider threats in the retail industry have grown by 38% (IBM). Moreover, 81% of malicious breaches start with compromised passwords. This is why training employees on cybersecurity best practices (including password hygiene) is essential.

E-COMMERCE CYBERSECURITY

BIGGEST SECURITY THREATS FOR THE E-COMMERCE INDUSTRY

While e-retailing refers to the activities associated with selling retail products and services over the internet, e-commerce encompasses a wider range of activities such as online transactions, supply chain management, mobile commerce and much more.

The threat landscape for e-commerce is changing fast and constantly. It continues to be the industry that is most vulnerable to cyberattacks, experiencing 32.4% attacks in different forms. While more than half (54%) of the companies in the industry have suffered at least one or more successful cyberattacks, only 38% of them were able to handle the attacks successfully.

Listed below are few of the many threats that continue to torment the e-commerce industry:

FINANCIAL FRAUDS

Financial frauds are a prevalent e-commerce threat. The two most common types of financial frauds are credit card frauds and return and refund frauds. When an attacker uses stolen credit card information to make a purchase on your website, it is known as a credit card fraud. Another type of credit card fraud is when the scammer steals your personal information in order to get a new credit card. Hackers will also sometimes submit false return requests in an attempt to get a refund.

BOTS

Sometimes, hackers will create special bots that are designed to scrape your website for merchandise and price data. Such hackers are usually competitors of your business or retailers who use this information to sell the same products at a different price to customers. For instance, sneaker bots are used to scrape websites and purchase limited edition inventory quickly. This stock is then resold at much higher prices to consumers, which eventually leads to loss of trust in the original seller, and a damaged brand reputation.

DDOS ATTACKS

DDoS attacks have caused severe damages to e-commerce businesses, resulting in disruptions in total sales and in their website performance. During such attacks, your website typically receives a massive influx of requests from several untraceable IP addresses, causing the website to crash and eventually become unavailable to your customers.

SECURITY SOLUTIONS TO SECURE YOUR E-COMMERCE WEBSITE

HTTPS AND SSL CERTIFICATES

In addition to securing your customers’ personal and sensitive information online, HTTPS protocols also help in improving your website’s ranking on Google’s search results. They accomplish this by protecting the data transferred between the user’s device and the servers from any interception by bad actors. Additionally, digital certificates like the Secure Sockets Layer (SSL) validate the identity of the website and allow for an encrypted connection between the web browser and web server.

SECURE SERVER AND ADMIN PANEL

Always make sure to secure server connections. An SSL certificate helps to do this. Additionally, you can establish strong password rules and a strict access control policy. On the admin panel, each user should only perform the tasks assigned to them. Further, enable notifications to keep track of who’s trying to access it and from where. 

SECURE PAYMENT GATEWAY

If your business stores or collects cardholder data, you need to do everything possible to protect this information. Ensure that you are PCI DSS compliant in order to minimize the risk of payment data frauds, and maintain the latest data security standards.

Conclusion

For the most part, the shift to e-commerce is a welcome move for retailers. However, this pivot is also endangering e-commerce cybersecurity. Fortunately, there are ways to stay ahead of such cybersecurity challenges in retail. In the increasingly digitalised post-COVID world, retailers must improve their awareness of both risks and safeguards.