In 2020, U.S. consumers spent $861.12 billion on online retail transactions – 44% more than 2019. Clearly, consumers want to shop “differently.” To keep up with these expectations, many retailers have launched or revamped their e-commerce stores, offering services such as curbside pickup, to help meet the growing demand.
While these trends create great opportunities, they also generate new retail cybersecurity threats.
Retail Cybersecurity Statistics
Retailers have always been attractive targets for cyber attackers and data thieves. But now, cybersecurity issues in retail have become an even bigger concern. Consider these recent (2020) retail cybersecurity statistics:
- 24% of cyberattacks targeted retailers, more than any other industry (Trustwave)
- 34% of retailers said cybersecurity worries were their primary hindrance in moving to e-commerce (BDO)
- 34% also said that cyber attacks or privacy breaches were their most serious digital threat (BDO)
- Financial motives drove cyber attackers in 99% of retail cyber attacks (Verizon 2020)
- When data is compromised in an attack, 42% is payment information and 41% is personally identifiable data (Verizon 2020)
Why Retail Cybersecurity Threats Happen
Retailers collect, process and store increasingly large amounts of customer data, including PII and credit card numbers. But this goldmine has a downside: bad actors who are looking to profit from selling it on the dark web. Furthermore, cloud-based storage and mobile apps are leaving a larger data presence on the web, leading to new threat vectors.
Many retail businesses are a hybrid of brick-and-mortar and e-commerce. To manage this ecosystem, they use a mix of technologies (e.g. PoS in stores and cloud-based systems for e-commerce). However, this hybridization also creates numerous e-commerce cybersecurity risks.
Other cybersecurity issues in retail are created by:
- Cloud-based botnets
- Use of Near Field Communications (NFC) for payments
- Software vulnerabilities
- Lack of point-to-point encryption (P2PE) in PoS systems
- Use of insecure third-party plugins
To protect themselves and their customers, retailers must be aware of these threats. They must also have a good security team who can understand and think like threat actors, in order to anticipate possible attacks. Let’s take a look at a few of the most common types.
Types of Retail Cybersecurity Threats
In a phishing attack, a threat actor sends fake emails that mimic emails from legitimate sources. If a victim clicks on the malicious link or attachment within the email, the attacker can steal their information, or install malware on their system to cause further damage.
Threat actors actively exploit vulnerabilities in retailer networks to install ransomware. This allows them to encrypt systems and bring transactions to a standstill, until the retailer pays a ransom. This can lead to huge financial losses, and also damage the retailer’s reputation.
Customer information, particularly payment card data and PII, are big-ticket items that hackers sell in underground markets for huge payouts. To steal this data, they often use stolen credentials to disguise themselves as legitimate users.
Attacks on IoT Devices, Payment Systems and Machine Learning Systems
In the post-COVID environment, many online retailers are investing in contactless transaction technologies that use IoT to process payments. These technologies help to protect human health, but they also introduce new cyber risks. In 2020, 9 of the top 10 exploits targeted IoT devices. (Fortinet)
Machine Learning- and Artificial Intelligence-based systems also create cybersecurity risks. Attackers deploy intricate systems of bots to harvest data like credit card information or credentials.
Advanced Persistent Threats (APT)
Many retailers are now:
- Increasing their digital footprint
- Adopting more cloud-based services
- Deploying more complex IT stacks
- Managing large, geographically distributed networks
These factors widen their attack surface and make it more likely that APTs will persevere in their systems for longer. APT groups will even frequently distribute malware via email to move laterally across networks.
Supply Chain Attacks
E-commerce companies work with numerous vendors to support different aspects of their operations. A single vulnerable access point at one vendor could lead to a supply chain attack, jeopardizing the retailer’s cybersecurity posture.
If you want to know more about Supply Chain Attacks, watch our webinar below:
Retail Cybersecurity Best Practices
Here are some ways to address cybersecurity issues in retail, or at least mitigate their impact:
Encrypt all Sensitive Data
Ideally, sensitive data (e.g. credit card numbers) should not be retained. However, if retention is a must, then all data must be encrypted, whether at rest or in transit. To balance the need for privacy with ease of use, homomorphic encryption (which allows calculations to be executed on encrypted data) is often employed.
Segment the Retail Network
Network segmentation can keep POS details, PII and customer financial information safe. Network monitoring tools should monitor each segment for signs of lateral movement, APTs, and breach attempts.
Perform Regular Data Backups
To minimize the potential for data loss following a ransomware or phishing attack, it’s critical to regularly back up all data from the e-commerce website, POS systems, and other applications. The backup process can be automated with the help of a Managed Service Provider (MSP).
Deploy POS Malware
An anti-malware solution must be implemented on the entire retail network, especially on POS systems. Timely security patches must also be implemented on all software and applications used by the company.
Implement Multi-factor Authentication (MFA)
To keep customer data safe from phishing attacks or account takeovers, MFA must be implemented. It’s also important to select an e-commerce platform that complies with the Payment Card Industry Data Security Standard (PCI-DSS).
Implement Zero-Trust Access (ZTA)
The ZTA approach controls user and device identity and access. Its “trust no one” philosophy can boost cybersecurity effectiveness for retailers.
Over the past 2 years, insider threats in the retail industry have grown by 38% (IBM). Moreover, 81% of malicious breaches start with compromised passwords. This is why training employees on cybersecurity best practices (including password hygiene) is essential.
For the most part, the shift to e-commerce is a welcome move for retailers. However, this pivot is also endangering e-commerce cybersecurity. Fortunately, there are ways to stay ahead of such cybersecurity challenges in retail. In the increasingly-digitized post-COVID world, retailers must improve their awareness of both risks and safeguards.
Evolve’s threat intelligence tools provide a strong bulwark against retail cybersecurity threats. Click here to know more.