Cybersecurity Challenges in the Retail Industry
Retailers handle valuable information, specifically customer data (including personally identifiable information or PII) and credit card numbers. As a result, they are prime targets for cybercriminals, who then sell this valuable information on the dark web.
To protect themselves and their customers, it is vital that retailers consider the risks associated with a cyber attack and take measures to mitigate them or at least minimize any damage that might result from an attack.
How do bad actors get access?
One common form of attack is phishing, a type of social engineering using electronic communications such as email or text to fool employees into surrendering their network logins voluntarily. Phishing usually contains an element of fear to urge the victim to act quickly before thinking things through. For example, a text message from someone posing as a high-ranking company executive might state that there is a severe problem with one of the servers and ask the employee to furnish access credentials “right away.”
But phishing is just one method of infiltrating a company’s network. Another technique exploits known hardware and software vulnerabilities of commonly used business applications. With many different kinds of business applications and devices operating in a retail store and many connected to the internet, there is a good chance a knowledgeable hacker could find a weak spot in one of the devices. Even if the manufacturer has corrected the vulnerability, the business is still at risk until the fix has been installed on their equipment.
Brute force attacks leverage frequently used passwords and stolen usernames in different combinations to crack into the victim’s accounts. Hackers also use credential stuffing, a type of brute force technique that uses stolen username/password combinations on multiple sites, based on the theory that many people reuse the same login credentials for all their accounts, financial or otherwise.
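The difference between the two patterns is visible in login logs. The following is an added example, not part of the original article, that labels each source address by how its failed logins are distributed; the event format, the thresholds, and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed login events: (source_ip, username, outcome). IPs are documentation ranges.
SAMPLE_EVENTS = (
    [("203.0.113.10", u, "fail") for u in ("alice", "bob", "dave", "erin", "frank", "grace")]
    + [("203.0.113.10", "carol", "ok")]        # one replayed pair was valid
    + [("198.51.100.7", "admin", "fail")] * 8  # repeated guesses at one account
    + [("192.0.2.44", "heidi", "fail"), ("192.0.2.44", "heidi", "ok")]  # ordinary typo
)


def classify_sources(events, min_failures=5, max_tries_per_account=2):
    """Label source IPs by failed-login pattern (thresholds are assumptions)."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for ip, user, outcome in events:
        if outcome == "fail":
            failures[ip].append(user)
        else:
            successes[ip].add(user)

    report = {}
    for ip, users in failures.items():
        if len(users) < min_failures:
            continue  # too few failures to call it an attack
        accounts = len(set(users))
        tries_per_account = len(users) / accounts
        # Stuffing: many accounts, about one try each. Brute force: many tries per account.
        spread = accounts >= min_failures and tries_per_account <= max_tries_per_account
        report[ip] = {
            "label": "credential_stuffing" if spread else "brute_force",
            "failures": len(users),
            "accounts": accounts,
            # Accounts this source logged into: force a password reset on these.
            "reset_passwords": sorted(successes.get(ip, set())),
        }
    return report


if __name__ == "__main__":
    for ip, finding in classify_sources(SAMPLE_EVENTS).items():
        print(ip, finding)
```

The `reset_passwords` list matters most in practice: a source that fails against many accounts and succeeds on one has most likely found a reused password.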
Sadly, internal threats exist as well. Employees, contractors, vendors, and even executive management with access to sensitive information can be a source of a data breach. Conditional access policies, segregation of duties, and periodic access reviews can help reduce incidents of internal threats.
According to Verizon’s 2023 Data Breach Investigations Report, 88% of the cyberattacks against retailers were from system intrusion, social engineering, or basic web application attacks, and nearly 100% of the attacks against retailers were motivated by financial gain. In addition, 74% of all breaches included the human element through error, privilege misuse, use of stolen credentials, or social engineering.
What do bad actors do once they have access?
Cybercriminals use various techniques to steal information or disrupt operations for businesses. Some of the more common attacks are:
- Information theft – Most cybercriminals want to steal PII and credit card information to sell.
- Malware/Virus – Cybercriminals use malware and viruses to delete or corrupt company data to disrupt operations.
- Ransomware – Cybercriminals corrupt the company’s information and force them to pay a specified ransom to regain their original, uncorrupted data.
Threats to eCommerce merchants
As the eCommerce industry booms, so do the threats by cybercriminals. Here are some of the common threats for eCommerce:
- Fraudulent credit – Bad actors use stolen credit cards to make purchases from online businesses. Another technique is to leverage stolen PII to acquire a credit card.
- Falsified returns – Hackers will submit fraudulent product return requests to get the company to provide a refund.
- Distributed Denial of Service (DDoS) attacks – In a DDoS attack, an attacker controls many computers and digital devices that have been infected with malware and directs them to send repeated requests to a target server on the internet. The target server becomes so burdened with answering these requests that it denies service to legitimate users. This attack often brings down a company’s website or eCommerce platform.
- Bot attacks – Automated bots can emulate a human being interacting with an eCommerce site (including mouse actions) to hijack a victim’s account and begin making fraudulent purchases using that account.
How can you protect yourself from cyberattacks?
Generally, every company will be a cyberattack victim at some point. The goal is to be prepared and minimize the impact of an attack should one occur. Here are some techniques to help bolster your network security:
- Encrypt sensitive data – In a data breach, data encryption dramatically reduces the chance that cybercriminals can use the data.
- Segment the network – Setting up separate networks isolates an intruder to only one part of the network rather than all the devices in the company.
- Back up your data frequently and test your backups – Frequent backups ensure that, in the event of a malware or ransomware attack, the company can restore its system to a recent state with minimal interruption to operations. Hackers often plant a virus and then wait weeks or months to activate it, so keep your backups for an extended period of time, long enough to reach back to a point before the intrusion occurred. Another important point is to practice restoring your system from your backups.
- Use multi-factor authentication – Multi-factor authentication (MFA) uses multiple login methods to authenticate a user. One of the most common forms of MFA is accepting a username and password as a login and then sending the user an email or text message with a code to verify the login.
- Implement zero-trust measures – Zero trust assumes every attempt to access a device is a potential threat. It enforces logins for everyone whenever they attempt to access a network or a device.
- Cybersecurity awareness training for all employees – As cybercriminals become more sophisticated at phishing-type fraud to gain access within your network, training your employees to spot fraudulent attacks is critical. Cybersecurity training is one of the most cost-effective ways to minimize cyberattacks against the company.
- Hold regular access reviews – Cyber criminals often target individuals with privileged access (“the keys to the kingdom”) to move freely among the company’s systems. Companies should hold regular access reviews and turn off privileges for employees, vendors, and contractors who no longer need them.
To help guide retailers in cybersecurity and fraud prevention, the National Retail Federation (NRF) has established the Center for Digital Risk and Innovation.
Find out more
To learn more about cybersecurity threats and ways to combat them, download our eBook, Cybersecurity and Countermeasures: Protecting your company from external and internal threats. Contact us to learn more about how ArcherPoint’s Managed IT services can help you keep your network secure.