The holiday shopping season has begun in earnest. While retailers are focused on jockeying for an estimated $1.5 trillion in sales this year (and that’s just for the US), their hard work may come to naught it not enough attention is paid to cybersecurity.
Why? Because this is the best of times and the worst of times for retail IT teams. The busiest time of the year for customers is also a magnet for cybercriminals. And while it might be too late at this stage to introduce wholesale changes to your security policies, it doesn’t hurt to take a fresh look at where the biggest threats are, and which best practices can help neutralize them.
Why retail, why now?
Retailers have long been singled out for special treatment by cybercriminals. And the busiest shopping period of the year has long represented a golden opportunity to strike. But why?
- Retailers hold highly monetizable personal and financial information on their customers. Just think of all those card details. It’s no surprise that all (100%) of the retail data breaches analyzed by Verizon over the past year were driven by a financial motive.
- The holiday shopping season is the most important time of the year for retailers from a revenue perspective. But this means they’re more exposed to cyberthreats like ransomware or distributed denial-of-service (DDoS) designed to extort money by denying service. Alternatively, competitors might launch DDoS attacks to deny their rivals vital custom and revenue.
- Being the busiest time of the year means that employees, especially stretched IT teams, are more focused on supporting the business make as much revenue as possible than looking out for cyberthreats. They might even tweak internal fraud filters to allow larger purchases to be approved without scrutiny.
- Retailers increasingly rely on digital systems to build out omni-channel commerce experiences, including cloud-based business software, in-store IoT devices and customer-facing mobile applications. In so doing, they are (often unwittingly) expanding the potential attack surface.
Let’s not forget that one of the world’s biggest ever recorded data breaches took place and was announced during the holiday season in 2013, when hackers stole 110 million customer records from US retailer Target.
What are the biggest cyberthreats to retailers this holiday season?
Not only do retailers have to defend a larger attack surface, they must also contend with an increasingly large variety of tactics, techniques and procedures (TTPs) from a determined set of adversaries. The attackers’ goals are either to steal customer and employee data, extort/disrupt your business through DDoS, commit fraud, or use bots to gain a competitive advantage. Here are some of the main retail cyberthreats:
- Data breaches could stem from stolen/cracked/phished employee credentials or vulnerability exploitation, especially in web applications. The result is major financial and reputational damage which may derail growth plans and revenue.
- Digital skimming (i.e., Magecart attacks) occurs when threat actors exploit vulnerabilities to insert skimming code directly on your payment pages or via a third-party software supplier/widget. Such attacks are often hard to spot, meaning they could do untold damage to reputation. These accounted for 18% of retail data breaches last year, according to Verizon.
- Ransomware is one of the top threats for retailers, and during this busy season threat actors may up their attacks in the hope more businesses are prepared to pay to get their data back and decrypted. SMBs in particular are in the crosshairs, as their security controls may be less effective.
- DDoS remains a popular way to extort and/or disrupt retailers. Last year, the sector was on the receiving end of nearly a fifth (17%) of these attacks – a 53% year-on-year (YoY) rise, with peaks spotted during Black Friday.
- Supply chain attacks might be targeted at a digital supplier such as a software company or even an open source repository. Or they may be aimed at more traditional businesses in professional or even cleaning services. The Target breach was made possible when hackers stole network credentials from an HVAC supplier.
- Account takeovers (ATOs) are typically enabled by stolen, phished or cracked credentials. It could be the start of a major data breach attempt, or it could be aimed at customers, in credential stuffing or other brute force campaigns. Typically, malicious bots are used here.
- Other bad bot attacks include scalping (where rivals buy up in-demand goods for resale at a higher price), payment/gift card fraud, and price scraping (enabling competitors to undercut your prices). Malicious bots comprise around 30% of all internet traffic today, with two-thirds of UK websites unable to block even simple attacks. There was an estimated 50% increase in bad bot traffic in the 2022 holiday season.
- APIs (Application Programming Interface) are at the heart of retail digital transformation, enabling more connected and seamless customer experiences. But vulnerabilities and misconfigurations can also provide an easy route for hackers to customer data.
How retailers can defend themselves against cyber risks
In response, retailers need to balance security with employee productivity and business growth. That’s not always an easy calculation, especially with the high cost of living putting an ever-greater pressure on profit-seeking. But it can be done. Here are 10 best practices to consider:
- Regular staff training: This should go without saying. Ensure your employees can spot even sophisticated phishing attacks and you’ll have a handy last line of defense in place.
- Data audit: Understand what you have, where it’s stored, where it flows and how it’s protected. This should be done in any case as part of GDPR compliance.
- Strong data encryption: Once you’ve discovered and classified your data, apply strong encryption to the most sensitive information. This should be done on a continuous basis.
- Risk-based patch management: The importance of software patching can’t be understated. But the sheer number of new vulnerabilities published each year can be overwhelming. Automated risk-based systems should help to streamline the process and prioritize the most important systems and vulnerabilities.
- Multi-layered protective security: Consider anti-malware and other capabilities at a server, endpoint, email network and cloud layer, as a preventative barrier to cyberthreats.
- XDR: For threats that manage to circumvent preventative controls, ensure there’s strong extended detection and response (XDR) working across multiple layers, including to support threat hunting and incident response.
- Supply chain security: Audit all suppliers, including digital partners and software vendors, to ensure their security posture is in line with your risk appetite.
- Strong access controls: Password managers for strong, unique passwords and multi-factor authentication are a must for all sensitive accounts. Along with XDR, encryption, network segregation and preventative controls they form the basis of a Zero Trust security approach.
- Disaster recovery/business continuity planning: Reviewing plans will help to ensure the right business processes and technology tooling is in place.
- Incident response planning: Ensure your plans are watertight and regularly tested, so every stakeholder knows what to do in a worst-case scenario and no time is wasted in responding to and containing a threat.
For the vast majority, if not all, retailers, PCI DSS compliance will also be an essential requirement for business. Consider this an opportunity rather than a burden. Its detailed requirements will help you build a more mature security posture, and minimize risk exposure. Technologies like strong encryption can also help to reduce the cost and administrative burden of compliance. Happy holidays.