The hot currency for cyber-criminals and hackers is credit card data, and retailers possess a great deal of it. This means that the retail industry is often targeted by cyber attacks attempting to obtain consumer’s financial information. With more retailers developing their online presence, the steady shift to electronic payment options, and harnessing data-driven technologies, the retail industry’s attack surface is spreading. With industry giants, like Macy’s, Best Buy and Tim Horton’s, in the news for point-of-sale (POS) attacks, the retail industry needs to ensure its cyber offence and defence are at the top of their game.
Cyber Attacks are Bad for Business
According to a study by KPMG, 19 percent of consumers would stop shopping at a retailer after a data breach, and 33 percent would take a break from shopping at that store for an extended period. Many retail breaches are caused by either insider threats or flaws in POS systems that are then taken advantage of by threat actors.
Insider Threats
With a high rate of employee turnover and dependence on short-term seasonal staff, insider threats in the retail industry are on the rise.
Be sure to carefully plan and monitor employee and third-party contractor’s system access. Ensure that their access is limited, tied only to their job functions. Accessing various data fields must be carefully planned due to potential data aggregation. Data aggregation is piecing together what seems like unimportant data from multiple sources to create sensitive data.
The World of POS Malware
The recent Verizon Data Breach Investigations Report shows that POS terminals were the second most-attacked network asset behind database servers. The report also showed financial gains motivated 97 percent of threat actors targeting the retail industry.
One of the newest threats is POS malware DMSniff, which has been lurking in the cyber-wilderness since 2016 but was only recently recognized. DMSniff is hard to detect malware that targets small to medium-sized companies that rely on card present transactions (retail, restaurants). One of DMSniff’s features is that it uses a Domain Generation Algorithm to create command and control domains spontaneously, which makes it resistant to blocking and takedowns.
The goal for hackers deploying DMSniff is to siphon off credit card numbers and other payment information. It appears that DMSniff gains an initial foothold on devices by either scanning for, and then exploiting vulnerabilities, or brute-force SSH connection attacks.
Cybersecurity is Good for Business
Cybersecurity is a new competitive advantage in the retail industry; yet, very few retailers are leveraging this opportunity. A 2018 study, of 6,120 consumers in nine countries, reported: “The traditional perspective that cybersecurity and data protection is an overhead cost needs to change.” In fact, the report goes on to state, “it is an effective means to gain competitive advantage for retailers since it plays an important role in consumers’ minds when they choose their retailers. Cybersecurity and data protection also drive satisfaction and win consumers’ trust. As a result, it can make a positive impact on top-line revenue for retailers.”
The study showed that 77 percent of respondents saw cybersecurity as the third most important factor when selecting retailers, “even outranking attributes such as discounts and brand reputation.” The same survey showed that the number of satisfied retail customers more than doubled when they knew their primary retailer had implemented sound cybersecurity measures and that their privacy was protected.
Also, almost 40 percent of customers would be willing to spend 20 percent or more online if the retailer built-up consumer trust by giving them cybersecurity assurances. Revenue uplift could be as significant as 5.4 percent annually, with enhanced data protection and cybersecurity.
According to the survey, the top five cybersecurity capabilities that are linked to consumer satisfaction are:
Encryption of stored data
A clear and transparent data privacy policy
Use of advanced anti-malware tools for online shopping
Control on what customer data the retailer can store and for how long
Advanced encryption on web sites and apps
“Today’s consumers are confident online shoppers and savvy about their consumer rights. They value cybersecurity highly, and they want to shop with retailers they can trust,” stated Geert van der Linden, Cybersecurity Business Lead, Capgemini. “It’s the right time for retailers to consider cybersecurity as a business priority at executive leadership level.”
Making Retail Cyber-Resilient
It is essential to understand that any device that connects to the Internet can be hacked: If it’s connected, it’s vulnerable, even if it’s as seemingly innocent as a seasonal employee’s smartphone. Any organization, across any sector, is susceptible to a cyber attack. For a skilled cybercriminal, all it takes to jeopardize an entire system or access POS technology is access to a single device or individual.
Recommendations for how to make your retail organization cyber-resilient include:
Educate. All companies need to prioritize cybersecurity education in their cybersecurity strategy; including cybersecurity awareness programs, cyberliteracy programs and cyber hygiene training. Make it mandatory, even for seasonal employees. As the Canadian Institute for Cybersecurity, University of New Brunswick stated, “Cybersecurity and privacy, once issues only for technology experts have become widespread concerns in business and society. Cybersecurity is no longer just an IT problem. It is a business problem; it is everyone’s problem. The weakest link in cybersecurity is now people, not devices. As such, the human factor is considered the biggest threat to cyber safety.”
Culture. Create a culture of cybersecurity in your organization – making cybersecurity a priority for employees at all levels.
Secure funding. Ask for additional cybersecurity funding or allocate more funding for cybersecurity.
Ask a specialist. Partner and communicate with a cybersecurity specialist.
Assess. Conduct a vulnerability assessment.
Strategize. Develop and follow a cybersecurity incident response plan.
Practice. Conduct organization-wide cybersecurity exercises to keep staff sharp.
Stay alert and adapt. Stay current on the changing threat landscape and adjust your incident response plan accordingly.
Protecting retail stores, and the customers who shop there is of vital importance with cyber attacks increasingly targeting POS systems. Both online and brick and mortar retailers, of every size, need to respond with network fortification measures and retail-specific incident response plans.
Talk to the cybersecurity solutions specialists at ISA, who have over 27-years of demonstrated industry excellence, about how to protect your company from a cyber attack.