Cybersecurity needs to be a priority for retailers, now more than ever. While some retailers were among the early adopters in the evolution of e-commerce in the 2000s, the pandemic accelerated digital transformation right across the board in the retail industry. According to a Retail Data Threat Report by Thales, over 70% of U.S. retailers accepted payment online in 2022, in contrast to just 57.6% in 2019. This evolution did not go unnoticed by threat actors: the report also suggested that 45% of retailers reported an increase in the volume, severity and/or scope of cyberattacks in 2021/22, and nearly a third (32%) of respondents had experienced a security breach in the same timeframe.
Now that retailers have built a digital infrastructure, customers are expecting online services: there is no going back. Statistics Canada data suggest that e-commerce represented about 3.6% of the total Canadian retail market (seasonally adjusted) heading into the pandemic. This proportion rose sharply to a peak of 11.4% in April 2020, and has stayed up at an average of 5.7% throughout 2022. That’s an average of C$3.54B online per month in 2022 in Canada alone.
In this guide, we list many of the challenges retailers face, the consequences of a breach, and 10 key cybersecurity fundamentals for retailers to follow.
Retail companies are high-profile and can hold a significant amount of personal and financial customer information. While a successful data breach at a retailer may not have an immediate impact comparable to that of a similar disruption to critical infrastructure or healthcare, the damage is still significant. Prolonged outages can be devastating to the merchant, particularly at key times of year (consider a cyber attack on a floral delivery service around Valentine’s Day!). And a breach can have serious consequences for customers in terms of financial loss and risk of identity theft.
How are retailers being attacked?
According to Verizon’s 2022 Data Breach Investigations Report, social attacks are a growing threat. Roughly split between phishing (53%) and pretexting (47%), social attacks have more than doubled in the last four years, from 13% in 2018 to 29% in 2022. Verizon reports that credential theft is the top attack vector in the retail space, used nearly half the time to deploy ransomware on victimized merchants.
Web applications are also a major concern for retailers. The e-commerce engines that digital sellers rely upon are a constant target. Without strong security measures in place, web skimmers such as Magecart, which inject malicious JavaScript into checkout pages to capture card details as customers type them, create a significant risk. According to Verizon, instances of malware targeting the payment card data, passwords, and other personal information collected on retailer websites were a dramatic seven times higher than in other industry sectors. Classic web application flaws such as SQL injection and cross-site scripting (XSS) can likewise expose customer data when an e-commerce portal fails to validate input or escape output, and threat actors routinely probe for them.
Supply chain and third-party risks are particularly acute for retailers, who rely on smooth and timely fulfillment. In a highly competitive marketplace – both in-store and online – customers have little patience for stock limitations: they will simply move on. E-commerce websites often rely on third-party components such as virtual shopping carts, payment gateways, and analytics tools. If these components are not properly secured, they can provide a door for attackers to gain access to a retailer’s corporate network. The elaborate interdependencies in today’s digital markets mean that security is only as strong as the weakest link.
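To make the SQL injection and XSS point concrete, here is an added example (not code from the original article or from any product it mentions) that places a vulnerable customer lookup and HTML rendering next to their hardened forms. The table, rows, payloads and function names are constructed for illustration; the hardened versions use parameterised queries and output escaping, which is the standard fix.

```python
import html
import sqlite3

# Constructed sample data: a few customer rows as a small e-commerce portal
# might hold them. Nothing here comes from a real system.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "4242"),
    ("bob@example.com", "1881"),
    ("carol@example.com", "0005"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory store with the constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)", SAMPLE_CUSTOMERS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the statement by string formatting, so attacker input becomes SQL.

    A value such as  nobody@example.com' OR '1'='1  turns the WHERE clause into
    a tautology and every customer row comes back.
    """
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the driver binds the value separately from the SQL text,
    so quotes and keywords in the input are just characters to compare against."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def greeting_vulnerable(display_name: str) -> str:
    """Reflects an untrusted value into HTML unescaped: a script in the name runs
    in every browser that renders the page (cross-site scripting)."""
    return f"<p>Welcome back, {display_name}!</p>"


def greeting_safe(display_name: str) -> str:
    """HTML-escapes the untrusted value before it reaches the page, so markup in
    the input is displayed as text rather than interpreted."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "nobody@example.com' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(db, payload))  # every row leaks
    print("safe lookup:      ", lookup_safe(db, payload))        # no such email: []
    xss = "<img src=x onerror=alert(1)>"
    print(greeting_vulnerable(xss))
    print(greeting_safe(xss))
```

The vulnerable lookup returns all three customers for the tautology payload while the parameterised one returns nothing; the escaped greeting renders the `<img>` tag as literal text. The same two fixes apply to any language and driver: never build SQL from strings, and escape at the point of output.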
Malicious insider attacks in retail are also a constant concern. Employee turnover is often high, and the typical retailer has many points of insider vulnerability, including part-time, seasonal, and full-time permanent staff on the floor and behind the scenes. Disgruntled employees or contractors with over-provisioned access to the merchant’s systems can deliberately steal sensitive information or damage network infrastructure.
Finally, retailers are exposed to growing IoT risk. Connectivity through IoT devices is becoming increasingly prevalent in retail via self-checkouts, distributed price scanners and kiosks, smart shelves and displays, sensors, POS devices, etc. Many businesses rely on IoT systems that lack the security measures necessary to stay current and defend against cyber attacks. Vulnerabilities and insecure configurations may leave IoT devices at risk: several of the highest-profile data breaches at retailers have involved “skimming” at the register, where payment card data was harvested directly from compromised POS terminals.
What’s at Stake?
The costs and impacts of a successful data breach are huge. According to IBM’s Cost of a Data Breach Report 2022, there’s good news and bad: while the retail sector ranked only 14th among the sectors analyzed, that still represented a significant US$3.28M average cost for managing a data breach in 2022 (slightly up from US$3.27M in 2021).
Compliance is a key issue for retailers. Virtually every retailer that accepts payment cards is subject to PCI DSS requirements; any company handling the personal data of people in Europe is responsible for complying with GDPR, and an appropriate cyber posture is required for a successful audit and for cybersecurity insurability. Inadequate cybersecurity measures can expose the business to fines, higher costs, and market limitations.
And of course, it’s all about the customers. A May 2022 U.S. survey by PYMNTS suggests that 41% of online customers are “very” or “extremely” likely to switch to a new merchant if they believe the merchant is not trustworthy. Furthermore, 47% of consumers surveyed said that fears regarding the theft of personal data due to fraud could hurt their trust in digital merchants, and 23% cite the possible theft of personal information as their greatest concern in transacting with a retailer. As the report puts it: “These findings underscore how crucial it is for merchants to sustain customer trust once they have established it.” A data breach can have a lasting impact on a retailer’s reputation.
Lessons Not Learned… and the Three Cs of Avoidance
Clearly there are ample threats and compelling reasons for retailers to secure themselves. So why do we still see headlines about successful cyber attacks and data breaches in the sector? Why have we not learned the lessons from Target in 2013 (40 million credit and debit card numbers were stolen, along with the personal information of 70 million customers), Home Depot in 2014 (56 million payment card numbers and 53 million email addresses disclosed), Saks Fifth Avenue in 2018 (over 5 million payment card numbers stolen), and Neiman Marcus in 2021 (personal and financial data for 4.6 million customers exposed)? There are three key inhibitors:
Implementing and maintaining strong cybersecurity measures can be expensive, and some smaller retailers may not have the resources to invest in these technologies. Some retailers may prioritize short-term goals and profits over longer-term investments in cybersecurity, which can be seen as a cost rather than a benefit. Successful retailers recognize that cyber can be viewed as a differentiator and a business enabler, not just an expense. And, frankly, the direct and indirect costs of inadequate cybersecurity surely outstrip strategic cyber investment.
Some retailers may feel that they are too small to be targeted, or that they already have traditional safeguards in place. In many cases, retailers were among the first wave of e-commerce adopters. Because they have been running online systems, and thinking about cybersecurity, over a longer window than many other sectors, technical debt and accumulated complexity may create inefficiencies or ineffective cyber defences, or over-confidence in systems that were adequate in the past but may not be up to the sophistication and speed of modern cyber attackers. Cybersecurity is a journey – not a destination. Cyber criminals are indiscriminate in the size of business they attack, and will scan for – and exploit – vulnerabilities as they find them. In this case, size emphatically does not matter. A robust cyber program needs to evolve and adapt to the constantly changing threat landscape.
The technology and threat landscape of cybersecurity is undeniably complex, making it challenging for retailers to keep up with the latest threats, the increasing sophistication of threat actors, and the panoply of overlapping cyber solutions. Trying to plug holes without an over-arching plan only contributes to the chaos. Developing a cohesive, practical cyber program including appropriate policies and procedures can be a daunting task for an enterprise, resulting in inaction. But it’s the only way to manage risk efficiently and cost-effectively.
Finding a Way Forward: 10 Tips for Retailers
So, what should retailers be focusing on? Here are ten of the key cybersecurity fundamentals that retailers – in fact, any organizations in any sector – should prioritize:
- Security awareness training: As a first line of defense in-store and in the back office, it is essential that all staff receive regular training to prepare them to recognize and avoid phishing scams, social engineering attacks, and other security threats that are so common in the retail sector.
- Password management and MFA: “Long and strong” passwords, backstopped by multi-factor authentication are a basic yet vital method of defending against cyber attack. This seems like a given by now, yet according to a Thales report conducted in 2022, MFA is only used by 59% of retail organizations. This has to change.
- Conduct regular security assessments: Regular security assessments, penetration testing, and ethical hacking exercises can help identify vulnerabilities in systems and processes and allow retailers to prioritize and address them before they are exploited by cyber criminals.
- Patching: A robust program of updating systems to address vulnerabilities is essential. A vulnerability management program will help identify, prioritize, and implement changes that can protect a business from cyber threat. This is more than just application patches: operating systems, network hardware, and IoT devices all need to be inventoried and monitored for new vulnerabilities.
- Limit Access to Sensitive Data: Retailers can hold a significant amount of personal and financial data. By the nature of their operations, they can also have extensive part-time, occasional, or seasonal staff – not all of whom need access to all resources. A mature data security architecture and effective cybersecurity practices are crucial to help protect the network and the customer information residing therein. Following the fundamentals of “least privilege” – granting access only to the people, systems and purposes that require it, and only for as long as they do – is important to protecting customer data.
- Endpoint protection: Add networks, servers, PCs, laptops, and mobile devices to an ever-growing fleet of smart, connected IoT devices in the retail space, and the attack surface becomes both clear and seemingly daunting. Modern endpoint detection and response (EDR) solutions will detect and respond to threats on these devices, providing faster response and containing a potential attack before it spreads.
- Monitor for suspicious activity: Use security tools such as intrusion detection and prevention systems to monitor for suspicious activity on your network. A SIEM solution can give your IT staff the early warning signals that a potential attack is underway. In a cyber incident, seconds count: a SIEM not only identifies problem areas quickly, it can give your team the insights to be able to respond and react more quickly as well.
- Incident response planning: Retailers must have a plan in place for responding to a cyber attack, including processes for containing the damage, communicating with customers and stakeholders, and recovering quickly and gracefully from the incident.
- Third party/Supply Chain Management: Retailers must also assess the security posture of third-party vendors, as these vendors may have access to sensitive information and systems, and may be a weak link in the overall security chain.
- Backups and archives: When determining a backup strategy, there are two main criteria to consider: your recovery time objective (RTO) and your recovery point objective (RPO). RTO is the maximum time you can tolerate before a system or its data is restored; RPO is the maximum amount of data, measured as a span of time, that you can tolerate losing when you fall back to the last good backup. Every system and database has its own specific values: a criticality assessment can help you determine them in your environment. A criticality assessment is not just a great way to help understand your cybersecurity priorities; it can also help you map out your backup strategy, from frequency to type of archive.
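The “monitor for suspicious activity” tip above is easiest to appreciate with a concrete detection. The following is an added example, not code from the original article or from any SIEM product: it runs three sliding-window rules over constructed authentication log lines to surface the credential-theft patterns that precede ransomware deployment (brute force against one account, password spraying across many accounts, and a successful login from a source that had just been failing). The log format, field names and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Assumed log format (constructed for this example):
#   <ISO-8601 UTC timestamp> auth login user=<name> src=<ip> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log, in time order. 203.0.113.5 sprays one guess across
# six accounts and gets in as "frank"; 192.0.2.44 hammers "bob"; grace at
# 198.51.100.9 mistypes once and then signs in normally.
SAMPLE_LOG = """\
2023-11-20T10:00:01Z auth login user=alice src=198.51.100.7 result=OK
2023-11-20T10:00:05Z auth login user=alice src=203.0.113.5 result=FAIL
2023-11-20T10:00:06Z auth login user=bob src=203.0.113.5 result=FAIL
2023-11-20T10:00:07Z auth login user=carol src=203.0.113.5 result=FAIL
2023-11-20T10:00:08Z auth login user=dave src=203.0.113.5 result=FAIL
2023-11-20T10:00:09Z auth login user=erin src=203.0.113.5 result=FAIL
2023-11-20T10:00:10Z auth login user=frank src=203.0.113.5 result=OK
2023-11-20T10:00:30Z auth login user=bob src=192.0.2.44 result=FAIL
2023-11-20T10:00:31Z auth login user=bob src=192.0.2.44 result=FAIL
2023-11-20T10:00:32Z auth login user=bob src=192.0.2.44 result=FAIL
2023-11-20T10:00:33Z auth login user=bob src=192.0.2.44 result=FAIL
2023-11-20T10:00:34Z auth login user=bob src=192.0.2.44 result=FAIL
2023-11-20T10:00:40Z auth login user=grace src=198.51.100.9 result=FAIL
2023-11-20T10:00:41Z auth login user=grace src=198.51.100.9 result=OK
2023-11-20T10:05:00Z auth login user=bob src=192.0.2.44 result=FAIL
"""


def parse_line(line: str):
    """Parse one log line into an event dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped rather than silently mis-read
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "user": m["user"], "src": m["src"], "ok": m["result"] == "OK"}


def detect(lines, window_s=60, fail_threshold=5, spray_users=4, fails_before_ok=3):
    """Sliding-window detections keyed on source address.

    brute_force:            >= fail_threshold failures from one source within window_s
    password_spray:         failures against >= spray_users distinct accounts from one source
    success_after_failures: a success from a source that already has >= fails_before_ok
                            failures in the window (a guessed or stuffed credential worked)
    Thresholds are illustrative; tune them to your own login volume.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) for failures in the window
    alerts = {"brute_force": set(), "password_spray": set(), "success_after_failures": set()}
    for ev in filter(None, map(parse_line, lines)):
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0][0] > window_s:  # expire failures outside the window
            q.popleft()
        if ev["ok"]:
            if len(q) >= fails_before_ok:
                alerts["success_after_failures"].add((ev["src"], ev["user"]))
            continue
        q.append((ev["ts"], ev["user"]))
        if len(q) >= fail_threshold:
            alerts["brute_force"].add(ev["src"])
        if len({user for _, user in q}) >= spray_users:
            alerts["password_spray"].add(ev["src"])
    return alerts


if __name__ == "__main__":
    for rule, hits in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{rule}: {sorted(hits)}")
```

On the sample log the brute-force rule fires for both attacking sources, the spray rule only for 203.0.113.5, and the success-after-failures rule for the frank login from that source, which is the alert a responder would act on first; grace’s single typo raises nothing. The same per-source sliding window is how a SIEM correlation rule is typically expressed, and the thresholds are the knobs you tune against your own baseline.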
The Retail Council of Canada is launching an exciting campaign that will provide essential resources to inform how retailers can fortify their systems and train their staff on the best practices in preventing cybercrime.
Visa’s Biannual Threats Report (issued twice a year) is an excellent resource. The report identifies current cyber threats in the digital marketplace, along with best practices to mitigate, prevent and disrupt those threats.
The team at ISA Cybersecurity is also here to help retailers protect themselves and their customers from cyber threats. We have helped many Canadian companies in the private sector improve their security posture and defend against cyber threats: contact us today to learn how we can help you too. You’ll discover how we provide services and people you can trust.