The retail sector continues to grow rapidly, particularly since the COVID-19 pandemic, as more and more people shop online. The convenience of online shopping is meant to deliver a smooth customer experience and meet customer demand. A full digital transition, however, also means that retail businesses are expanding their attack surface: the paths, methods, and vulnerabilities that cybercriminals can use to attack them.
Estimates of the number of online retailers vary widely: some put it at over 9 million, others at more than 25 million e-commerce sites worldwide. Many of these online businesses also have brick-and-mortar stores with staff, cashiers with physical point-of-sale (POS) systems, and an extensive, geographically distributed network of payment systems.
The retail sector attracts cybercriminals because it processes and handles large amounts of personal data and financial information. Combining physical stores with e-commerce sites creates further opportunities for attackers because of the mix of technologies involved, including cloud-based services.
This post looks at the main security challenges the retail industry faces, and how strong cybersecurity practices and modern security solutions can protect retail businesses, staff, and customers from existing and emerging cybersecurity risks.
Cybersecurity Challenges in the Retail Sector
The retail industry processes increasing amounts of customer data, attracting unwanted attention from hackers and cybercriminals that wish to profit from the theft and sale of personally identifiable information (PII).
Maintaining functional businesses while providing adequate levels of cybersecurity to protect their customers is a significant challenge. Many online and offline retailers solicit help from external security teams to develop effective cybersecurity strategies to improve network security.
Social engineering is one of the primary attack vectors affecting the retail sector, especially phishing, in which cybercriminals trick customers or employees into divulging financial information or access credentials.
Phishing attacks affect businesses of all sizes and can be extremely damaging when successful. One of the dangers of phishing is that a successful attack can lead to further cyber attacks on the target organization or individuals and businesses linked to the compromised data.
Phishing frequently results in an attempted ransomware attack. Once a cybercriminal gains access to a network, they can infect the network with malware, including ransomware, which encrypts a system’s data, rendering it useless without the decryption key.
In one survey, almost 80% of retail organizations had experienced a ransomware attack, making retail the second most targeted industry in that survey.
Near Field Communications (NFC) Payment Systems
NFC technology has streamlined payment processing by allowing merchants to accept contactless payments from smartphones or NFC-enabled cards. However, NFC payment systems entail several data security risks:
- Although the NFC read range is only a few centimeters, it is still a wireless channel, and an attacker with suitable equipment close to the terminal can attempt to eavesdrop on or relay it.
- Low-value contactless transactions typically require no PIN or other cardholder verification, so a stolen card or phone can be used until it is blocked.
- Data held on or passing through a payment terminal is exposed if the terminal talks to the store network or the payment processor over an unsecured connection.
Note that EMV contactless transactions use a one-time cryptogram, so a captured exchange cannot simply be replayed; the practical risks are relay attacks, fraud below the verification limit, and weak back-end connections.
Misconfiguration and Software Vulnerabilities
With large, geographically distributed networks and reliance on third-party services, server misconfigurations and software vulnerabilities are common in retail. The most common weaknesses include the following:
- SQL injection
- URL redirection to untrusted websites (open redirects)
- Missing authentication
- Missing data encryption
- Malware-infected or tampered software
- Weak passwords
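As an added example (not from the original article), here are two of the listed weaknesses side by side in Python: a customer lookup that splices user input into SQL next to its parameterized replacement, and an open-redirect check that accepts only same-site paths or an assumed allow-list of hosts. The table, its rows, and the host names are constructed for the demonstration.

```python
"""Added example: SQL injection and open redirect, vulnerable and hardened.

The customers table, its rows, and the allow-listed host are constructed
for this demonstration; they are not from any real deployment.
"""
import sqlite3
from urllib.parse import urlsplit


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a store's customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1881")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # VULNERABLE: the caller's input becomes part of the SQL text, so
    # "' OR '1'='1" turns a one-row lookup into a dump of the table.
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # HARDENED: a bound parameter is always data, never SQL, whatever it contains.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Assumed allow-list of hosts the shop may redirect to after login or checkout.
ALLOWED_REDIRECT_HOSTS = {"shop.example.com"}


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return `target` only if it stays on-site or on an allow-listed host.

    Rejects protocol-relative URLs (//evil), backslash tricks (/\\evil),
    userinfo tricks (https://shop.example.com@evil) and non-https schemes.
    """
    if "\\" in target:
        return default
    parts = urlsplit(target)
    # Relative path on this site: no scheme, no host, a single leading slash.
    if not parts.scheme and not parts.netloc and target.startswith("/") and not target.startswith("//"):
        return target
    # Absolute URL: hostname (not netloc, which may carry user@) must be allow-listed.
    if parts.scheme == "https" and parts.hostname and parts.hostname.lower() in ALLOWED_REDIRECT_HOSTS:
        return target
    return default


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # every row
    print("safe:      ", lookup_safe(db, payload))         # []
    print(safe_redirect_target("//evil.example/phish"))    # /
```

The same payload that dumps the whole table through the string-built query returns nothing through the bound query, because the driver never parses the parameter as SQL. For redirects, the check is deliberately an allow-list on the parsed hostname: deny-listing known bad hosts or checking `startswith("https://shop.example.com")` both fail against the userinfo and subdomain tricks in the docstring.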
Automation and Botnets
Automation is excellent for retail businesses as it can facilitate billing, responses to customer queries, email marketing campaigns, inventory tracking, POS systems, and checkouts. Unfortunately, cybercriminals can also use automation to perpetrate more frequent and penetrating cyber attacks.
With botnets, for example (networks of malware-infected computers under an attacker's remote control), cybercriminals can launch attacks on other networks at scale. The most common attacks involving botnets are the following:
Credential Stuffing
A relative of brute-force attacks, credential stuffing uses automation to try stolen username and password pairs against many sites. Because users often reuse passwords, one leaked set of credentials can unlock many accounts.
A successful account takeover can allow cybercriminals to make fraudulent purchases, steal confidential customer information such as credit card details, or launch phishing or spear-phishing attacks from the compromised account.
Brute-Force Attacks
When cybercriminals do not know the usernames or passwords, they can use automation to guess them, trying dictionary words or random values until they find valid credentials.
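The difference between the two automated attacks above is visible in authentication logs, and the following added example (not from the original article) shows how to tell them apart: a few constructed log lines in an assumed `ip=... user=... result=...` format are grouped per source address; a source that tries many different usernames once or twice each is reported as credential stuffing, one that hammers a single account as brute force, and any success inside a burst is listed as a probable account takeover. The thresholds are illustrative and would be tuned to a real system's volumes.

```python
"""Added example: telling credential stuffing from brute force in auth logs.

Log format, addresses, user names and thresholds are all constructed for
this demonstration and would be tuned to a real system's volumes.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed line format: "<ISO-8601 time> ip=<addr> user=<name> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

STUFFING_USERS = [
    "alice", "bob", "carol", "erin", "frank", "grace",
    "heidi", "ivan", "judy", "mallory", "oscar",
]

# Constructed sample: one source sprays 12 different accounts (one hit),
# one source hammers "admin", one legitimate user mistypes once.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d}Z ip=203.0.113.7 user={u} result=fail"
     for i, u in enumerate(STUFFING_USERS)]
    + ["2024-05-01T10:00:11Z ip=203.0.113.7 user=dana result=ok"]
    + [f"2024-05-01T10:01:{i:02d}Z ip=198.51.100.5 user=admin result=fail"
       for i in range(10)]
    + ["2024-05-01T10:02:00Z ip=192.0.2.9 user=alice result=fail",
       "2024-05-01T10:02:05Z ip=192.0.2.9 user=alice result=ok"]
)


def parse(lines):
    """Parse log lines into dicts; silently skip lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def classify_sources(events, min_attempts=10, stuffing_min_users=8,
                     stuffing_max_per_user=2, bruteforce_min_per_user=6,
                     min_fail_ratio=0.8):
    """Return {ip: finding} for sources whose pattern matches an attack."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        if len(evs) < min_attempts:
            continue  # too little traffic to judge
        per_user = defaultdict(int)
        for ev in evs:
            per_user[ev["user"]] += 1
        fails = sum(1 for ev in evs if ev["result"] == "fail")
        fail_ratio = fails / len(evs)
        compromised = sorted({ev["user"] for ev in evs if ev["result"] == "ok"})

        # Stuffing: breadth (many users, each tried once or twice), mostly failing.
        if (len(per_user) >= stuffing_min_users
                and max(per_user.values()) <= stuffing_max_per_user
                and fail_ratio >= min_fail_ratio):
            kind = "credential_stuffing"
        # Brute force: depth (one account tried over and over).
        elif max(per_user.values()) >= bruteforce_min_per_user:
            kind = "brute_force"
        else:
            continue
        findings[ip] = {
            "kind": kind,
            "attempts": len(evs),
            "distinct_users": len(per_user),
            "first": min(ev["ts"] for ev in evs).isoformat(),
            "last": max(ev["ts"] for ev in evs).isoformat(),
            "probable_takeover": compromised,  # successes inside the burst
        }
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(parse(SAMPLE_LOG)).items():
        print(ip, finding)
```

Real stuffing campaigns rotate through proxy pools, so a per-IP view like this one misses the distributed case; the same breadth-versus-depth logic applied per user-agent fingerprint or per ASN, and a global "distinct usernames failing per minute" counter, catch more of it. The `probable_takeover` list is the item worth paging on: a success from a source that has just failed against eleven other accounts is a takeover, not a customer.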
Fake Account Creation
One in five account registrations is estimated to be fake. Cybercriminals use bots to create fake accounts with which to commit fraud, distribute malware, steal identities, spread false information, and engage in fraudulent communications. A competitor might use such accounts to discredit the target organization by posting damaging, negative product reviews.
Web Scraping
Web scraping refers to using bots to harvest content and data from websites: the HTML pages themselves and the product, price, and other data they expose from back-end databases. The scraped data can then be recreated or repurposed.
While web scraping is not inherently illegal (it is frequently used to collect market statistics, real estate listings, weather data, and the like), cybercriminals can use bots to gather open-source intelligence on a target or to find data that has been leaked.
Distributed Denial of Service (DDoS) attacks
Cybercriminals can use botnets to bombard networks with requests to disrupt or disable the associated organizations. DDoS attacks can distract and divert an organization’s IT resources, making the company vulnerable to a second attack. The disruption, which can include the complete unavailability of a website, can cause a significant loss of revenue and trust.
Third-Party Risk
Third-party risk refers to any risk to an organization from its supply chain or other external parties, such as business partners, service providers, and contractors. Many retail businesses rely on multiple third parties, including cloud-service providers, POS system providers, and third-party apps used on e-commerce sites.
Vulnerabilities exist when businesses transfer confidential data to their third-party providers. Furthermore, the third-party providers may have inherent security weaknesses, including but not limited to a lack of information security policies, encryption, or web application firewalls (WAFs).
An organization’s attack surface increases with every third party it uses. Yet many businesses are unaware of how many third parties are involved in their product or service lifecycle and lack a way to perform third-party risk assessments to make meaningful decisions about potential cyber threats.
Lack of Encryption
Encryption is essential for retail stores, which process, store, and transmit financial information daily. Without encryption, internet transmissions are easily visible to cybercriminals and it would take little effort for a hacker to intercept communications, making both the sender and the recipient vulnerable.
In a man-in-the-middle (MITM) attack, a hacker intercepts a transmission, modifies it, and then relays it to the recipient without anyone knowing the intervention took place. This allows the hacker to commit fraud, such as inserting their own payment information to receive money or stealing card data for phishing or sale on the dark web.
Insider Threats
In addition to the many external threats to a retail organization, it is imperative to remember the risk of insider threats. Staff and third-party contractors sometimes use their proximity, insider knowledge, and authorized access to commit fraud against the organizations for which they work.
Insider threats can also be unintentional. Insiders may harm businesses by their complacency or negligence, damaging the integrity, functionality, and confidentiality of information systems.
Internet of Things (IoT)
While integrating IoT solutions can drive efficiency by enhancing data gathering, supply chain optimization, manufacturing precision, inventory management, customer experience, delivery, and more aspects of business operations, it also poses significant threats to retail security.
IoT has a massive impact on the security posture of any retail business. Every connected device dramatically increases the organization’s attack surface.
- IoT devices often ship with minimal security controls, because low-end manufacturers keep production costs down.
- Many users never change the default passwords with which new devices are shipped.
- Devices are often deployed without applying the firmware updates that patch known vulnerabilities.
- Many IoT devices are connected to retail networks over unsecured connections, and on the same network segment as business systems.
In many cases, hackers can easily exploit the many vulnerabilities of IoT devices to breach retail security systems and gain unauthorized access to networks and their confidential information.
Retail Cybersecurity Solutions
While the retail sector attracts attention from many cybercriminals, and there are many access points they can test for weaknesses, retail businesses can follow best practices to improve information security and prevent cybersecurity attacks.
Develop a Cybersecurity Strategy
A clearly defined cybersecurity strategy is key to improving cybersecurity for retail businesses. An enterprise needs a Chief Information Security Officer (CISO) or an equivalent role to own its information security policy.
The cybersecurity strategy needs to be based on a thorough risk management process. By identifying and assessing the potential impact of a retail business's cyber risks, it’s possible to develop a cybersecurity strategy appropriate to the business’s size, sector, and objectives.
The CISO must embody the cybersecurity strategy and be a key figure in developing a corporate cybersecurity culture. This is essential to educate and engage retail staff enough to provide a strong defense against cyberattacks.
Follow Cybersecurity Frameworks & Regulations
Many security frameworks and regulations are designed to help certain industries build stronger IT programs and data security practices. Some of the biggest ones that may affect the retail industry are:
General Data Protection Regulation (GDPR)
GDPR is the EU’s primary data protection law. With hundreds of pages of requirements, more than a thousand fines issued, and billions in penalties collected, it has earned its description as “the world’s toughest privacy and security law.”
While GDPR only applies to businesses that collect or store data relating to people in the EU, achieving GDPR compliance is an excellent way to ensure a business has robust cybersecurity systems and procedures.
The regulation’s Article 5 sets out the seven principles of GDPR:
- Lawfulness, fairness, and transparency: personal data must be processed lawfully, fairly, and transparently;
- Purpose limitation: data must be collected for specified purposes and not used in ways incompatible with them;
- Data minimization: only as much data as is necessary for those purposes should be collected;
- Accuracy: data must be accurate and, where necessary, kept up to date;
- Storage limitation: data must not be kept in a form that identifies individuals for longer than necessary;
- Integrity and confidentiality: personal data must be protected by appropriate security against unauthorized or unlawful processing and against accidental loss, destruction, or damage;
- Accountability: the data controller must be able to demonstrate compliance with all of the principles above.
Payment Card Industry Data Security Standard (PCI DSS)
The PCI Security Standards Council (PCI SSC) developed PCI DSS to provide global standards and resources for safe payments.
Founded by the global payment brands American Express, Discover, JCB, Mastercard, and Visa, the PCI SSC’s mission to protect cardholder data is supported by PCI DSS, whose requirements are grouped under six goals:
- Build and maintain a secure network and systems
- Protect cardholder (account) data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Other Cybersecurity Frameworks
The National Institute of Standards and Technology (NIST) Cybersecurity Framework and ISO 27001 are key cybersecurity frameworks retail businesses can use to develop or enhance their cybersecurity systems.
Neither is mandatory in itself, although customers, partners, or regulators may require them, and ISO 27001, unlike the NIST framework, can be formally certified against. Retail businesses can use these and other frameworks to reduce cybersecurity risk.
Staff Training
Retail businesses can prevent many data breaches and other cyber incidents by training their staff. Doing so reduces the risk and potential impact of employee error and reinforces strong cybersecurity practices.
Training needs to be company-wide, beginning with onboarding for new employees, with regular updates and evaluations throughout the employee’s time at the organization. It’s also good to have different training for different groups according to their exposure to risk. For example, cashiers need specific training regarding the secure use of POS systems.
To help retail employees provide a robust defense against emerging cyber threats, basic training should include the following topics and best cybersecurity practices:
- Understanding the company’s information security policies
- Authentication protocols
- Email security
- Data protection regulations
- The importance of keeping hardware and software up to date
- Practices to maintain strong passwords
- Data encryption processes
- Risks of using unsecured networks, such as public Wi-Fi hotspots
Encryption
With hackers using ever more sophisticated methods to gain access to networks, encryption is essential because it makes it far harder for cybercriminals to read or modify data in transit. Encrypting traffic between sender and recipient protects confidential data, lets the recipient detect tampering, and, combined with certificates, gives both sides a way to verify who they are talking to. Securing the servers and payment gateways themselves is just as vital.
Public key encryption using digital certificates from trusted third parties effectively protects e-commerce businesses from many cyber threats, including MITM attacks.
Internet encryption is commonly achieved with HTTPS, which is HTTP run over Transport Layer Security (TLS). TLS succeeded the Secure Sockets Layer (SSL) protocol; every SSL version and TLS 1.0 and 1.1 are deprecated, so servers and payment gateways should accept TLS 1.2 or newer only, and client software should verify the server certificate rather than disable checking when a connection fails.
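Certificate-based protection against MITM attacks only works if the client actually verifies the certificate it is shown. As an added example (not from the original article), the Python below puts a weak client TLS configuration, of the kind often found in store or back-office integration code, beside the hardened one and audits both with the standard library's `ssl` module; both contexts are constructed here and no network access is needed.

```python
"""Added example: auditing a client's TLS settings with the standard library.

Both contexts are constructed here; audit_client_context() is what you would
run against the context a POS or back-office integration actually builds.
"""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server's certificate chain and hostname; TLS 1.2 or newer only."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSL 3.0, TLS 1.0 and 1.1 are out
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The 'it connects, ship it' configuration: accepts any certificate at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # anyone on the path can now impersonate the gateway
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # some OpenSSL builds refuse legacy versions
    except ValueError:
        pass
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname check disabled (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"legacy protocol versions allowed (minimum_version={ctx.minimum_version.name})")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_client_context(hardened_client_context()) or "OK")
    print("weak:    ", audit_client_context(weak_client_context()))
```

`verify_mode = CERT_NONE` is the setting that turns a payment-gateway connection into one a man in the middle can read and rewrite; it typically gets added to make a self-signed test certificate work and is never removed. The fix is to trust the right CA (`ctx.load_verify_locations(...)` for a private CA), not to stop verifying.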
Any confidential information stored on hard drives, portable or otherwise, must be encrypted to protect data.
Installing Firewalls and Antivirus
Firewalls are a basic network security control that protects a retail business by placing a barrier between the internet and the organization’s network. A firewall inspects traffic crossing that border in both directions, logging, flagging, and blocking activity according to its rules. Properly configured, it is an effective defensive layer that helps retail businesses prevent and detect attacks, but a firewall is only as good as its rule set, and overly permissive rules are a common misconfiguration.
Antivirus software is another way to quickly detect malware that may be affecting devices and systems, and to remove it. It runs continuous scans on a device and can isolate and remove malicious code that has been accidentally downloaded.
Access Management
Proper access management allows a retail business to limit and monitor access to confidential customer data. It controls who has access to critical data based on their job roles. Limiting data access contains the damage if an employee’s or other user’s credentials are compromised.
In addition to improvement in efficiency, a primary benefit of this is that it becomes easier to identify the source of a data breach. Access control systems, which can be physical or software-based, may involve the following:
- Passwords and PINs
- Cards and fobs
- Video surveillance
- Biometric scanners
Depending on the extent of a retail business’s access control system, it can log every person entering a physical location, log everyone accessing confidential areas of the network, and insist on tougher levels of verification for those seeking to modify or transmit personal data.
Network Segmentation
Mixing transactional data with other kinds of network traffic can lead to the compromise of PII. However, separating the two through network segmentation can be challenging, especially given the following:
- The increased use of IoT sensors, which improves retail business efficiency but also increases the attack surface through the growing number of endpoints involved in daily operations
- The growing use of cloud-based services, which can also make retail businesses more efficient but increases the attack surface with unknown or unmanaged third-party devices and systems
When retailers hear “segmentation” they may think of marketing, but IT network segmentation needs to come first. It also narrows the set of systems in scope for PCI DSS. The benefits of IT network segmentation include the following:
- Damage control during a cyber incident because the scope of the attack can be contained within one part of the network
- Improved access control, limiting access permissions to staff that need it
- More efficient and effective networking monitoring and analysis
- Improved endpoint device protection
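A segmentation design is only as good as the firewall rules that enforce it. As an added example (not from the original article), this Python script checks a constructed rule table against an assumed store address plan: nothing outside the cardholder data environment (CDE) may initiate connections into it, and the CDE itself may reach only the assumed payment processor address. Subnets, addresses, and rules are all invented for the demonstration.

```python
"""Added example: checking firewall rules against a segmentation policy.

Segment addressing, the payment gateway address and the rule table are all
constructed for this demonstration.
"""
import ipaddress

# Assumed store address plan.
SEGMENTS = {
    "cde": ipaddress.ip_network("10.10.0.0/24"),          # POS terminals, payment switch
    "corporate": ipaddress.ip_network("10.0.0.0/24"),     # office PCs, back office
    "iot": ipaddress.ip_network("10.20.0.0/24"),          # cameras, shelf sensors
    "guest_wifi": ipaddress.ip_network("192.168.50.0/24"),
}
# Assumed payment processor endpoint: the only thing outside itself the CDE may reach.
PAYMENT_GATEWAY = ipaddress.ip_network("198.51.100.10/32")
ALLOWED_INTO_CDE = {"cde"}  # only CDE hosts may initiate connections into the CDE

# Constructed rule table, each rule evaluated independently.
SAMPLE_RULES = [
    {"src": "10.10.0.0/24", "dst": "198.51.100.10/32", "dport": 443, "action": "allow"},  # POS -> processor
    {"src": "10.0.0.0/24", "dst": "10.10.0.0/24", "dport": 22, "action": "allow"},        # office SSH into CDE
    {"src": "10.20.0.0/24", "dst": "0.0.0.0/0", "dport": 443, "action": "allow"},          # IoT -> anywhere
    {"src": "192.168.50.0/24", "dst": "10.10.0.0/24", "dport": 0, "action": "deny"},       # explicit deny
    {"src": "10.10.0.0/24", "dst": "10.10.0.0/24", "dport": 8080, "action": "allow"},      # intra-CDE
    {"src": "10.10.0.0/24", "dst": "0.0.0.0/0", "dport": 80, "action": "allow"},           # CDE -> internet
]


def segments_touched(net: ipaddress.IPv4Network) -> set:
    """Names of segments a prefix overlaps, plus 'external' if it reaches outside all of them."""
    touched = {name for name, seg in SEGMENTS.items() if net.overlaps(seg)}
    if not any(net.subnet_of(seg) for seg in SEGMENTS.values()):
        touched.add("external")
    return touched


def find_violations(rules) -> list:
    """Return (rule_index, reason) for each allow rule that breaks the policy."""
    violations = []
    for idx, rule in enumerate(rules):
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        src_segs = segments_touched(src)
        dst_segs = segments_touched(dst)
        label = f"{rule['src']} -> {rule['dst']}:{rule['dport']}"

        # Inbound: anything but the CDE itself reaching into the CDE.
        if "cde" in dst_segs and not src_segs <= ALLOWED_INTO_CDE:
            violations.append((idx, f"{label} lets {sorted(src_segs - ALLOWED_INTO_CDE)} into the CDE"))
        # Outbound: CDE hosts allowed to reach anything other than the CDE or the processor.
        if "cde" in src_segs and not (dst.subnet_of(SEGMENTS["cde"]) or dst.subnet_of(PAYMENT_GATEWAY)):
            violations.append((idx, f"{label} lets the CDE reach beyond the payment gateway"))
    return violations


if __name__ == "__main__":
    for idx, reason in find_violations(SAMPLE_RULES):
        print(f"rule {idx}: {reason}")
```

The two "any" rules are the instructive ones: the IoT-to-anywhere rule is flagged because `0.0.0.0/0` overlaps the CDE even though nobody wrote the CDE address into it, and the CDE-to-internet rule is flagged because CDE egress should be pinned to the processor (and a patch or logging host, if the policy lists one). Run the check against an export of the live rule set rather than the design document; drift between the two is the usual finding.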
Zero Trust Architecture
Zero trust network architecture aims to provide network security by requiring validation at every stage of every digital interaction. Digital transformation has revolutionized retail ecosystems, and zero trust is an excellent way to keep retail businesses secure amid an ever-evolving cyber threat landscape.
In a traditional perimeter model, a user granted access to the network may move laterally and reach or extract sensitive data without further checks. By contrast, zero trust is characterized by:
- Network segmentation
- Strong authentication
- Access control management
- Granular security controls
- Prevention of lateral movement
Besides more effective security, a zero trust architecture can improve efficiency and reduce the complexity of the security stack.
Multi-Factor Authentication (MFA)
While not infallible, multi-factor authentication (MFA) makes accounts vastly more secure than passwords alone. Even with strong passwords, the added step of an MFA system makes it much harder for cybercriminals to gain unauthorized access to systems.
Requiring MFA from every employee who accesses customer data protects sensitive information and network integrity. In addition to a password or another authentication method, MFA can include one or more of the following:
- Fingerprint scan
- Voice recognition
- Facial recognition
- Retina scan
- PIN code
- A badge, card, or key fob
- Keystroke dynamics
- A one-time code delivered via a mobile app
Note that a PIN is a knowledge factor, just like a password; for a combination to count as multi-factor, the second step must come from a different category, either something the user has (a fob, card, or authenticator app) or something the user is (a fingerprint, face, or retina).
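The last item on the list, a one-time code from an authenticator app, is usually TOTP (RFC 6238): a six-digit code derived from a shared secret and the current 30-second time step. As an added example (not from the original article), the Python below implements generation and server-side verification with the standard library, checks itself against the published RFC 6238 test vectors, and returns the matched time step so the caller can refuse a replayed code. The secret shown is the RFC's test secret, not a real one.

```python
"""Added example: TOTP (RFC 6238) generation and verification, stdlib only.

The 20-byte secret below is the RFC 6238 test secret; a real deployment
generates a random secret per user and stores it encrypted.
"""
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamic-truncate, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def match_totp_counter(secret: bytes, code: str, for_time=None, window: int = 1,
                       step: int = 30, digits: int = 6, last_used=None):
    """Server-side check. Returns the matched time step, or None.

    `window` allows for clock skew (1 = also accept the previous and next step).
    `last_used` is the step of the last accepted code for this user; any step
    at or before it is refused so an intercepted code cannot be replayed.
    """
    if for_time is None:
        for_time = time.time()
    if len(code) != digits or not code.isdigit():
        return None
    current = int(for_time) // step
    for counter in range(current - window, current + window + 1):
        if last_used is not None and counter <= last_used:
            continue
        # compare_digest keeps the comparison constant-time.
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits): 59 -> 94287082, 1234567890 -> 89005924
    print(totp(RFC_TEST_SECRET, 59, digits=8), totp(RFC_TEST_SECRET, 1234567890, digits=8))
    print("now:", totp(RFC_TEST_SECRET))
```

Two server-side details matter more than the arithmetic: store the returned step as `last_used` so the same code is never accepted twice, and keep the skew window small (one step either way), since every extra step an attacker may guess against multiplies the odds of a lucky six-digit guess. Rate-limit failed attempts per account for the same reason.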
Data Backups
Losing customer information can be disastrous for a retail operation: it can halt mission-critical operations, including payment processing and order fulfillment, and cause problems with the supply chain and inventory.
Worst of all, however, is often the public fallout when people learn that the company lost sensitive customer data. Rebuilding trust after a data breach or leak, where it is possible at all, can take years.
While data backups do not prevent data breaches, they can help retail businesses bounce back after a critical cyber incident. As part of an incident response plan, data backups make businesses more resilient to cyber threats, which can be critical to how quickly they are operational again, how they respond to cyber threats, and how customers perceive the brand. These are all vital considerations for retail businesses.
Regular Hardware and Software Updates
One of the reasons retail businesses become targets for cybercriminals is their use of multiple access points, often combining hardware and software types, and — for larger retail organizations — geographically distributed networks.
The mix required for a retail business to have a brick-and-mortar store and maintain an e-commerce website leads to a larger attack surface and more chance of misconfiguration issues and other vulnerabilities.
Keeping hardware and software up-to-date can help maintain information security because software developers’ updates typically contain patches that fix vulnerabilities that cybercriminals could exploit to gain unauthorized access to networks.
Cybersecurity Automation, AI, and Machine Learning
Cybercriminals are leveraging AI and machine learning to launch more persistent and varied attacks. The retail sector must therefore also use security automation to detect and respond to threats in real time.
With machine learning technology, cybersecurity systems can watch the patterns of typical user activity and spot unusual network activity. With good input data, an AI cybersecurity system can draw on an extensive library of existing cyber threats and use this information in combination with its own observations to respond to evolving cyber attacks on the fly.