Retail Cybersecurity

Retail cybersecurity: why does it have increased importance during the holidays, and what can your organization be doing to better fortify themselves against common attack vectors?

In 2019, a report estimated that organized retail crime costs organizations approximately 30 billion dollars annually. Since then, retail cyber crime has continued to rise: phishing, ransomware, advanced persistent threats, and supply chain attacks keep climbing in the retail industry, while cybercriminals keep finding new ways to exploit vulnerabilities in retail POS systems, IoT devices, endpoints, and cloud and server environments. Although these figures include storefront theft, a very significant share of the losses results directly from theft of payment card data, which is driving demand for stronger retail cybersecurity measures.

According to Verizon's 2022 Data Breach Investigations Report, 98% of the 629 incidents in the retail sector were financially motivated. Unsurprisingly, many involved payment data, and personal data was compromised in one of every four attacks. A separate report from IBM found that retail cyber attack victims faced extortion in 50% of attacks and credential harvesting in 25%. These tactics can cripple a retail organization by erasing profits and damaging its reputation past the point of recovery.

At a time when the average cost of a data breach in the retail industry is over $3.28 million, retailers have to prioritize cybersecurity, and with 63% of retail organizations reporting high turnover among security staff, that has never been more of a challenge.

Let's dive into what retail organizations should know regarding cyber crime (and how to protect themselves against it):

Retail Cyber Crime: Two Primary Cyberattack Vectors

Cyberattacks in the retail industry present themselves in two primary forms. The first targets point-of-sale (POS) systems. Theft incidents involving POS systems have declined from 2018's figures, thanks to Payment Card Industry Data Security Standard (PCI DSS) requirements and EMV chip technology, but RAM-scraper trojans, malware built to scan a POS terminal's memory for payment card data, grab it, and exfiltrate it, remain a prevalent threat. Attackers continue to target POS systems because many still do not use point-to-point encryption (P2PE), which encrypts card data inside the payment reader so that it never sits in cleartext in the POS application's memory.
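The mechanism above is simple enough to show in code. The following is an added example, not code from the original post: a Track 2 scanner of the kind a RAM scraper (or, equally, a memory-forensics or DLP rule hunting for the same data) runs over a process's memory. It sweeps a byte buffer for the ISO/IEC 7813 Track 2 layout, discards hits that fail the Luhn check, and reports PANs masked to the first six and last four digits. The "memory" is a constructed buffer, and the P2PE path is modelled with a stand-in XOR so the example runs offline; a real P2PE reader encrypts the track with a device key before the POS host ever sees it, but the effect on the scanner is the same: the pattern is gone.

```python
"""Track 2 scanner over a constructed POS memory buffer (added example)."""
import re

# Track 2 as it sits in memory: ;PAN=YYMM SVC discretionary?  (ISO/IEC 7813)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([0-9]*)\?")

# Constructed sample tracks (test card numbers, not real accounts).
TRACKS = [
    b";4111111111111111=25121010000000000000?",
    b";5500000000000004=26061010000000000000?",
    b";4111111111111112=25121010000000000000?",  # decoy: fails Luhn
]


def luhn_ok(pan: bytes) -> bool:
    """Mod-10 (Luhn) check digit validation, as used by scrapers to drop noise."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(pan.decode())):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """PCI DSS display rule: show at most the first six and last four digits."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def scan_for_track2(buf: bytes) -> list[dict]:
    """Return every Luhn-valid Track 2 record found in buf, with its offset."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan, exp = m.group(1), m.group(2)
        if not luhn_ok(pan):
            continue  # digits that merely look like a track
        hits.append({"offset": m.start(), "pan_masked": mask_pan(pan),
                     "expiry": exp.decode()})
    return hits


def build_memory(encrypt_at_reader: bool) -> bytes:
    """Constructed stand-in for a POS process heap (not a real memory dump)."""
    key = b"\x5a\xc3\x7e\x91"  # assumed stand-in key, see from_reader()

    def from_reader(track: bytes) -> bytes:
        if not encrypt_at_reader:
            return track  # no P2PE: the host receives cleartext track data
        # Stand-in for P2PE: the reader encrypts before the host sees the data.
        # XOR is NOT real encryption; it only models "host holds ciphertext".
        return bytes(b ^ key[i % len(key)] for i, b in enumerate(track))

    parts = [
        b"\x00" * 32 + b"POSAPP 4.2 txn buffer\x00",
        from_reader(TRACKS[0]),
        b"\x00" * 16 + b"receipt printer ok\x00",
        from_reader(TRACKS[1]),
        b"\x00" * 16,
        from_reader(TRACKS[2]),
        b"\x00" * 32,
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for p2pe in (False, True):
        hits = scan_for_track2(build_memory(encrypt_at_reader=p2pe))
        print(f"P2PE={p2pe}: {len(hits)} card record(s) found", hits)
```

Run without P2PE the scanner recovers both valid cards (and correctly ignores the Luhn-invalid decoy); with encryption at the reader it finds nothing, which is exactly why P2PE removes the POS host from the attacker's reach even if the host is fully compromised.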

The second form of cyberattack of concern to retailers is the carding operation. Carding involves using stolen credit card data to purchase prepaid cards, which are then sold, usually at a discount, on the dark web and used to acquire goods and services illegally from e-commerce sites. According to IntSights' report, this is the fastest-growing retail cybersecurity threat.

Retail Cybersecurity Strategies

The majority of retail organizations continue to struggle with cybersecurity largely because of the extremely thin profit margins across the sector, which make it very difficult to find the budget required to establish a proper defense. Many retailers cannot afford to invest in a dedicated cybersecurity team.

At the same time, retailers have never invested more heavily in digital experiences for online customers, which inevitably means significant spending on IT. Retail organizations are also aware that it is only a matter of time before they are required to address the issue under the breach reporting obligations of the General Data Protection Regulation (GDPR) and PIPEDA.

Ethical hackers suggest that retail organizations focus on six primary control objectives, which mirror the six control objectives of the PCI DSS:

  1. Build and maintain a secure network and systems

  2. Protect cardholder data

  3. Maintain a vulnerability management program

  4. Regularly monitor and test networks

  5. Implement strong access control measures

  6. Maintain an information security policy

Furthermore, retail organizations are advised to migrate their data to secure infrastructure, ensure payment card data is encrypted on POS systems, review and maintain all compliance mandates, keep up with the latest threats, and invest in regular penetration testing.

Retail organizations would be wise to share expertise with one another; however, the extremely competitive nature of the industry leaves many of them reluctant to share information with their peers.

Conclusion

In 2023 and beyond, retail is playing a percentage game when it comes to cybersecurity, hoping that the losses it expects to incur eat less deeply into its bottom line.

With a vast wealth of payment data, personal information, and user credentials, retailers will continue to attract keen attention from sophisticated attackers. Cybersecurity, therefore, must always be a top priority for retailers if they hope to avoid becoming victims of cyber-related crime, prevent inadvertent disclosure, and protect the array of customer data in their possession. 

If you're reading this, you're already in the market for a pentest. Contact our team today for your free, zero-obligation quote or download our Buyer's Guide below to take the next step.

Download our Free Buyer's Guide

Whether you are looking to complete Penetration Testing to manage risk, protect your data, comply with regulatory compliance standards or as a requirement for cyber insurance, selecting the right company is crucial.

Download our buyer’s guide to learn everything you need to know to successfully plan, scope and execute your penetration testing projects.