The number of information security threats that practically every industry has to deal with has reached monumental levels as companies fight to stay in control of their systems. The unending fraudulent schemes of cyber criminals seem only to become more commonplace with every passing day.
However, few industries feel the impact of these threats as much as the retail sector. According to the Global State of Information Security Survey released by PwC in 2017, the retail and consumer sector suffers an average of 4,000 information security threats every year. Additionally, the report revealed that 16% of all the organizations surveyed suffered losses of over $1 million because of incidents related to information security.
These statistics might be disturbing, but they are the numbers business executives need to look at, keeping in mind that their companies could be next. One of the worst retailer attacks in the US led to massive losses, damaged the company’s brand reputation and led to the resignations of senior employees.
Furthermore, the retailer’s name and the breach became interlinked, something every business leader hopes never happens to their enterprise. Retailers around the world are in turmoil because of the increasing number of high-profile breaches in an industry that has yet to figure out how to stay safe while doing business the 21st century way.
Retailers can mitigate the information security challenges they face by recognizing and understanding their most vulnerable points, which are often the cyber criminals’ first point of attack during an attempt to gain access to their systems. They can also partner with cyber-security experts and other knowledgeable and resourceful partners to handle these challenges. Here are some of the information security challenges retailers face today.
Internet of Things
In October 2016, a series of distributed denial of service (DDoS) attacks shook the internet to its core as an array of e-commerce sites and other platforms like Spotify, Twitter, Pinterest, Shopify, and Etsy fell victim to vicious cyberattacks. These attacks targeted the DNS provider those sites depended on, Dyn.
DDoS attacks are launched from large numbers of internet-connected devices that have been infected with malicious code. Together, these devices generate massive amounts of traffic, which overwhelms the targeted sites.
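The mechanics just described can be turned into a basic detection check on a retailer's own web logs. The following Python is an added example, not code from the article or from any company named in it; the log lines, the window size and both thresholds are constructed, assumed values chosen only to show the two signals a defender watches: one source sending far too many requests, and the aggregate rate climbing even when each infected device stays under the per-source limit.

```python
from collections import Counter, defaultdict
from datetime import datetime

WINDOW_SECONDS = 10          # bucket size for rate measurement (assumed policy value)
PER_SOURCE_THRESHOLD = 10    # requests per source per window before flagging (assumed)
AGGREGATE_THRESHOLD = 14     # requests per window across all sources (assumed baseline)

# Constructed sample web-server log lines, not real traffic. Format: "date time ip method path".
# 198.51.100.7 (a TEST-NET address) hammers the site; the 203.0.113.x clients behave normally.
SAMPLE_LOG = [
    "2016-10-21 11:10:00 203.0.113.5 GET /",
    "2016-10-21 11:10:01 203.0.113.9 GET /cart",
    "2016-10-21 11:10:07 203.0.113.5 GET /checkout",
] + [f"2016-10-21 11:10:{i % 10:02d} 198.51.100.7 GET /" for i in range(12)]


def parse_line(line):
    """Split one log line into (timestamp, source ip, request)."""
    date, time, ip, method, path = line.split(" ", 4)
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, ip, f"{method} {path}"


def requests_per_window(lines, window=WINDOW_SECONDS):
    """Count requests per (source ip, window bucket)."""
    counts = Counter()
    for line in lines:
        ts, ip, _ = parse_line(line)
        bucket = int(ts.timestamp()) // window
        counts[(ip, bucket)] += 1
    return counts


def find_flooding_sources(lines, window=WINDOW_SECONDS, threshold=PER_SOURCE_THRESHOLD):
    """Return {ip: peak requests in any single window} for sources over the threshold."""
    peaks = defaultdict(int)
    for (ip, _), n in requests_per_window(lines, window).items():
        peaks[ip] = max(peaks[ip], n)
    return {ip: n for ip, n in peaks.items() if n > threshold}


def busiest_window(lines, window=WINDOW_SECONDS):
    """Return (bucket, total requests) for the busiest window across all sources.
    A distributed flood spreads load over many infected devices, each of which may
    stay under the per-source threshold, so the aggregate rate must be watched too."""
    totals = Counter()
    for (_, bucket), n in requests_per_window(lines, window).items():
        totals[bucket] += n
    bucket, total = totals.most_common(1)[0]
    return bucket, total


def aggregate_flood(lines, window=WINDOW_SECONDS, threshold=AGGREGATE_THRESHOLD):
    """True if any window's total request count exceeds the site's normal baseline."""
    return busiest_window(lines, window)[1] > threshold


if __name__ == "__main__":
    print("per-source offenders:", find_flooding_sources(SAMPLE_LOG))
    print("aggregate flood:", aggregate_flood(SAMPLE_LOG))
```

In practice the baseline for the aggregate check comes from the site's own traffic history rather than a fixed constant, and the per-source check should be paired with upstream filtering, since a flood large enough to matter is usually stopped before it reaches the web server that writes these logs.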
Advances in the Internet of Things have led to the creation of innovative devices like smart shelves, RFID trackers, and perishable goods sensors. Consequently, retailers need to embrace the new norm and accept that these IoT devices will be targeted with DDoS attacks.
Perhaps the greatest challenges faced by retailers using these devices are network integration issues and the slow implementation of security standards by their manufacturers. Because of this, information security experts predict that over half a million IoT devices will be compromised in 2017 alone.
Insurance service providers that serve retailers have also come to terms with the fact that the Internet of Things is going to make things harder for them. Some of these providers have already started to receive claims from retailers who have opted to connect all their business assets to the cloud. One thing is certain at this time: these claims will only increase as more retailers continue down the path of adopting IoT devices.
Information security experts, on the other hand, recommend that retailers develop an overall infrastructure policy on IoT devices. This policy should help them address potential security issues for every new device they adopt. Retailers should also work in close collaboration with IoT manufacturers to ensure that the devices they manufacture have robust security features to which cyber criminals cannot easily gain access.
These security features should also last for the entire lifecycle of the device. DDoS attacks are very vicious, and there is still relatively little that retailers can do to stay 100% safe from them. Therefore, the way to deal with them is to be proactive and stay prepared to act as soon as news of a possible attack is received.
Increase in Ransomware attacks
The first computer virus entered the digital world more than three decades ago. Since then, malware attacks have continued to become more sophisticated and unforgivingly brutal. Ransomware is a type of malware that prevents users from accessing their documents by locking down their files until they pay a ransom.
Recently, a more advanced crypto-ransomware targeting enterprises has emerged. This attack encrypts files and makes them unreadable without a decryption key. Data from the FBI now shows that costs from ransomware and recovery grew to over $210 million in the first quarter of 2016.
According to network security solutions firm SonicWall, ransomware attacks grew from 3.8 million in 2015 to a shocking 638 million in 2016. The firm cited the emergence of ransomware as a service, the low cost of implementing ransomware attacks, the ease of distribution and the low risk of capture or punishment as the main reasons that fueled this growth.
A retailer that tries to defy the ransom demand almost always loses, unless it has put in place disaster and data recovery protocols that work. Otherwise, it is forced to pay the demanded ransom because it lacks proper backups of its business systems. Therefore, as a first step towards protecting their networks and systems, retailers must embrace regular backups of their systems. Updating the software in use at the company can no longer be optional; it should happen as soon as the software maker releases an update.
Today, a number of retailers still face the challenge of implementing EMV-compliant point-of-sale terminals, which can accept chip-embedded payment cards. However, some retailers have not yet grasped the difference between EMV’s capabilities and PCI compliance requirements. EMV technology brings improved anti-fraud capabilities at the physical point of sale, but it does not reduce the scope of PCI compliance.
In April 2015, PCI DSS version 3.1 was released to help retailers remain compliant. Nevertheless, for this to succeed, retailers must also address the challenges and risks posed by SSL. Accordingly, retailers have the following options for addressing the challenges SSL brings:
- Move to an upgraded, secure version of TLS that is implemented securely and configured so that it does not allow fallback to earlier versions of TLS or to SSL.
- Encrypt their data before sending it over SSL or an earlier version of TLS.
- Set up a strongly encrypted session within a secure channel before sending data over SSL.
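The first option is a configuration matter, and a short check can confirm that a server really will not fall back. The following Python is an added example, not code from the article or from the PCI Security Standards Council; it uses only the standard library's ssl module, and the minimum-version policy, the compliant version strings and the helper names are this example's assumptions, modelled on PCI DSS 3.1's treatment of SSL and early TLS as insecure.

```python
import ssl

# Version strings as reported by ssl.SSLSocket.version() for a live session (assumed policy:
# only TLS 1.2 and 1.3 are acceptable; SSL 3.0, TLS 1.0 and TLS 1.1 are the "early" versions).
COMPLIANT_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def make_strict_server_context() -> ssl.SSLContext:
    """Server context that refuses to negotiate anything below TLS 1.2, so a client that only
    offers SSL 3.0 or TLS 1.0/1.1 cannot push the session down to those versions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_legacy_server_context():
    """The weak setting beside the corrected one: a context still willing to fall back to
    TLS 1.0. Returns None on OpenSSL builds that refuse to enable TLS 1.0 at all (then there
    is nothing left to fix on that host)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        return None
    return ctx


def allows_fallback(ctx: ssl.SSLContext) -> bool:
    """True if the context can still negotiate SSL 3.0, TLS 1.0 or TLS 1.1.
    TLSVersion is an IntEnum, and MINIMUM_SUPPORTED (-2) sorts below TLSv1_2, so a context
    whose floor was never set counts as permissive."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def is_compliant_version(negotiated: str) -> bool:
    """Check the version string of an already established connection against the policy."""
    return negotiated in COMPLIANT_VERSIONS


if __name__ == "__main__":
    strict = make_strict_server_context()
    print("strict context allows fallback:", allows_fallback(strict))
    legacy = make_legacy_server_context()
    if legacy is not None:
        print("legacy context allows fallback:", allows_fallback(legacy))
    for v in ("SSLv3", "TLSv1", "TLSv1.2"):
        print(v, "compliant:", is_compliant_version(v))
```

A deployment check would apply `allows_fallback` to the context an application actually hands to its listener, and `is_compliant_version` to `sock.version()` on connections observed in production; together they cover both halves of the first option above, the configured floor and what was really negotiated.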
Overconfidence in perception
A recent survey on retail cyber-security released by Tripwire revealed that 90% of all the retailers interviewed believed they could detect any critical data breach within 48 hours. Only 55% of the staff in retail companies with revenue of more than $100 million said that they checked compliance with security standards, procedures, and regulations at least once every week. In addition, 59% of these respondents said that the tools they used for intrusion detection were not fully implemented.
Management teams in the retail business tend to rate themselves impressively highly when asked about their security preparedness and disaster recovery protocols, yet the truth about the controls they have actually implemented is more subdued. This is not uncommon in the retail sector. For this reason, it is very important that retailers evaluate the actual effectiveness of the security programs they have put in place, lest an attack find them flat-footed because they spent their resources on a PR campaign that had little basis in fact.
As is common in other industries, employees in the retail sector may not be fully aware of what is expected of them when it comes to information security. Research has revealed that as many as 25% of employees tend to click most of the links sent to them via email or social networks, including suspicious links that they would never click on if they were just a little more cautious.
Most of them are not aware that once they do, they may be unable to control what comes next, which could include divulging sensitive company information to unauthorized parties. Consequently, retailers must develop programs to educate their employees, especially in this era, when human-focused attacks like phishing and social engineering are at their highest levels in the history of worldwide interconnectivity.