Calling All Retailers: Understanding Cyber Threats and How to Combat Them
Now more than ever, cybersecurity is a crucial form of protection for businesses across industries working to combat a variety of threats. It's easy for organizations and individuals to grow complacent about security, but implementing measures to protect the data of customers, partners and your own business is a key step in mitigating cyber risks, particularly for those within the retail space. In fact, Verizon’s 2018 Data Breach Investigations Report (DBIR) found that among incidents in which retailers had data compromised from their websites, 73 percent of the information was payment data.
With the rise of e-commerce and the proliferation of technology in stores, the challenge to reduce risks is greater as these innovations continue to open the door to vast amounts of data and information. Amid increasing pressure and competition in the industry, both online and offline, it’s important for retail organizations to recognize the patterns associated with cyber breaches and understand how they can mitigate the risks associated with attacks.
The Patterns and Consequences of Cyber Attacks in Retail
Retailers are trusted with extensive amounts of payment card data from customers, making them key targets for financially motivated cyber attacks. In fact, Verizon data revealed that retailers with online presences are consistent targets of Denial of Service (DoS) attacks, which occur when attackers attempt to prevent legitimate users from accessing the service during payment. While the confidentiality of data isn't typically compromised in DoS attacks, there is the potential for downtime, and performance degradation can have a serious impact on the bottom line. Additionally, payment card skimmers continue to be a long-standing problem for brick-and-mortar retailers.
Among incidents analyzed in the Verizon DBIR, 93 percent of attacks were carried out by external threat actors. In addition, these attacks were financially motivated 96 percent of the time. The DBIR also found that beyond DoS attacks, online retailers are particularly vulnerable to web application attacks. Among these confirmed web app breaches, threat actors often use stolen credentials as their hacking technique of choice. Attackers compromise devices and modify the code of payment applications so that it captures card data, turning payment apps into criminal-controlled data harvesters.
Steps Retailers Must Take to Stay Secure
Often, retailers are operating on tight margins, limiting the budget for operating costs such as IT maintenance. Though this may ultimately boost store revenue, it can often minimize the focus on security measures and lead to lax data management, which in turn can be quite costly in the event of a breach. Retailers with an online presence must prioritize implementing mitigation plans and take the necessary steps to combat threats, especially with the rise of digitalization and mobile.
Combat Attacks and Avoid Vulnerabilities
- Retain DDoS (distributed denial of service) mitigation services proportionate to your tolerance for availability loss, and verify that all bases are covered from a scoping standpoint.
- Find out from ISP(s) what defenses are already built in, as there may be pre-existing relief in place that can be leveraged for cyber defenses.
- Avoid tunnel vision and understand that availability issues can occur without a DDoS attack.
- Identify and patch server vulnerabilities with availability impacts, perform capacity planning testing to handle spikes in traffic, build in redundancy, and conduct failover testing.
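The list above asks retailers to prepare for traffic floods while also remembering that availability can degrade for reasons that have nothing to do with DDoS. The script below is an added example written for this page, not code from the original article or from Verizon. It parses web-server access-log lines in the common "combined" format (an assumption about the log source), aggregates them per minute, and separates two situations a defender would handle differently: a request spike spread across many source addresses, which is the case to raise with a DDoS mitigation provider, and a normal traffic level with a rising 5xx error rate, which points at server capacity or a server fault instead. The log lines, the baseline rate and the thresholds are constructed for illustration and would be tuned to a real site's traffic.

```python
"""Triage per-minute availability symptoms from web access-log lines.

Added example for the article's availability checklist; not Verizon code.
Assumes Apache/Nginx "combined" log lines. All sample data is constructed.
"""
import re
from collections import defaultdict

# One combined-format line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

FLOOD = "possible flood: engage DDoS mitigation / ISP defences"
DEGRADED = "errors without a traffic spike: check servers and capacity"
NORMAL = "normal"


def parse_line(line):
    """Return ip, minute bucket and status for a log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = m.group("ts")  # e.g. "12/Mar/2019:10:01:07 +0000"
    return {"ip": m.group("ip"), "minute": ts[:17], "status": int(m.group("status"))}


def summarize(lines):
    """Aggregate request count, distinct sources and 5xx count per minute."""
    per_min = defaultdict(lambda: {"requests": 0, "sources": set(), "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the whole run
        bucket = per_min[rec["minute"]]
        bucket["requests"] += 1
        bucket["sources"].add(rec["ip"])
        if rec["status"] >= 500:
            bucket["errors"] += 1
    return per_min


def classify(bucket, baseline_rpm, flood_factor=10, error_threshold=0.25):
    """Label one minute. Thresholds are illustrative assumptions, not standards."""
    rpm = bucket["requests"]
    err_rate = bucket["errors"] / rpm if rpm else 0.0
    if rpm >= baseline_rpm * flood_factor and len(bucket["sources"]) > 1:
        return FLOOD
    if err_rate >= error_threshold:
        return DEGRADED
    return NORMAL


def triage(lines, baseline_rpm=5):
    """Map each minute seen in the log to a triage label."""
    per_min = summarize(lines)
    return {minute: classify(b, baseline_rpm) for minute, b in sorted(per_min.items())}


def _line(ip, ts, status):
    return f'{ip} - - [{ts} +0000] "GET /checkout HTTP/1.1" {status} 512'


def build_sample_log():
    """Constructed sample: three minutes of traffic to a checkout endpoint."""
    lines = []
    # 10:00 - baseline: five customers, all requests succeed.
    for i in range(5):
        lines.append(_line(f"203.0.113.{i + 1}", f"12/Mar/2019:10:00:{i:02d}", 200))
    # 10:01 - flood: 200 requests from 100 sources; the server starts failing.
    for i in range(200):
        status = 200 if i < 100 else 503
        lines.append(_line(f"198.51.100.{i % 100}", f"12/Mar/2019:10:01:{i % 60:02d}", status))
    # 10:02 - traffic is back to normal but the backend keeps returning 503s.
    for i in range(6):
        status = 503 if i < 4 else 200
        lines.append(_line(f"203.0.113.{i + 10}", f"12/Mar/2019:10:02:{i:02d}", status))
    return lines


if __name__ == "__main__":
    for minute, label in triage(build_sample_log()).items():
        print(minute, "->", label)
```

The point of the second branch is the article's "avoid tunnel vision" advice: a minute with ordinary request volume but most responses failing is a capacity or fault problem, and calling the DDoS provider will not fix it. Real deployments would read the log as a stream, derive `baseline_rpm` from historical traffic, and feed the labels into alerting rather than printing them.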
Implement Loss Prevention Controls
- Employ cameras and layout designs that are integrated and extended to any card processing devices.
- Force adversaries to shift tactics by implementing technologies that make fraud harder to carry out, such as Chip and PIN and contactless-enabled point-of-sale (POS) terminals.
Reports indicate that retailers large and small have witnessed improvements in restricting access to retail payment card information environments from the internet, simultaneously strengthening the authentication process for those permitted. Moving forward, retailers must continue to recognize cybersecurity as a crucial component of their overall protection plans in an effort to combat the threats they face.
As digital transformation and technological innovation continue to shape cybersecurity policy and retail organizations more broadly, retailers must look to protect e-commerce applications, as they represent a critical asset. Defenses against availability, integrity and confidentiality losses must be implemented, tested and refined.
Michele Dupré is group vice president at Verizon Enterprise Solutions.