Retail has always been and remains on the front line of any free market economy. Without retail, there would be no consumption, and without consumption no commerce. However, in today’s digitally driven world, retail stores are finding themselves on a new front line facing cybercriminals who are actively targeting their systems and data.
According to the 2018 SecurityScorecard, the retail industry is the second most at risk sector in the economy when it comes to application security. Furthermore, the report found that out of a total of 18 industry sectors, retail ranks the lowest for coordinated social engineering attacks. Regrettably, this is not a new trend. The 2017 Trustwave Global Security Report found that the retail sector suffered the highest number of breach incidents. Trustwave also concluded that social engineering was the top method cybercriminals use to compromise retail environments.
It is easy to see why cybercriminals target retailers. With the majority of credit card transactions taking place at a retail store, the card data represents the modern day equivalent of buried treasure. However, there are a few other factors which make retailers prime targets for hackers.
Retailers operating in today’s digital economy need to adopt a multi-channel approach to remain competitive. Not only do they need to maintain their physical presence, but they also need to provide online channels for their digital customers. This multi-channel strategy helps retailers heighten the customer experience but also makes securing data a challenge. With customer data spread across a broad technology landscape, adequate security monitoring can be challenging.
Point-of-sale (POS) terminals not only capture card data but have been known to contain significant vulnerabilities which make them a prime target for hackers. However, the poor installation or misconfiguration of a POS device can also result in a compromise. If retailers do not take rudimentary security precautions such as segmenting their networks, running on the latest operating system version, and changing the manufacturer’s default passwords, they increase the potential threat vectors an attacker could use to compromise their systems.
Retailers often deploy new technologies to introduce efficiencies into their business or grow their revenue base. However, these innovations are often additional avenues cyber intruders use to infiltrate retail technology environments. Quick Response (QR) codes, Tap-to-Pay solutions, beacon trackers, mobile management devices, and the Internet of Things (IoT) all create efficiencies in retail environments, but also provide hackers with multiple vectors into a network.
In larger retail environments, managing thousands of devices across hundreds of locations is a challenge. If even one unpatched device is on a network, it opens a gateway for an intruder. Further compounding the problem is technology which has reached its end of life and is no longer supported by its vendor. These older devices and applications do not receive security updates and as a result, pose a risk if they remain in use.
Customers visiting stores is the fundamental principle which underlies the retail operating model. However, gaining physical access to a target is a prime objective for any hacker. Unlike the financial services or manufacturing industries where customer movement is restricted, retail environments provide full access to the public. As such, this is a virtual playground for malicious attackers who can roam freely and execute attacks such as gaining physical access to devices, scanning Wi-Fi networks, and manipulating QR Codes and beacon trackers.
As phishing is the primary attack vector hackers use to compromise retailers, security awareness training should be a top priority for any retail business. Initiatives such as these not only help employees understand the value of protecting the organization’s data and systems, it also provides them with the crucial cybersecurity skills they need to protect themselves online.
Retailers should also regularly conduct security risk assessments to uncover any vulnerabilities in their systems and networks. These assessments should also include physical security and social engineering testing which align with the current threat environment and retail operating model.
Retail organizations must also implement and follow cybersecurity best practices. These include:
Implementing initiatives such as securing and segmenting their network.
Ensuring their POS terminals, IoT, and any other devices run the latest operating system version and have no default passwords.
Investing in a security monitoring solution to actively monitor the environment for any security-related threats or alerts.
Complying with the PCI DSS standard for payment card security. 24By7Security is a certified PCI Qualified Security Assessor (QSA) company, authorized to assess businesses against the PCI DSS standard so that they can maintain high levels of ongoing security of sensitive data.