Cybersecurity in the Retail Sector

Third-party dependencies: Retail stores often rely on third-party products and services for web hosting, payment processing, advertising campaigns, customer support, or inventory management. While these partnerships offer efficiency and cost savings, they also introduce potential security risks. A vulnerability in a third-party system can provide an entry point for threat actors to infiltrate a retailer's network.

Omnichannel operations: Today's retail environment is a complex ecosystem, encompassing physical stores, e-commerce websites, mobile applications, and other digital touchpoints. This creates a complex attack surface, requiring robust security measures across all channels. A single vulnerability in one area (e.g., staff endpoint devices that may not meet enough security requirements) can have cascading consequences, compromising the entire network.

Franchise challenges: While operating to some extent independently, franchisees remain part of a more prominent brand or franchisor. These often smaller businesses may have limited resources to invest in robust cybersecurity measures, making them more susceptible to vulnerabilities that attackers could exploit. Having a franchisee compromised can have negative repercussions on the franchisor's reputation.

Seasonal peaks and staffing challenges: Peak shopping seasons, such as holidays, often put retailers under immense pressure and require them to hire temporary staff who may not be adequately trained in cybersecurity best practices or sufficiently trustworthy. This can lead to inadvertent errors (e.g., mishandling consumer data or falling prey to phishing scams), system misconfigurations (e.g., improperly configuring POS —point-of-sale— system security settings), or even insider threats.

The rise of gift cards: Gift cards have become increasingly popular because while they provide retailers with a valuable source of upfront revenue, boost brand awareness, and often lead to increased consumer spending beyond the card's initial value, they unfortunately also offer anonymity to cybercriminals. Attackers can compromise credit cards or other payment methods, employ them to purchase high-value gift cards, and then use or sell those cards to remain undetected.

In 2020, it was reported that 24% of all cyberattacks globally (study actually limited to a few countries) were aimed at retailers, surpassing even the finance and insurance industry. Half of the incidents for all sectors were attributed to social engineering techniques.

More recent data (2023) shows that retail and hospitality rank fourth with 8.6% among the most targeted industries, with financial (17.3%), business and professional services, and high-tech sectors occupying the top three. In this research, exploits were the leading initial infection vector (38%), followed by phishing attacks (17%).

IBM's findings suggest a shift in attacker tactics, with a growing emphasis on acquiring valid credentials for logging in rather than exploiting vulnerabilities or conducting phishing campaigns (identification and authentication failures are becoming increasingly common).

According to the same study, last year, the retail-wholesale sector ranked fifth (10.7%) among the most attacked sectors globally, with manufacturing (25.7%) and finance and insurance (18.2%) at the top. In the industry concerned, 50% of the incidents involved malware, mainly ransomware. The use of valid accounts was the most common of the initial attack vectors, with 43%, followed by phishing and the exploitation of public-facing apps, each with around 29%.

For its part, Check Point, in this year's worldwide data, reports retail/wholesale as the third most attacked industry with ransomware, manufacturing being the first and healthcare the second. However, in overall attacks, it ranks ninth.

The average data breach cost in the retail sector is estimated at $2.9 million, lower than the overall industry average of $4.4 million. However, the reputational damage from a breach can be very significant, something that may magnify those costs in the near and extended future.

Vulnerability exploitation: Taking advantage of security vulnerabilities in software, including those in third-party applications or components and IoT devices, remains a common attack vector. Many retailers (perhaps 50%) are not adequately securing their IoT devices, such as POS systems and smart shelves, leaving them vulnerable to compromise. In software development, supply chain issues arise, where packages, libraries, and dependencies, often going unnoticed, constitute weaknesses and can serve as entry points for attackers. Cloud misconfigurations can also lead to data breaches and service disruptions. DDoS (distributed denial of service), SQL injection, and MitM (man-in-the-middle) attacks are among the most frequently mentioned as vulnerability exploitation in the retail industry.

Phishing attacks: This social engineering method continues to be a major threat, employing increasingly sophisticated techniques to deceive employees and customers. With the help of generative AI, phishing emails and messages can now be crafted to be incredibly convincing, making it harder to unmask them based on traditional red flags like poor grammar or miscommunication. These attacks aim to steal sensitive information or install malware, leading to further attacks and significant damage.

Ransomware: Ransomware attacks, which usually have phishing as the initial infection vector, can cripple retail operations such as online product offerings or payment transactions by encrypting critical systems and data. Attackers demand a ransom in exchange for the decryption key, often putting immense pressure on retail stores to pay up to restore their operations.

Deepfakes: Deepfake technology is becoming more sophisticated, allowing threat actors to create highly realistic fake videos or audio recordings. This poses a significant threat to retailers, as attackers can use deepfakes to impersonate customers or employees, potentially gaining access to sensitive information or facilitating fraudulent transactions.

Credential stuffing: This is a type of brute-force attack in which cybercriminals rely on automated bots to use stolen credentials seeking to gain unauthorized access to user accounts. The fact that many individuals reuse passwords across multiple platforms or applications makes it easier for attackers to compromise accounts with credential stuffing and, consequently, steal customer data, conduct fraudulent purchases, or launch further attacks.

Digital skimming: Digital skimming involves the use of malicious code injected into e-commerce websites to steal credit card information during online transactions. This threat is particularly concerning for online retailers, as it can compromise large amounts of payment data.

Insider threats: Employees or third-party contractors with access to sensitive information can pose a significant threat. Insider threats can involve intentional malicious activity or unintentional errors leading to data breaches or security incidents.

Continuous hacking: If you are a retailer focused on e-commerce, you should constantly evaluate the security of your applications and other systems. Static and dynamic analysis tools are very useful for detecting known vulnerabilities. However, these tests should be complemented with manual pentesting by security experts to keep false positives and false negatives to a minimum. Then, you could remediate vulnerabilities in order of priority, depending on the risk they pose to your company.

Compliance with industry standards: Retailers that accept credit or debit card payments must comply with the PCI DSS (Payment Card Industry Data Security Standard), which governs the storage, processing, and transmission of payment card data. Additionally, retailers processing data of EU natives or residents must adhere to the GDPR (General Data Protection Regulation), and those handling data of California residents must comply with the CCPA (California Consumer Privacy Act). Compliance with these standards helps you prevent data breaches, avoid fines, and maintain customer trust —other relevant standards to consider are HIPAA, NIST, and ISO 27001.

Implement essential security measures: Deploy firewalls to act as barriers between the internet and your network, and use antivirus software for regular system scans to detect and remove malicious files. Encrypt sensitive data, both in transit and at rest, to protect it from unauthorized access. Regularly back up your website, POS systems, and other critical applications to ensure business continuity in case of a cyber attack or system failure.

Network segmentation: Segment your network to prevent a security breach in one area from compromising the entire system. This means dividing your network into smaller, isolated sections, almost like creating separate rooms within your house. If a burglar breaks into one room, they can't immediately access the entire house. This limits the impact of attacks and helps contain the damage.

Endpoint security: Restrict access to sensitive data on endpoints like POS terminals and employee computers. Implement multi-factor authentication, including biometrics or one-time codes, to prevent attackers from gaining unauthorized access. Adhere to the principle of least privilege, granting employees only the access they need to perform their job duties.

Third-party risk management: Thoroughly vet third-party vendors and ensure they comply with relevant security standards. Regularly assess their security practices and update or patch systems as needed. Maintain an inventory of all third-party systems and their associated risks. This should cover both hardware and SaaS (software as a service), as well as components and dependencies for the development of your own products.

Cyber security awareness training: Implement comprehensive cybersecurity awareness programs for all employees, including temporary staff. Training should cover topics like phishing awareness, password security, social engineering, and safe browsing habits. Tailor training to specific roles and responsibilities, providing specialized instruction for employees who handle sensitive data or operate critical systems. For example, cashiers may require specific training on the secure use of POS systems, while developers need to be aware of secure coding practices and supply chain security risks.