
Good for Business: Cybersecurity for the Retail Industry

Tue, 21 May 2019

The hot currency for cyber-criminals and hackers is credit card data, and retailers possess a great deal of it. This means that the retail industry is often targeted by cyber attacks attempting to obtain consumers’ financial information. With more retailers developing their online presence, shifting steadily to electronic payment options, and harnessing data-driven technologies, the retail industry’s attack surface is spreading. With industry giants like Macy’s, Best Buy and Tim Hortons[i] in the news for point-of-sale (POS) attacks, the retail industry needs to ensure its cyber offence and defence are at the top of their game.

Cyber Attacks are Bad for Business

According to a study by KPMG, 19 percent of consumers would stop shopping at a retailer after a data breach, and 33 percent would take a break from shopping at that store for an extended period.[ii] Many retail breaches are caused by either insider threats or flaws in POS systems that are then taken advantage of by threat actors.

Insider Threats

With a high rate of employee turnover and dependence on short-term seasonal staff, insider threats in the retail industry are on the rise.

Be sure to carefully plan and monitor employees' and third-party contractors' system access. Ensure that their access is limited and tied only to their job functions. Access to individual data fields must also be carefully planned because of potential data aggregation: piecing together seemingly unimportant data from multiple sources to create sensitive data.

The World of POS Malware

The recent Verizon Data Breach Investigations Report shows that POS terminals were the second most-attacked network asset behind database servers.[iii] The report also showed financial gains motivated 97 percent of threat actors targeting the retail industry.[iv]

One of the newest threats is the POS malware DMSniff, which has been lurking in the cyber-wilderness since 2016 but was only recently recognized. DMSniff is hard-to-detect malware that targets small to medium-sized companies that rely on card-present transactions (retail, restaurants). One of DMSniff’s features is that it uses a Domain Generation Algorithm (DGA) to create command and control domains on the fly, which makes it resistant to blocking and takedowns.

The goal for hackers deploying DMSniff is to siphon off credit card numbers and other payment information. It appears that DMSniff gains an initial foothold on devices either by scanning for and then exploiting vulnerabilities, or through brute-force attacks on SSH connections.[v]
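Because generated domains defeat blocklists, a POS network is better served by the opposite approach: a terminal needs only a handful of destinations, so lookups outside that set, especially ones that mostly fail to resolve, stand out. The sketch below is an added example, not code from this article or from any vendor; the log format, the allowlisted names, the thresholds and the sample log lines are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumption: the only destinations a POS terminal legitimately needs (hypothetical names).
ALLOWED_SUFFIXES = ("example-processor.test", "example-pos-vendor.test")

# Constructed resolver log: "<time> <client_ip> <queried name> <response code>".
SAMPLE_LOG = """\
09:00:01 10.20.0.11 payments.example-processor.test NOERROR
09:00:04 10.20.0.11 updates.example-pos-vendor.test NOERROR
09:00:07 10.20.0.11 printer-helpdesk.test NXDOMAIN
09:00:09 10.20.0.12 payments.example-processor.test NOERROR
09:00:10 10.20.0.12 qxkzjvhwpt.test NXDOMAIN
09:00:11 10.20.0.12 mbdrfyqlzc.test NXDOMAIN
09:00:12 10.20.0.12 hvtnwkgsxa.test NXDOMAIN
09:00:13 10.20.0.12 zplcjdrmqe.test NXDOMAIN
09:00:14 10.20.0.12 wfgkyxtbnu.test NOERROR
"""

def is_allowed(name):
    """True only for an allowlisted domain or one of its subdomains."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in ALLOWED_SUFFIXES)

def summarize(log_text):
    """Per client: distinct off-allowlist names queried, and those that failed."""
    stats = defaultdict(lambda: {"unknown": set(), "nxdomain": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, client, name, rcode = parts
        if is_allowed(name):
            continue
        stats[client]["unknown"].add(name.lower())
        if rcode == "NXDOMAIN":
            stats[client]["nxdomain"].add(name.lower())
    return stats

def flag_terminals(log_text, min_unknown=4, min_fail_ratio=0.5):
    """Flag clients with many distinct off-allowlist lookups that mostly fail."""
    flagged = {}
    for client, s in summarize(log_text).items():
        unknown, failed = len(s["unknown"]), len(s["nxdomain"])
        if unknown >= min_unknown and failed / unknown >= min_fail_ratio:
            flagged[client] = (unknown, failed)
    return flagged

if __name__ == "__main__":
    for client, (unknown, failed) in flag_terminals(SAMPLE_LOG).items():
        print(f"{client}: {unknown} off-allowlist names, {failed} NXDOMAIN")
```

This is a generic heuristic for DGA-style lookup patterns rather than a DMSniff signature, and the thresholds need tuning against a terminal's normal DNS traffic.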


Cybersecurity is Good for Business

Cybersecurity is a new competitive advantage in the retail industry, yet very few retailers are leveraging this opportunity. A 2018 study of 6,120 consumers in nine countries reported: “The traditional perspective that cybersecurity and data protection is an overhead cost needs to change.” In fact, the report goes on to state, “it is an effective means to gain competitive advantage for retailers since it plays an important role in consumers’ minds when they choose their retailers. Cybersecurity and data protection also drive satisfaction and win consumers’ trust. As a result, it can make a positive impact on top-line revenue for retailers.”[vi]

The study showed that 77 percent of respondents saw cybersecurity as the third most important factor when selecting retailers, “even outranking attributes such as discounts and brand reputation.”[vii] The same survey showed that the number of satisfied retail customers more than doubled when they knew their primary retailer had implemented sound cybersecurity measures and that their privacy was protected.

Also, almost 40 percent of customers would be willing to spend 20 percent or more online if the retailer built up consumer trust by giving them cybersecurity assurances. Revenue uplift could be as significant as 5.4 percent annually, with enhanced data protection and cybersecurity.[viii]

According to the survey, the top five cybersecurity capabilities that are linked to consumer satisfaction are:

  • encryption of stored data
  • a clear and transparent data privacy policy
  • use of advanced anti-malware tools for online shopping
  • control on what customer data the retailer can store and for how long
  • advanced encryption on web sites and apps[ix]

"Today's consumers are confident online shoppers and savvy about their consumer rights. They value cybersecurity highly, and they want to shop with retailers they can trust," stated Geert van der Linden, Cybersecurity Business Lead, Capgemini. “It’s the right time for retailers to consider cybersecurity as a business priority at executive leadership level.”[x]

Making Retail Cyber-Resilient

It is important to understand that any device that connects to the Internet can be hacked: if it’s connected, it’s vulnerable, even if it’s as seemingly innocent as a seasonal employee's smartphone. Any organization, across any sector, is susceptible to a cyber attack. For a skilled cybercriminal, all it takes to jeopardize an entire system or access POS technology is access to a single device or individual. The challenge for retailers is to ensure that the store and POS are protected without making the online purchasing experience so difficult that carts are abandoned. Here are some tips to increase your retail company’s cyber resilience.

  • Train your team members – all of them, even the seasonal staff and part-timers. This helps to avoid ransomware attacks and phishing schemes.
  • Increase your IT funding. A little more investment can go a long way in cybersecurity for your company.
  • Streamline your cybersecurity solutions to help your company minimize vulnerabilities.
  • Team up with a retail cybersecurity software provider.

Protecting retail stores, and the customers who shop there, is of vital importance, with cyber attacks increasingly targeting POS systems for their financial data. Both online and brick-and-mortar retailers, of every size, need to respond with network fortification measures and retail-specific incident response plans. Talk to the cybersecurity solutions specialists at ISA, who have over 27 years of demonstrated industry excellence, about how to protect your company from a cyber attack.

