Cyber Security Risk
Hackers and their tactics are continually evolving, but one thing remains the same: retailers are prime targets for a cyber-attack. This is such a widespread issue that in nearly every cyber-security report of the past few years, retail is the industry topping the list of attacked organisations. Given this, along with the sheer volume of cyber-attacks that occur daily, it is vital that retailers step up their security maturity. Understanding the risks involved, along with the steps that can be taken to mitigate them, will help retailers both large and small.
The Cloud Conundrum
Cloud adoption is a double-edged sword regardless of industry: on one hand a potential step forward and an opportunity for transformation, on the other a source of mistakes, security-impacting errors and software bugs that give malicious actors an opportunity to profit. Retailers must recognise that e-commerce is already a main target for cyber-attacks because of the rich pickings of consumers' personally identifiable information (PII), intrinsically linked to the payment data required to complete transactions. At the very least, personal information gets stored for future use and targeted marketing.
When a retailer is hacked, potentially millions of individuals fall victim to the hacker, having their information stored and sold on the dark web, ready to be merged with other data sets to build up useful profiles of the general public for identity theft and phishing campaigns.
It doesn't matter how large or small the company: cyber-attacks have become so sophisticated and so automated that no business is immune. Retail, hospitality and accommodation often top the list of most targeted industries, but targeted attacks are dropping, and 'spray and pray' attack automation means that vulnerabilities will be found and exploited regardless of company profile.
The E-Commerce Race to Easing Purchase Barriers Brings Its Own Challenge
Retailers running e-commerce platforms should be aware that they are more likely to suffer from older IT security features, because their systems naturally change incrementally to protect revenue. This means they have an increased need to maintain those systems with robust security processes. Even newer systems may not be fully resistant to application attack techniques, so they require monitoring and review. Developing and running e-commerce applications is pure economics; the security of the application is often a low priority compared to delivering a positive customer experience. This lack of attention to security measures, coupled with increased investment by attackers, means that application attacks are likely to remain a significant risk for the retail industry now and in the future.
Revenue directly shapes retailers' perception of cyber-attacks; crypto-mining malware on servers can be perceived as "costing" less than the effort to remove it. Taking longer to release new features because of security testing may be perceived as a threat to the bottom line, but ultimately this is short-term thinking that risks longer-term damage.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle credit cards. PCI compliance demonstrates that retailers have control over the payment card information they process and that they take steps to prevent data theft and fraud. It is required by law, which means any retailer that isn't currently in line with PCI needs to take immediate steps to do so. The penalties for non-compliance are as high as $100,000 every month or $500,000 per security incident.