Shopping for Security: Cybersecurity in Retail

As summer turns to fall, the air begins to cool, leaves are falling from the trees, and hackers are preparing for what has the potential to be their most lucrative time of the year — holiday shopping season.

Last year, retail sales during November and December increased 5.5 percent over the same period in 2016 to $691.9 billion. That’s right, $691.9 billion. And while the holiday shopping season is often a significant moneymaker for retailers, it also presents a tremendous opportunity for cybercriminals to wreak havoc.

Unfortunately, the statistics invariably illustrate the industry’s need to enhance its focus on cybersecurity efforts. According to the Cisco 2017 Annual Cybersecurity Report, nearly one in three retailers have suffered revenue losses as a result of a cyberattack, and a Zynstra report revealed that 16 percent of retailers said they experienced an attack or attempted attack every day.

Compounding retail’s trouble with security, just 52 percent of retail organizations consider their security infrastructure to be up to date with the best technology tools, and only 61 percent of retailers strongly agree that they are able to maintain full compliance with payment card industry (PCI) security standards. As a result, an increasing number of retail companies are enhancing their focus on cybersecurity and compliance.

Retail = Appealing Target

Not only are retailers a treasure chest of personal data but their high-profile nature and often outdated and complex operating systems also make them an attractive target for hackers.

In today’s world of big data, retailers accumulate a massive amount of personal information about their customers, ultimately increasing the risks involved in retail data breaches as retailers tend to hold an unmatched breadth and depth of identifiable customer data that can be used in identity theft. Whether collected by way of online shopping, loyalty programs or digital marketing initiatives, the data even small retail companies store has become an enticing target for cybercriminals seeking to do damage.

Making matters worse, recent analysis exhibits that cybersecurity is a high priority for just 39 percent of directors or senior managers in the retail and wholesale sector, and the regulatory burden and financial risks involved in a data breach will only increase substantially with the deadline for compliance with the General Data Protection Regulation (GDPR) having already passed.

In addition to fines for failed compliance, according to IBM’s 2018 Cost of a Data Breach Study, each individual breached record costs the retail industry $116. And because retail systems often contain the personally identifiable information of hundreds of thousands of customers, a retail breach can become very expensive very quickly.

One of the most high-profile breaches in recent memory, the 2013 breach of U.S. retail giant Target saw more than 41 million of the company's customer payment card accounts affected and resulted in significant reputational and financial damages as the company was forced to dole out $18.5 million in a settlement, the largest ever for a data breach.

Making matters worse, research shows the Target breach was rather preventable. Vendors were subject to phishing attacks, systems lacked network segregation, Target’s detection strategies failed and outdated point-of-sale (POS) systems were vulnerable to memory scraping malware. Unfortunately, countless retailers around the country are in the same predicament today that Target found themselves in prior to being breached.

Ever-Evolving Threat Landscape

Because retail is such an appealing target, it faces numerous cybersecurity threats. From demanding payments to end denial-of-service attacks that disrupt retail sites to pilfering compromised consumer accounts to commit return and refund fraud, hackers and bad actors have the tools and techniques to exploit retail system vulnerabilities.

As the internet of things (IoT) continues to expand, the retail industry is set to witness an increase in distributed denial-of-service (DDoS) attacks. The industry is utilizing IoT innovations like smart shelves, perishable goods sensors and merchandise trackers to gain valuable insight into their products and their availability, but the manufacturers of these devices are often slow to implement security standards, and there is very little retailers can do to defend against DDoS attacks except prepare early on before a breach occurs.

Despite the adoption of EMV chip-enabled point-of-sale systems and widespread implementation of the Payment Card Industry Data Security Standard (PCI DDS) checklist, POS systems can offer cybercriminals and easy entry point as countless companies fail to maintain and ensure their software and POS systems are up to date. POS breaches are one of the top threats to retail cybersecurity as evidenced by this year’s Applebee’s breach, affecting the POS systems of 167 restaurants in 15 states.

In addition to threats, companies must also ensure compliance with the following standards:

Is There A Viable Solution?

With hackers witnessing ongoing success in the retail sector, cybersecurity cannot take a back seat. It must become an essential part of any retailer for the sake of continued operations, customer retention and brand reputation.

As the Target and Applebee’s breaches show, a lot of software and many operating systems are susceptible to technical vulnerabilities as gaps in software security are uncovered and reported every year. This means that the older a retailer’s operating system is, the more likely it is to have unpatched vulnerabilities.

While it can be a daunting and time-consuming task to routinely update software across the entire retail IT environment, effective patch management significantly decreases exposure to a breach that has the potential allow malware to penetrate retailer systems.

As cloud computing continues its proliferation, the number of devices and endpoints connected will only multiply, increasing the need for more frequent patching across more devices. Fortunately, the best way to protect your network and your system endpoints is to automate your patch management process.

And thanks to technological advances, a new generation of security tools can automate configurable patch management, software deployment and workflow management to see real-time vulnerability status and immediately remediate unpatched vulnerabilities that so often evade corporate defenses. One such advance is Automox’s cloud-native agent and policy engine. Automox allows users to control their level of patch management automation, flow processes and configuration enforcement — all from a simple, easy-to-use dashboard.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.