Cyber security in retail
The retail sector has evolved dramatically over the last ten years. Even the most traditional brick-and-mortar stores have embraced social media, automation and e-commerce. However, as the industry has evolved, so too have cyber security threats in retail.
The latest Sophos report, The State Of Ransomware In Retail, states that 82% of retail organisations hit by ransomware said the attacks caused them to lose business revenue, in line with the global cross-sector average of 84%. The 2023 study also revealed that the rate of ransomware attacks in retail has dropped, from 77% in 2022 to 69% in 2023. While that decline is welcome, the rate of ransomware attacks in retail still remains above average, with the education sector the most likely to suffer a cyber attack.
The report shows that exploited vulnerabilities are the most common cause (44%) of the most significant ransomware attacks in the sector, followed by compromised credentials at 22%. Phishing was the third most common root cause, and overall, nearly one-third of retail respondents (32%) said phishing attacks were the root cause of the attack, comparable with the cross-sector average of 30%.
This year’s Verizon Data Breach Report found that the retail industry is experiencing the same types of attacks it suffered last year: use of stolen credentials, phishing and ransomware. Retailers continue to be targeted by threat actors whose tactics range from deploying malware to capture credit card data to more common approaches such as phishing.
Historical evidence and past retail cyber security news indicate that threat actors are more likely to target retailers during the festive season. So, as peak season approaches, retailers must ensure they have the right solutions and processes in place to keep their infrastructure, staff and customers secure.
This is not to say cyber security efforts should be focused on one season: security is an ongoing, year-round exercise of continuous improvement. But if you are a retailer and are concerned about the maturity of your security posture, then now might be the most critical time to act. Read on for our cyber security SME’s advice on strengthening your security posture in time for the peak holiday season.
Why retailers are vulnerable to cybersecurity threats
Like all sectors, retailers realise the potential of data, analytics and artificial intelligence (“AI”) to improve the customer experience and back-end operations – via personalised marketing, predictive fulfilment or last-mile delivery. As retailers continue to increase their reliance on data, cyber security has become pivotal.
UK retailers fall within the scope of the UK Data Protection Act and UK General Data Protection Regulation (“GDPR”), which both mandate strong safeguards to protect data and penalties for those who fail to protect it. This makes the stakes higher than ever for retailers, as a security incident could lead to a costly fine of up to 4% of annual turnover, as well as reputational damage.
The last few years have been difficult for retail. The impact of COVID-19 was harshly felt, particularly by mainstay physical retailers. As demand for e-commerce offerings has increased, many retailers have moved toward omnichannel models, blending their offers between the physical and digital realms. This multi-faceted end-customer experience is, again, dependent on data. Consumers are putting their trust in retailers to handle their data lawfully, ethically and securely. A break in this trust, brought about by a security incident, could lead to a long-term loss of loyalty.
Moreover, retailers need to recognise that even if their own infrastructure is secure, a security incident at a supplier or partner could leave them as collateral damage. Supply chain attacks are becoming increasingly common, meaning retailers must focus not only on bolstering their own defences but also on ensuring their supply chain is secure. You can read more on this topic in our guide to supply chain security.
Indeed, as data have become more intrinsic to retail operations, cyber security has become equally essential. Therefore, having both preventative and response measures in place is paramount. Retailers must create an ongoing cyber resilience strategy aligned to business and operational objectives. Data is becoming (if it isn’t already) a highly valuable asset for retailers – but it is also a highly coveted asset to threat actors.
Common retail cyber attacks
Whilst technology continues to advance at a significant pace, we can expect new threats and more sophisticated attack vectors to come to the fore over time. However, no matter the type of attack, the end goal for a threat actor targeting a retailer is almost always the same: financial gain.
With so many ways to steal information, it’s plain to see why retail cybercriminals often see success during the peak season. Here are some of the main retail cyber attacks to look out for:
Retail threat actors frequently use stolen usernames and passwords to break into systems because it is one of the easiest ways to obtain valuable data or to install ransomware. Many people reuse the same password across multiple sites (if you have been paying attention to our content, you will have heard us advise against this and recommend a password manager instead), which leaves their personal information exposed when any one of those sites is breached.
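To show what this threat looks like from the defender's side, here is an added example (not code from the original article or its author) of detection logic a retailer can run over web login logs. The signal that distinguishes reuse of stolen credentials from an ordinary forgotten password is one source address failing against many different accounts in a short window, rather than one account failing repeatedly. The log format, the sample lines and the thresholds are constructed assumptions for the illustration.

```python
"""Detect credential-stuffing patterns in web login logs.

Added illustration for the stolen-credentials threat described above; the
log format, field names and thresholds are assumptions, not something the
original page specifies.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, client IP, username, outcome.
# 203.0.113.10 walks through many accounts in seconds (stuffing pattern);
# 198.51.100.7 is one user retrying their own account (not stuffing).
SAMPLE_LOG = """\
2023-11-24T09:00:01Z 203.0.113.10 alice@example.com FAIL
2023-11-24T09:00:02Z 203.0.113.10 bob@example.com FAIL
2023-11-24T09:00:02Z 203.0.113.10 carol@example.com FAIL
2023-11-24T09:00:03Z 203.0.113.10 dave@example.com FAIL
2023-11-24T09:00:03Z 203.0.113.10 erin@example.com FAIL
2023-11-24T09:00:04Z 203.0.113.10 frank@example.com SUCCESS
2023-11-24T09:00:05Z 203.0.113.10 grace@example.com FAIL
2023-11-24T09:01:10Z 198.51.100.7 alice@example.com FAIL
2023-11-24T09:01:40Z 198.51.100.7 alice@example.com FAIL
2023-11-24T09:02:05Z 198.51.100.7 alice@example.com SUCCESS
2023-11-24T10:30:00Z 192.0.2.55 heidi@example.com SUCCESS
"""


def parse_line(line):
    """Split one log line into (datetime, ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_attempts=5, min_distinct_users=5):
    """Return {ip: stats} for source IPs whose densest sliding window of
    failed logins hits both thresholds: enough failures, spread over enough
    distinct accounts. Successful logins from a flagged IP are listed so
    those accounts can be triaged (forced password reset, session revoke)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = parse_line(line)
        by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [(ts, user) for ts, user, outcome in events if outcome == "FAIL"]
        best = (0, 0)  # (failed attempts, distinct users) in the densest window
        start = 0
        for end in range(len(fails)):
            # Advance the window start until it fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            window_fails = fails[start:end + 1]
            distinct = len({user for _, user in window_fails})
            if len(window_fails) > best[0]:
                best = (len(window_fails), distinct)
        if best[0] >= min_attempts and best[1] >= min_distinct_users:
            successes = {user for _, user, outcome in events if outcome == "SUCCESS"}
            flagged[ip] = {
                "failed_attempts": best[0],
                "distinct_users": best[1],
                "accounts_logged_in": sorted(successes),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The per-account failure count that many lockout policies use would not catch this pattern, because each account sees only one failed attempt; keying the count on the source address and counting distinct accounts is what makes the stuffing visible. The `accounts_logged_in` list is the immediate follow-up: those are the credentials that worked and need resetting, and multi-factor authentication on customer accounts removes most of the value of a reused password in the first place.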
RAM scraping is a technique threat actors use to infiltrate point-of-sale software. Each payment card transaction leaves data in a retailer’s system. By scraping this information, they obtain all the items stored on a card’s tracks, such as the account number, CVN and expiration date. Payment card industry data shows this attack vector has plagued retailers since at least 2008, when the first known RAM scraping attack was reported by credit card company Visa Inc.
Web skimming, also known as formjacking or Magecart, is an attack in which the actor injects malicious code into a website and extracts the data a consumer has entered into an HTML form. Every e-commerce website has a payment page, which should be securely encrypted. Retailers without robust security in place are ideal targets for web skimmers. Worse, the injected code is hard to detect, particularly for smaller businesses with less budget for advanced tooling. A prime example of such a breach is the British Airways (BA) breach in 2018.
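The practical defence against injected checkout scripts is to know exactly which scripts a payment page is allowed to load and to make the browser enforce that. As an added example (not code from the original article or its author), the audit below parses a constructed checkout page, flags any script from an origin that is not on the retailer's approved list or that lacks a Subresource Integrity hash, and builds the matching Content-Security-Policy `script-src` directive. The page markup, the allowlist and the integrity value are all constructed for the illustration.

```python
"""Audit an e-commerce checkout page for web-skimming exposure.

Added illustration for the web-skimming threat described above. The HTML,
the approved-origin allowlist and the integrity hash are constructed for
the example; a real deployment keeps its own list of approved origins.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page: a first-party script, an approved payment SDK
# pinned with Subresource Integrity, an injected loader from an origin the
# retailer never approved, and an inline script.
CHECKOUT_HTML = """
<html><body>
<form id="payment" action="/pay" method="post">
  <input name="card_number"><input name="cvv"><input name="expiry">
</form>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v1/sdk.js"
        integrity="sha384-PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxx" crossorigin="anonymous"></script>
<script src="https://cdn.stats-helper.invalid/loader.js"></script>
<script>window.__ready = true;</script>
</body></html>
"""

# Assumed allowlist of third-party origins permitted on the payment page.
APPROVED_ORIGINS = {"https://js.payments.example"}


class ScriptCollector(HTMLParser):
    """Collect every <script> tag's src and integrity attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        self.scripts.append({
            "src": a.get("src"),
            "integrity": a.get("integrity"),
            "inline": "src" not in a,
        })


def audit_scripts(html, approved_origins):
    """Return a list of (finding, src) tuples for scripts that need review:
    inline scripts, scripts from unapproved origins, and approved third-party
    scripts that are not pinned with an integrity hash."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["inline"]:
            findings.append(("inline-script", None))
            continue
        u = urlparse(s["src"])
        if not u.netloc:
            # Same-origin script served from the retailer's own site.
            continue
        origin = f"{u.scheme}://{u.netloc}"
        if origin not in approved_origins:
            findings.append(("unapproved-origin", s["src"]))
        elif not s["integrity"]:
            findings.append(("missing-sri", s["src"]))
    return findings


def csp_script_src(approved_origins):
    """Build the Content-Security-Policy script-src directive that allows only
    same-origin scripts plus the approved origins. With no 'unsafe-inline',
    injected inline skimmers and loaders from other hosts are blocked."""
    return "script-src 'self' " + " ".join(sorted(approved_origins))


if __name__ == "__main__":
    for finding in audit_scripts(CHECKOUT_HTML, APPROVED_ORIGINS):
        print(finding)
    print(csp_script_src(APPROVED_ORIGINS))
```

Run periodically against the live checkout page, the audit turns "hard to detect" into a diff: any script origin that was not there yesterday is a finding. The CSP directive is the enforcement half, and pairing it with `report-uri` or `report-to` gives the browser a way to tell you when something tried to load. Neither control helps if a first-party script itself is modified on the server, so file-integrity monitoring of `/static` and the CMS remains necessary alongside them.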
Social engineering, perhaps the oldest “trick in the book” for nefarious threat actors, is a tactic that takes advantage of emotions and tricks people into voluntarily giving up their credentials or payment details. It can take the form of many different attacks, the most common being phishing, spear-phishing, smishing (via text message) and vishing (over the phone). Vulnerable people are most at risk, but the past few years have seen these attacks become more sophisticated and harder to identify.
Near field communication (NFC) breaches:
Near Field Communication (NFC) is a set of wireless technologies, usually requiring a distance of 4cm or less to start a connection. Price scanners, mobile phones, and card readers are common targets for NFC breaches. QR codes are also at risk of this type of attack. Though NFC is a convenient process, threat actors can use this method to easily gain access to transactions and steal data.
Web application attack
Poor web application security is a common problem faced by organisations across the world, due to the sheer volume of applications they own. The more applications, the greater the attack surface and the weaker the data security. A recent report by Outpost24 found US retailers to have the larger attack surface, with an average risk exposure score of 35.1 compared with 30.8 for EU retailers, out of a maximum score of 42.33, which is a worrying trend. The report highlights the need for retail security professionals to do more to protect their applications from cybercriminals. Our senior cyber security test consultant explains why API security is critical to your organisation.
How retailers can strengthen their cyber security
There are several actions retailers can take to improve their cyber security posture and mitigate the threat of a ransomware attack – both for the peak season and year-round. To begin with, we suggest reading the National Cyber Security Centre (“NCSC”) and British Retail Consortium’s joint cyber resilience toolkit for retailers. The toolkit contains step-by-step guidance aimed at helping retailers build a strong cybersecurity strategy.
We also advocate completing the NCSC’s flagship standard, Cyber Essentials, which provides five foundational steps for adequate protection. A step further would be to achieve Cyber Essentials Plus. This requires a qualified, independent assessor to validate that these five steps are in place. For supply chain security, the NCSC offers 12 principles, designed to enable effective control of the supply chain. Other broad cyber security standards to consider are ISO 27001 or the NIST Cyber Security Framework. To learn more about the certification, visit our Cyber Essentials knowledge hub where you’ll find everything you need to know about Cyber Essentials.
Retailers must also prepare for the worst-case scenario and have a plan that helps them respond to a security incident in a calm and timely manner. We have written a guide on incident response planning to help with this. Establish an incident response team and create an incident response plan so that everyone knows what to do in the unfortunate event of a cyber incident. There are also services that provide cyber incident response training, such as putting your employees through an incident response exercise.
As well as focusing on their own cybersecurity protections, retailers must also remember their customers. Phishing emails, malvertising, and phone call fraud are all popular tactics threat actors use during the festive period. Often, they will disguise their attempts as Black Friday or Christmas retail offers. You can download our free guide to phishing to learn more about what to do if you think you’ve been caught out.
To help their customers stay safe, retailers should make an effort to educate their customers on fraud. They should also explain in clear terms, what genuine communications from their marketing or sales teams will look like. Taking this step will protect customers and improve customer trust in the business.
For eCommerce sites, we recommend considering regular penetration testing of your systems to ensure your infrastructure is secure and any vulnerabilities can be identified and remediated. To learn more about penetration testing services, you can download our Guide to Penetration Testing.
If you are a retailer looking for assistance with cyber security, we can help. Our cyber security team are experts in their field with vast experience across multiple industries. Contact us today to have a friendly, no-obligation chat and discuss your needs.