How Retailers Can Stay Cybersecurity Savvy During the Holidays
By Nick Hogg, Director of Technical Training at Fortra.
“It’s the most wonderful time of the year,” croons Andy Williams. And it is. For cybercriminals.
Retailers are historically hit hardest during the fall and winter because attackers go where the money goes, and Black Friday, Cyber Monday, and the festive season all funnel consumer spending their way. Verizon notes that an astounding 99% of cyberattacks on the retail sector are financially motivated. However, it is not only funds cybercriminals are after. Thanks to digitization and the near ubiquity of online payments, the sheer volume of sensitive data held by retail organizations – payment data, e-commerce activity, personally identifiable information (PII), and more – is enough to tempt any black hat.
Retailers can’t help being the perfect target for holiday hackers, but they can control how they prepare for and respond to this year’s challenges.
The risk to retailers
Every dollar lost directly to fraud costs retailers an average of $3.75 in total once the surrounding costs are counted. While that is bad news, what is even worse is that retail fraud has increased by 20% since 2019.
Attackers target retailers with cyberattacks that lead to a data breach or operational disruption. Simply put, threat actors want payment data, PII, and anything else that can be monetized. Retailers are obligated to secure this data: contractually under PCI DSS, and legally under privacy regulations such as GDPR and CCPA. Unfortunately for many retailers, however, that protection process is still a work in progress. For instance, connected (IoT) devices are a huge enabler of the modern retail economy, with ATMs, self-checkouts, and mobile payment terminals all depending on them. Yet while many retailers have moved towards connected conveniences, not all are proficient at securing them. While 84% of retail organizations use IoT devices, fewer than 50% have taken serious measures against attacks on them.
Data breaches lead to fines and consumer mistrust, which, studies show, is often impossible to overcome. A recent ISACA study revealed that nearly one in three consumers stopped doing business with a company known to have suffered a breach. And if the lost business doesn’t get you, the overall cost of the breach just might. With the average data breach coming in at around $4.45 million this year (the global average in IBM’s 2023 Cost of a Data Breach Report), many retailers – especially small ones – won’t be able to withstand the blow.
Watch out for these prevalent attack methods
The solution is for retail organizations to stay savvy. Here are four common ways threat actors are likely to attack:
- Malware | Malware intrusions, which include ransomware, can begin directly via a phishing link or a targeted exploit of a vulnerability, or indirectly through a compromised supplier. Companies that feel they are “too small to hack” forget they are often just collateral damage, or a stepping stone. Attackers compromise the little fish to get to the big ones, as in the 2013 breach of a major big box retailer (Target) that began with credentials stolen from its HVAC vendor. Once inside, information stealers harvest saved credentials, session cookies, and payment data from compromised endpoints and browsers, while ransomware can bring retail operations to a grinding halt. In 2022, retail ransomware attacks increased by a whopping 67% compared to 2021.
- Bot Attacks | Automated bot attacks rise seasonally at this time of year, with a 50% rise in bad bot traffic, a 43% spike in web scraping attacks, and a three-fold surge in fake account creation in the week before Black Friday. Driven by scripts, bot attacks are designed to inflict damage or exploit retailers at scale: scraping prices and inventory, testing stolen card numbers and credential lists, and hoarding stock. They can be launched by lone actors or sophisticated groups and commonly target e-commerce websites and applications.
- Phishing | The perennial prime culprit, phishing puts retail employees and customers at greater risk during the holiday season, when urgency is high and guards are low. Attackers send fraudulent links to employees in the hope of stealing credentials that give easy access to internal systems. Consumers rushing to secure purchases click, log in, and give away valuable information at a time when personal finances may be most precious. These scams are now made even more convincing with AI, resulting in dead-ringer deepfakes, cloned voices, and creepily customized phishing emails.
- Brand impersonation | The increased presence of retail brands on social media makes it easy for threat actors to collect logos, product imagery, and other brand assets and repurpose them for fake websites and profiles. They then lure consumers with counterfeit ad campaigns, posts, and messages. The fast-moving nature of social media means that this type of brand impersonation is often difficult for consumers to spot until it is too late. It is also costly for retailers, both in lost revenue and in the scars left on their brand reputation.
In addition, myriad retail-targeted threats lurk on the dark web, such as gift card fraud, the trafficking of stolen merchandise, and the sale of pilfered credential lists.
Adopting retail cybersecurity
Of the 629 cyber incidents experienced by the retail industry last year, 241 resulted in confirmed data disclosure, per the Verizon 2022 Data Breach Investigations Report. That is a frightening 38% of incidents ending in a breach. However, this year retailers don’t have to resign themselves to a similar fate. There are ways to fight back.
First, implement a defense-in-depth strategy with security controls across your website, app, and network. These should be geared to discover and remediate system vulnerabilities, correct misconfigurations, and align with current retail compliance standards. Next, increase cybersecurity awareness on the front line through security awareness training for employees and for the supply chain. Apply third-party risk management best practices to mitigate supply chain attacks, and gain visibility into external threats with solutions and services that both monitor and take down fraudulent activity across your digital footprint. Do not forget your technology supply chain! Electronic skimming, in which malicious JavaScript is injected into checkout pages, frequently by way of a compromised third-party script, can be even more devastating than traditional credit card skimmers: every card entered on the page is exfiltrated, and the site looks and works normally. Inventory every script that loads on payment pages, pin third-party scripts with Subresource Integrity where the provider supports it, restrict script sources with a Content-Security-Policy, and monitor checkout pages for unexpected changes.
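As an added illustration of the e-skimming checks above (this is example code written for this article, not a Fortra product or any retailer's tooling), the following Python script audits a checkout page's HTML and response headers for third-party script exposure. It flags scripts loaded from hosts outside a vetted allowlist, third-party scripts without a Subresource Integrity attribute, inline scripts that would need a CSP nonce or hash, and a missing or permissive Content-Security-Policy. The first-party host, the allowlisted payment-script host, the sample HTML, and the sample headers are all constructed for the example.

```python
"""Audit a checkout page for third-party script risk (e-skimming exposure).

Example code for this article, not vendor tooling. The hosts, the sample
HTML, and the sample headers below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"                 # hypothetical first-party host
ALLOWED_THIRD_PARTY = {"pay.example-psp.com"}  # hypothetical vetted payment provider


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None
        self._inline_buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}
        self._inline_buf = []

    def handle_data(self, data):
        if self._current is not None:
            self._inline_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self._current["inline"] = "".join(self._inline_buf).strip()
            self.scripts.append(self._current)
            self._current = None


def audit_scripts(html, first_party=FIRST_PARTY, allowed=ALLOWED_THIRD_PARTY):
    """Return (severity, message) findings for the scripts on a page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        src = s["src"]
        if src is None:
            # Inline script: cannot be pinned with SRI, so CSP must cover it.
            if s["inline"]:
                findings.append(("info", "inline script present; needs a CSP nonce or hash"))
            continue
        # A relative src (no host) is served by the first party itself.
        host = urlparse(src).hostname or first_party
        if host == first_party:
            continue
        if host not in allowed:
            findings.append(("high", f"unvetted third-party script host: {host}"))
        if not s["integrity"]:
            findings.append(("medium", f"third-party script without SRI integrity: {src}"))
    return findings


def audit_csp(headers):
    """Flag a missing or permissive Content-Security-Policy for scripts."""
    csp = next((v for k, v in headers.items() if k.lower() == "content-security-policy"), None)
    if csp is None:
        return [("high", "no Content-Security-Policy header; injected scripts run unrestricted")]
    directives = {}
    for d in csp.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0]] = parts[1:]
    # script-src governs scripts; default-src is the fallback when it is absent.
    sources = directives.get("script-src") or directives.get("default-src") or []
    findings = []
    if not sources:
        findings.append(("high", "CSP lacks a script-src or default-src directive"))
    for permissive in ("'unsafe-inline'", "*", "https:"):
        if permissive in sources:
            findings.append(("medium", f"script-src allows {permissive}"))
    return findings


# Constructed sample checkout page: one first-party script, one pinned payment
# script, one unvetted analytics tag with no SRI, and one inline script.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://pay.example-psp.com/v3/pay.js" integrity="sha384-AAAA"></script>
<script src="//cdn.analytics-example.net/tag.js"></script>
<script>window.dataLayer = [];</script>
</head><body></body></html>"""

# Constructed sample headers: a CSP that still permits inline scripts.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' pay.example-psp.com 'unsafe-inline'"
}

if __name__ == "__main__":
    for severity, message in audit_scripts(SAMPLE_CHECKOUT_HTML) + audit_csp(SAMPLE_HEADERS):
        print(f"[{severity}] {message}")
```

Run against the sample page, the audit reports the unvetted analytics host, the missing integrity attribute on that script, the inline script, and the `'unsafe-inline'` source in the CSP. In practice you would feed it the live checkout page on a schedule and alert on any new finding, since a skimmer typically appears as exactly that: a script host or inline block that was not there yesterday.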
Retail cybersecurity solutions from Fortra can enable you to sidestep common attack schemes this season and easily maintain PCI compliance, reduce your threat surface, enhance operational efficiencies, and decrease costs.