How US retailers can protect themselves from targeted cyberattacks
November 26, 2019
As a leading industry in digital transformation, retail suffers consistently from cyberattacks. Here’s how to remain safe.
How to limit the impact of data breaches IBM’s Wendi Whitmore offers advice about how to defend against and respond to data breaches.
US retailers lead the digital transformation movement, with 42% of US retailers reportedly disrupting their markets or embedding digital capabilities, a Thales study reported on Tuesday. However, this increased use of digital tools brings more threat vectors for cybercriminals to exploit.
The 2019 Thales Data Threat Report, based on a global IDC web-based study, surveyed 1,200 executives who held responsibility for their companies’ IT and data security. With focus on responses from 100 US retailers, the retail industry is clearly at risk in the security landscape.
The majority (62%) of US retailers said they have been breached, and 37% said they were breached in the past year, the report found. Despite breaches being so prevalent to retailers, less than two-thirds (62%) said they were increasing their security spending this year, which is down from 84% who said they were increasing their security spending last year.
SEE: Special report: Data, AI, IoT: The future of retail (free PDF) (TechRepublic)
Digital transformation in retail
Digital transformation is not only saving brick and mortar stores, but revolutionizing the e-commerce experience. The digital transformation initiatives leading this effort include digital marketing, analytics, omnichannel retail, artificial intelligence (AI), voice, augmented reality (AR), virtual reality (VR), sensor data, facial recognition, and cloud services.
Some 72% of retailers said that AI will become a “competitive necessity” in the next five years, according to Oxford Economics’s Shopping for AI survey. This sentiment is evidenced by Sephora’s AI foundation tone match, Lowe’s AR/VR room tour, and Kroger’s online ClickList service.
However, in an effort to keep up in a competitive market, retailers prioritized the technology over security, the Thales report found.
“Digital transformation initiatives create an interesting new threat model for retailers as many times these initiatives aren’t designed with security, and specifically anti fraud, in mind,” said Josh Zelonis, principal analyst at Forrester. “The consequence is that many times what happens is we are creating seams in our traditional processes which may be exploited.”
Shopping for cyberthreats
“No one can assume data is always safe from attack or misuse. It is impossible for retailers to be aware of every unpatched hole and channel a cybercriminal could enter through,” said Tina Stewart, vice president of market strategy for cloud protection and licensing activity at Thales.
“Threat vectors retailers face are extremely broad, complicating the process to prevent and detect them,” Stewart noted. “These vectors include external and internal players: Cyberterrorism, hacktivists, and even internal threats from within the IT organization—such as privileged users and system administrators. The most likely attacks to occur are when cybercriminals go after third-party vendors to get into retailers’ systems—such as going through web applications and supply chain.”
Some 39% of US retailers said they consider themselves either very or extremely vulnerable to attack, which is a higher percentage than the global sample overall. Security breaches result in significant loss of revenue and profit impacting retailers significantly, the report said.
“The retail sector is a high-profile target given the large amounts of sensitive customer data stored within – such as complete credit card information,” Stewart said. “According to Experian, hackers can steal credit card information to sell on the Dark Web for $5.”
Credit card information breaches have caused some of the most high-profile retail breaches, namely at Target and Home Depot, the report noted.
Target’s data breach in 2013 resulted in the release of Target customers’ names, mailing addresses, phone numbers, and email addresses for up to 70 million people, along with payment card data.
Similarly, a cyberattack on Home Depot in 2014 exposed more than 50 million customers’ credit card accounts, resulting in a $19.5 million settlement from the home-improvement retailer.
“It is therefore important that retailers focus not only on the latest and greatest technical solutions, but also pay attention to the bread and butter topics of fraud detection and identity theft abuse,” said Jonathan Care, senior director and analyst at Gartner.
Adding to the difficulty of protecting sensitive data is the growing complexity of multi-cloud environments within the retail industry, the report found. Nearly 70% of respondents said they have at least 26 Software as a Service (SaaS) applications, and more than half have three or more Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) applications. Because of this slew of systems, 40% of respondents rated complexity as the top barrier to implementing data security.
How to stay protected
Americans have a false sense of complacency in regards to breaches, the report found. Despite breach rates surpassing 60% for US retailers, 94% of US respondents said they believe they have adequate security in place for new technology departments.
Stewart offered the following four recommendations for retailers looking to improve their data security strategy:
1. Focus on all threat vectors 2. Invest in modern, hybrid and multi-cloud-based data security solutions 3. Prioritize compliance issues 4. Adopt new data security strategies – including encryption and access management
Additionally, joining retail-specific information sharing groups for better visibility into the industry’s threats can be useful, Zelonis said.
For more, check out Retailers have become the top target for credential stuffing attacks on our sister site ZDNet.
Cybersecurity Insider Newsletter
Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays