Trouble in store? Don’t forget VPN

For a couple of years now security breaches in the retail sector have seldom been out of the headlines. Breaches at large retail chains like Target, Neiman Marcus and The Home Depot in 2014 were followed in 2015 by Dungarees, Starbucks, CVS, Toys R Us and Wallmart Canada. Some of the latter stores were much smaller illustrating that when it comes to attacks a retailer’s size is not important.

According to the annual Global Threat Intelligence Report, retail now makes up 22 per cent of all response engagements, up from 12 per cent the previous year. This is also reflected in the latest report from BDO which lists a possible security breach in joint top spot with “general economic conditions” as the biggest security risk to the retail sector.

Retailers are constantly handling large volumes of financial and consumer data. Bank card details, Social Security numbers and billing addresses are all in high demand on the black market. This is what makes them so attractive to cybercriminals. As many as 74% of attacks on retail and food services companies are aimed at compromising cardholder data. A prime example is the Wendy’s restaurant chain which has 6,500 restaurants across 28 countries. Fraudulent activity on customers’ payment cards first discovered in February 2016 was originally thought to be limited to fewer than 300 North American outlets. After further investigation the final reckoning could turn out to be “considerably higher”.

The most common cyber attack to be directed at large organizations is the large-scale distributed denial-of-service (DDoS) attack. This kind of attack tends to make headlines because of its ability to bring companies to a temporary standstill. Interestingly just 5 percent of retailers come under threat from DDoS. This is because the cybercriminals don’t want to bring things to a standstill. Shutting down retail sites and point-of-sale (POS) systems simply results in nothing to steal and no data to compromise. Instead the cybercriminals want to keep the flow of transactions moving.

Attackers use different types of threats on retailers. The preferred techniques are keyloggers - malicious code that steals login credentials – and Advanced Persistent Threats - malware that infects networks to watch and record specific transactions. According to Graham Cluley more than half of retail security threats leverage these attack vectors. In consequence, retail more than any other sector tends to be hit with financial losses, fines for non-compliance, legal issues, reputation damage and diminished customer loyalty.

Successive Verizon Data Breach Reports have repeatedly pointed out the relative ease with which hackers are able to access confidential data when a retail data breach occurs. This is in part due to retailer attitudes towards the PCI DSS standard. Most do not view compliance as a continuous process but rather as a chore to be forgotten as soon as the annual audit is completed. Retail data breach statistics show that not a single company was fully compliant at the time it was breached.  According to Verizon only 20% of organizations meet all requirements of the standard. To put it another way 80% of retailers leave the door open and put their critical assets at risk.

It is imperative that retailers regardless their size stop thinking of compliance as a short-term inconvenience and regularly adjust their internal policies to keep pace with the newest versions of PCI DSS. The best way to protect cardholder data is to continually enhance security processes so they far exceed the bare minimum criteria set out in the PCI DSS compliance requirements.

Properly closing the door to attackers requires a number of measures. These include improving network protection against malware, regular staff training on malware threats and best responses, treating compliance as a part of daily security routines and implementing secure connections for internal and external communications.

A VPN and a personal firewall can go a long way to mitigate connectivity risks. Company data and networks may be further protected when the following additional measures are implemented:

• Secure supply chain connectivity – insisting that all third party suppliers adhere to an agreed uniform connectivity measures with clear communication of the consequences of failing to comply.
• Friendly network detection –retail IT departments should enable personal firewalls on mobile devices to automatically differentiate between secure, or “friendly,” networks and unsecured public networks
• Endpoint protection – where the VPN automatically performs a health-check on the device before allowing a connection

In conclusion, retailers and their customers are the number one targets for cybercriminals.  Customers and employees of retail companies have therefore more reason than most to be vigilant and need to take steps to reduce the likelihood of data theft. Implementing secure connectivity between networks, external suppliers and customers is paramount. A VPN is one way to ensure connectivity in retail environments remains secure and stop the door to a data breach from opening.