Mitigating Retail Vulnerabilities
Retailers are top targets for cybercriminals.
According to the 2016 Global Threat Intelligence Report from NTT Group, they receive up to three times the number of attacks as financial institutions - who are next on the list.
In Europe, around 70% of retailers admit to being targeted (Quocirca) while 45% of the attacks are known to have been successful.
Meanwhile, the US retail sector has seen repeated attacks on electronic point-of-sale (POS) systems in the past 12 months as well as consistently high volumes of phishing emails aimed at tricking insiders into unwittingly opening up corporate networks to hackers.
With online takings expected to grow to 21% of overall sales in 2017, cybercriminals will continue to try and profit from any vulnerabilities they can find.
To counter this, retailers have a variety of mitigation techniques available to them including Virtual Private Networks (VPNs), two-factor authentication, web application firewalls and network infrastructure vigilance.
Even today, the best security approach is multi-layered since no single technology can nullify all threats at all times.
Retailers are constantly managing large volumes of payment card data.
Hackers are attracted to retail sites in the hope of harvesting credit card information in bulk with the aim of selling it on the criminal gangs on the Dark Web.
However, improvements in fraud prevention techniques mean it is now possible for banks to very quickly spot and stop bad transactions. In consequence, the black market value of credit card numbers has fallen dramatically.
Many thieves have moved on to target information such as the personal data retailers gather via online registration forms and customer loyalty schemes.
Much of this data is not financial. This has led some retailers to place a lower value on it, mistakenly affording it less protection.
In the UK, loyalty schemes are big business. It is a £5.7bn market – an astonishing 92 percent of the UK’s adult population are said to be members of one loyalty schemes or another.
Retail loyalty schemes spawn huge databases filled with just the sort of customer data that a fraudster might use for identity theft - including names, dates of birth, emails, mailing addresses and so on.
A customer database breach is extremely damaging to a retailer in terms of financial penalties and lost reputation.
In some cases, loyalty points can even be spent like cash, making them as valuable as any payment account.
Among loyalty scheme managers in the US, 72 percent have reported problems with fraud.
In the past 12 months, POS breaches have been recorded by every kind of retailer from clothing stores (Eddie Bauer) to software companies (Oracle).
However, more than 60% of SurfWatch Labs’ point-of-sale related CyberFacts collected in 2016 affected the leisure industry – particularly hotel and restaurant chains.
HEI Hotels & Resorts, IHG, Omni Hotels, Trump Hotels, Hilton, Wendy’s, CiCi’s and KFC are just some of those named in breach reports.
The reasons for these breaches are many and varied.
However, some common retail practices expose customer data to greater risk.
For example, retail websites aim to be open for business 24/7. Many invite shoppers to save their address, credit card number, billing and shipping information in their online account to save time on their next visit.
As a general rule, shoppers should only be required to enter the absolute minimum in their shopping account in case the website is breached and the data is harvested by hackers.
Additionally, online retailers rarely offer two-factor authentication - another safeguard for shoppers.
Surprisingly, it’s not just the smaller retailers who are guilty of putting customer data at risk. In a study by Lastpass, Amazon and Walmart were ranked among the lowest for account security.
Retail data is rich in detail and transaction volumes are high.
The number of online sales (expected to account for 21% of overall sales in 2017) and cyber-attacks on retailers (up by 46% in the first six months of 2016) are both on the rise.
At the same time, new threats are starting to appear.
For example, retailers regularly hire large numbers of temporary workers to help them manage busy trading periods like Christmas and New Year.
This means large numbers of relatively inexperienced employees are inevitably bringing into the workplace unsecured smartphones filled with apps they have downloaded for themselves from unspecified sources. They then use them to share work-related data with colleagues.
Mitigation strategies available to retailers include deployment of VPNs.
VPNs create secure, encrypted connections between remote networked systems, POS terminals, customer databases and mobile devices.
Along with other technologies such as two-factor authentication, web application firewalls and network infrastructure vigilance, VPNs can help retailers to substantially reduce web threats.
In summary, with attacks on POS systems increasing, retailers and their customers have more reason than most to be wary of the threat to their data. A VPN forms an important part of a multi-layered security strategy enabling retailers to lock down all connection channels that could lead to a data breach.