The accessibility and convenience of shopping online have seen retailers shift their focus to providing improved, customised, omni-channel online experiences. Many retailers have increased their digital presence to meet and manage the demand.
The transition to digital and the broadened digital landscape leaves retailers with increased and potentially vulnerable attack surfaces, making them more susceptible to cyber-attacks and other security risks such as technical debt, inconsistent and ill-maintained user access management, and unmaintained legacy software.
This POV will explore the cybersecurity challenges that retailers face and how these can be mitigated.
Retailers process and handle large amounts of customer data, including personal and financial information. Cyber criminals target retailers due to the value of personally identifiable information (PII) and financial/payment details.
Figure 1; Type of data compromised (respondents may select more than one option)
This POV will draw on research conducted by IBM in their annual Data Breach Report to understand the effects of cyberattacks on the retail industry and how these breaches differ depending on factors such as the initial attack vector, the type of data compromised, and how the breach was identified.
The cost of a data breach (the time, effort, and money needed to identify and remediate it, together with any lost business and reputational damage) makes cyber security a top strategic priority for retailers in 2024.
Cybersecurity Challenges in Retail
The growing complexity of IT environments, extensive data storage, and a workforce that is both digital and non-technical create a wealth of security challenges for retailers to manage and mitigate.
The foundations of these threats have been around for years, but as technology and security get smarter, so do the attackers.
Common Attack Vectors
· SQL Injection
· Denial of Service
· Man in the Middle
· Stolen credentials
· Malicious insiders
· Unpatched software vulnerabilities
· Cloud misconfigurations
Figure 2; Measured in days
This section explores how these attack vectors and methods are exploited and deployed by cybercriminals to access, steal, and hold hostage company and customer data.
Ransomware is a type of malware used as a tool to steal data and hold it ‘hostage’. In 2023, ransomware attacks accounted for 24% of malicious cyberattacks, with the average cost of attack increasing 13% from 2022, standing at $5.13m.
Once ransomware enters a system, it silently accesses files and encrypts them, making the data inaccessible without the correct decryption key. This decryption key is typically released to the victim only after the ransom has been paid to the attacker.
There are several tactics employed to infect a system with ransomware, including:
- Phishing emails that trick users into unknowingly downloading malicious attachments
- Existing vulnerabilities within software that allow cybercriminals to inject malicious code into a network or device
- Credential theft, which allows attackers to log into a network or computer and plant ransomware directly
In these cases the value of the data lies in its worth to the retailer. Typically, the data is not taken by the attacker; rather, it is kept from the victim for the duration of the ransom, meaning the data and systems cannot be accessed or used. The more sensitive and valuable the data, the more likely it is to be targeted, because the victim is more likely to pay for its release. The sensitivity of retail data, the costs incurred by customers, and the reputational damage make retailers prime targets for ransomware attacks.
Research by IBM found that the cost difference between paying and not paying the ransom (excluding the ransom payment itself) was only around $110,000 in 2023. This suggests that not paying the ransom is the better option, even before considering the inability to access key data and systems and the wider implications and consequences for the victim.
Figure 3; Measured in USD millions (ransom cost not included)
Phishing Attacks
In 2023, phishing was the initial attack vector in 16% of breaches, with an average breach cost of ~$4.76m. Phishing is a method of gaining access rather than of extracting information itself: it is the door to the file room, not the filing cabinet.
Phishing attacks commonly arrive by email, but also come via phone calls and SMS. The aim is to appear as a legitimate sender and encourage the victim to open and click through links or attached documents. These links typically lead to other attack methods that obtain personal or financial information, or download ransomware or other malware to the recipient's device and systems.
Phishing relies on human error, and attacks vary in sophistication. A successful phishing attack can lead to a large-scale cybersecurity breach depending on its objective; for example, if employee credentials are stolen through a scam link, attackers can use them to access company systems and data.
System Vulnerabilities
Weaknesses in systems and software such as unsupported, unpatched, or legacy (not updated) operating systems, web browsers, and applications leave retailers vulnerable to cyberattacks.
Unsupported, unpatched, and legacy software fall under the same category of vulnerability: the software version is no longer actively maintained against known vulnerabilities and security risks. Known unpatched vulnerabilities accounted for 6% of data breaches in 2023, costing on average $4.17m per breach.
Unpatched vulnerabilities allow cyber criminals to leverage known security bugs, install and run malicious code such as malware or ransomware, or simply access insecure systems and data. This is why maintaining software support and updates is vital to security: updates contain additional code (patches) that closes these known vulnerabilities and removes outdated components.
Cloud Systems
Advancements in cloud computing have transformed the way businesses operate; new methods of data gathering, storage, flexibility, and scalability all contribute to increased operational efficiency.
Despite this efficiency, 82% of breaches in 2023 involved data stored in the cloud (public, private, and multi-environment).
The most common security risks to cloud systems include:
- Unmanaged attack surfaces – the increase in remote work and the move to cloud has meant attack surfaces are now fragmented, making it easier for businesses to become exposed.
- Misconfiguration – businesses may choose to go with one or more cloud service providers (multi-environment). This creates risk as different default configurations can lead to system vulnerabilities.
- Human error – if users are not familiar with applications or using APIs, they can unknowingly create holes in cloud perimeters, leaving networks and sensitive data open to attacks.
Internet of Things
Internet of Things (IoT) devices create security risks due to the expanded and varied attack surfaces. IoT refers to the network of devices that use software, sensors, and network connectivity to transfer data with the primary goal of being self-reporting devices that communicate in real time.
Users who do not know how to protect their IoT ecosystems can leave devices vulnerable. The biggest reason IoT devices are vulnerable is their limited capacity for built-in security. Weak access control, a lack of updates, and limited budgets for testing likewise expose IoT devices to vulnerabilities.
Research shows that IoT environments increased the average cost of a data breach by over $195,000.
Protecting your Data
Although retailers attract attention from cyber criminals, there are multiple ways to test for weaknesses and best practices to implement to increase information security and mitigate the risk of cyber-attacks.
IBM identified key factors and their monetary influence against the average cost of a data breach. There are multiple factors that affect the cost both positively and negatively, identified in Figure 4. By understanding the causes and factors that increase or reduce costs, retailers can see how they can mitigate risks and reduce costs of a data breach.
Figure 4; Measured in USD
Cybersecurity Regulation
Cybersecurity regulations are designed to streamline and direct the development of stronger and more resilient IT and security practices. Adhering to regulation is beneficial for multiple reasons: not least the avoidance of costly fines, but also the guidance on where focus should lie to protect your company, supply chain, and customers.
Regulatory non-compliance increased the average cost of a data breach by $219,000; likely due to the associated fines.
Two of the main regulations affecting the retail industry are:
- GDPR – the EU’s primary data protection law that applies to businesses collecting and storing data from customers in the EU. Compliance requires businesses to ensure information is processed lawfully and gives customers the right to be forgotten.
- PCI DSS – developed to provide standards and resources for safe payments, with a mission to protect cardholder data. Compliance includes regular risk assessments and implementing safeguards.
Maintaining IT security is an ongoing task that requires continuous action and review to ensure regulations and policies are followed. Compliance is crucial for retailers to maintain reputation and avoid financial consequences.
Cybersecurity Training
Providing training for staff can prevent data breaches by reducing the risk of employee error, which is crucial given the success rate of phishing scams. Employees should be up to date on authentication protocols, email security, and information security policies, and should have a basic understanding of why software must be kept up to date.
Research finds that adequate employee training reduced the average cost of a data breach by $232,867 in 2023.
Enterprise-wide training should be completed regularly to ensure information and best practices are up to date. This is especially important given the rapid development and growing sophistication of new scams and threats.
Furthermore, departmental training should be tailored to the cybersecurity risk exposure of different roles. This could be interactive training that asks end users to actively engage and identify risk factors in example material, for example identifying the suspicious elements of a phishing email.
Cybersecurity Strategy and Tactics
Retailers should ensure they have a robust cybersecurity strategy determined by an information security policy.
A comprehensive plan should be developed to protect digital assets from cyber threats. This starts with identifying and assessing potential risks throughout the IT landscape and environments and implementing measures to mitigate and prevent the risk of cyber-attacks.
Responsiv Consultants provide support for developing cybersecurity strategy by reviewing what is implemented currently, identifying vulnerabilities, and providing recommendations on what can be improved.
Identity and Access Management (IAM)
Correct access management allows retailers to limit and monitor access to confidential customer information. Access is controlled according to job role, activity can be reported (who is accessing what), and gaps in verification can be identified.
Identity and Access Management saved $180,000 against the average cost of a data breach in 2023.
Responsiv Cloud Security Service provides multiple methods of identity and access management for cloud platforms including Responsiv Cloud, IBM Cloud, and Microsoft Azure.
The service supports access against the following criteria:
- Context and Time
Data Security Software
Having a data security platform to uncover vulnerabilities and protect sensitive data will allow retailers to have visibility, compliance, and protection of and for their data.
IBM found that breaches identified by an organisation’s own security tools and teams cost ~$380,000 less than those identified by a benign third-party, and ~$970,000 less than those disclosed by the attacker, showcasing the benefits of procuring and maintaining cybersecurity skills and software.
Figure 5; Measured in USD
Tools like IBM Guardium, a database security product, help prevent data leaks, ensure information integrity, and automate compliance controls, monitoring, auditing, and reporting in line with defined rules.
Responsiv has expertise in database security products and can administer and configure the software, perform vulnerability assessments and health checks, and monitor tools like IBM Guardium once they are set up.
Learn more about IBM Guardium and how Responsiv can help here: IBM Guardium – Is It For Me? – Responsiv
IBM Randori is an attack surface management tool that actively and continuously scours an organisation's IT landscape, attempting to gain access to the environment as an attacker would. This helps identify unknown exposures created by the growing decentralisation of IT procurement, unaware employees, and unpatched software.
Read more about Cybersecurity with IBM Guardium and IBM Randori
Customers trust retailers with their data. Retail success depends on maintaining this trust and reputation through the protection of sensitive and personal data. As technology and security develops, cyber threats are getting smarter at the same pace. It is vital that retailers reduce probability and stay prepared in the event of an attack.
Whilst cyberthreats are never going to completely disappear, there are many ways retailers can mitigate the risks and improve how quickly they recover from an attack. From simple employee training exercises such as mock phishing emails to the procurement of enterprise-grade data security software, retailers should research and make themselves aware of these cybersecurity best practices.
Staying proactive in combatting cybersecurity risks gives retailers the best chance of avoiding threats.
Responsiv supports retailers with training, strategic guidance, and the implementation of security software. Our expertly skilled team of Consultants are available as and when you need them to cost-effectively augment and support your in-house skills.
Get in touch today to find out how Responsiv can help retailers stay cyber secure in 2024!