The Christmas Season is Here – and Retail Cyber-Defenses are Lacking

Posted on by Robert Ackerman

The year’s busiest period for retailing has begun and once again will test the effectiveness of retail cybersecurity – just as the World Economic Forum has produced a new report stating that North American business executives rank cyber attacks among their top risks. While retail cybersecurity is improving to some extent, its breadth and quality still have ample room to grow. 

This means retailers may not be fully able to protect customers amid holiday season sales almost certain to ring in sales north of $700 billion in the U.S. alone. 

Merchants often don’t spend their cybersecurity dollars as efficiently as they should. More importantly, retailers don’t spend enough: about four percent of their annual IT budgets is devoted to cybersecurity, according to Gartner – less than the healthcare industry, another tight-fisted spender. By contrast, the financial services industry spends more than 5.5 percent of its IT budget on cybersecurity annually. 

In part, this is why giant retailers such as Home Depot, Neiman Marcus and Target have suffered breaches in recent years. This year alone, Saks Fifth Avenue, Lord & Taylor, Sears and Under Armour have also fallen victim to major data breaches. In total, nearly one in three retailers have suffered revenue losses stemming from cyber attacks, according to the Cisco 2017 Annual Cybersecurity Report. 

Retail Cybersecurity Ranks near the Bottom

SecurityScorecard, which monitors more than 200,000 businesses globally and grades the cybersecurity effectiveness of various industries, ranks the retail industry second from the bottom. One big problem is that merchants hold large volumes of personally identifiable information and associated financial information, which makes them enticing targets. Another is that big retailers operate complex networks, which makes them more vulnerable. 

In addition, retail is a rich target of social engineering attacks, according to SecurityScorecard. A SecurityScorecard report also found a retail industry failure to sufficiently comply with PCI DSS standards for the protection of cardholder data. 

Because the fifth anniversary of the Target breach in December 2013 – the biggest retail breach in history – is on the horizon, merchants this year are more fidgety about the state of their cybersecurity protection. Point-of-sale terminals at Target were compromised by hackers for more than two weeks, enabling them to steal credit and debit card data from more than 40 million customers. The company paid dearly on multiple fronts, including breach-related cumulative expenses of $162 million. 

Barely More Than Half of Retailers Have Good Security Infrastructure 

The Cisco cybersecurity report found that just 52 percent of retail organizations consider their security infrastructure up-to-date and upgraded with the best technology tools. Among other industries, this figure averaged 59 percent. 

The online retailing industry, in particular, has become a choice hunting ground for cyber criminals, especially with new payment technologies that are transforming the way consumers shop, whether online, via mobile or in the store. Each of these technologies provides a new entry point for cyber criminals. 

Also newly at risk are large volumes of business-related data regarding operations, business management, procurement and logistics – all a profitable source of data for cyber criminals. 

Other substantial threats are point-of-sale (POS) breaches, ransomware, distributed denial-of-service (DDoS) attacks and credential stuffing attacks. 

In the last two arenas, at least, multiple companies now offer effective defenses against one or both, including Shape Security, Akamai, Netacea and F5. 

POS Systems Get Little Attention

Many companies, in particular, fail to maintain their POS systems, which means they run outdated operating systems. In addition, many POS systems lack point-to-point encryption, leaving retailers to fall back on less effective endpoint protection. Meanwhile, DDoS attacks are growing in concert with the rise of the Internet of Things (IoT). And ransomware, an older retailing threat, is experiencing a resurgence. To help combat these attacks, retailers are increasingly automating data backup. 

Retailers must take a number of other steps to successfully thwart malicious actors. Here are the key things they must do: 

  • Determine the location of the most sensitive data and networks and implement endpoint detection and response technology. This not only enhances protection but curbs the gap between when an intrusion begins and when it is discovered. 
  • Avoid default passwords like the plague, particularly for hardware devices that can allow direct access to critical data. 
  • Patch operating systems and third-party applications. 
  • Employ next-generation anti-virus protection to detect and prevent malware on POS terminals. Unlike signature-based tools, it does not depend on reactive signature updates to detect and stop attacks. 
  • At least begin to investigate the implementation of technology that tracks online visitors as they use websites and apps. The way people press, scroll and type on a phone screen or keyboard can be as unique as fingerprints or facial features. This can weed out suspicious transactions and automated attacks. 

RBS Leading the Cutting Edge

A leader in this space is The Royal Bank of Scotland. When clients log in to their RBS accounts, software begins recording 2,000 interactive gestures. On phones, it measures the fingers they use to swipe and tap, the pressure they apply, and how quickly they scroll. On a computer, the software records the rhythm of keystrokes and the way the mouse is wiggled. 
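The keystroke-rhythm idea behind the bullet above and the RBS description, reduced to one measurable signal: an added illustration written for this post, not RBS’s or any vendor’s code. It assumes each login attempt is captured as a list of key-press timestamps in milliseconds (all sessions below are constructed), enrolls a per-account baseline of inter-key intervals, and then flags a new session as genuine, suspicious (a human whose rhythm does not match the account owner) or automated (a script replaying keys at machine-regular intervals).

```python
"""Toy keystroke-dynamics scorer (illustration only, not production code).

Assumption: the login page records a timestamp (ms) for each key press in the
password field.  Human typing has natural jitter between keys; credential
stuffing tools and replay scripts tend to emit keys at near-constant intervals.
"""
from statistics import mean, pstdev

# Constructed enrollment data: three genuine logins by the account owner.
ENROLL_SESSIONS = [
    [0, 150, 330, 470, 670, 830, 1000, 1150],
    [0, 160, 330, 480, 670, 820, 1000, 1140],
    [0, 140, 330, 490, 700, 870, 1030, 1180],
]
# Constructed test sessions.
GENUINE = [0, 155, 330, 475, 670, 835, 1000, 1155]   # owner again, similar rhythm
BOT = [0, 100, 200, 300, 400, 500, 600, 700]         # keys fired every 100 ms exactly
IMPOSTOR = [0, 80, 170, 240, 340, 425, 520, 600]     # a faster human typist

def flight_times(timestamps):
    """Intervals between successive key presses, in milliseconds."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def enroll(sessions):
    """Baseline for one account: mean and population stdev of all its intervals."""
    intervals = [t for s in sessions for t in flight_times(s)]
    return {"mean": mean(intervals), "std": pstdev(intervals) or 1.0}

def score(profile, session):
    """Return (z, cv): mean absolute z-score of the session's intervals against
    the enrolled baseline, and the session's own coefficient of variation
    (stdev / mean).  A cv near zero means machine-regular timing."""
    iv = flight_times(session)
    z = mean(abs(t - profile["mean"]) / profile["std"] for t in iv)
    cv = pstdev(iv) / mean(iv) if mean(iv) else 0.0
    return z, cv

def classify(profile, session, z_max=2.0, cv_min=0.05):
    """Label a session; thresholds are illustrative, not tuned values."""
    z, cv = score(profile, session)
    if cv < cv_min:
        return "automated"    # no human jitter at all
    if z > z_max:
        return "suspicious"   # rhythm far from the account owner's baseline
    return "genuine"

PROFILE = enroll(ENROLL_SESSIONS)

if __name__ == "__main__":
    for name, s in [("genuine", GENUINE), ("bot", BOT), ("impostor", IMPOSTOR)]:
        print(name, classify(PROFILE, s), "z=%.2f cv=%.3f" % score(PROFILE, s))
```

In practice a score like this is one input to a risk decision (step-up authentication, rate limiting) rather than a hard block, and the baseline must be rebuilt as a user’s typing habits drift.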

Among all the security vulnerabilities confronting retailers, the single biggest problem is unmistakably obvious: stores often don’t realize they have been attacked until far too late. 

Often, they don’t learn about an attack until receiving a call from a credit card company regarding seemingly strange activity. In the interim, according to the 2018 Crowdstrike Global Threat Report, the average attacker’s “breakout time” in 2017 was 118 minutes, and it continues to narrow. The upshot: Once an intruder compromises a network, he can move to other machines in the network in less than two hours. 

This is unacceptable, and retailers must confront this vulnerability immediately and head-on. It’s too late to act this holiday season. But this needs to be their top priority for the holiday season in 2019, and preferably much sooner.

Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
