Top threats facing retailers this holiday season

Business Security

While it may be too late to introduce wholesale changes to your security policies, it can’t hurt to take a fresh look at where the biggest threats are and which best practices help to neutralize them.

Retail at risk: Top threats facing retailers this holiday season

The holiday shopping season is starting in earnest. While retailers are focused on jockeying for an estimated $1.5 trillion in sales this year (and that’s just for the US), their hard work may be wasted because not enough attention is being paid to cybersecurity.

Why? Because these are the best of times and the worst of times for retail IT teams. The busiest time of the year for customers is also a magnet for cybercriminals. And while it’s too late at this stage to introduce wholesale changes to your security policies, it doesn’t hurt to take a fresh look at where the biggest threats are, and which best practices can help neutralize them.

Why retail, why now?

Retailers have long been singled out for special treatment by cybercriminals. And the busiest shopping time of the year has long represented a golden opportunity to strike. But why?

  • Retailers hold large amounts of their customers’ personal and financial information. Just think of all the card details they process. It’s no wonder that all (100%) of the retail data breaches Verizon investigated last year were driven by a financial motive.
  • The holiday shopping season is the most important time of the year for retailers from a revenue perspective. But this means they are more exposed to cyberthreats such as ransomware or distributed denial-of-service (DDoS) attacks designed to extort by denying service. Unscrupulous competitors could even launch DDoS attacks to deny their rivals important customers and profits.
  • Being a busy time of year means that employees, especially IT teams, are more focused on supporting the business to generate as much revenue as possible than on hunting for cyberthreats. They may even tweak internal fraud filters to allow larger purchases to be approved without review.
  • Retailers increasingly rely on digital systems to create omni-channel commerce experiences, including cloud-based business software, in-store IoT devices and customer-facing mobile applications. In doing so, they (often unintentionally) expand the potential attack surface.

Let’s not forget that one of the largest recorded data breaches in the world occurred and was announced during the holiday season of 2013, when hackers stole 110 million customer records from the US retailer Target.

What are the biggest cyberthreats to retailers this holiday season?

Not only do retailers have to defend against a greater range of attacks, they also have to contend with an increasingly diverse set of tactics, techniques and procedures (TTPs) from a determined set of adversaries. Attackers’ goals are to steal customer and employee data, extort/disrupt your business through DDoS, commit fraud, or use bots to gain a competitive advantage. Here are some of the top retail cyberthreats:

  • Data breaches can come from stolen/cracked/phished employee credentials or vulnerability exploitation, especially in web applications. The result is significant financial and reputational damage that can derail growth plans and profits.
  • Digital skimming (i.e., Magecart attacks) occurs when threat actors exploit vulnerabilities to insert skimming code directly into your payment pages, or deliver it through a third-party software supplier/widget. Such attacks are often difficult to detect, meaning they can do lasting damage to reputations. They accounted for 18% of retail data breaches last year, according to Verizon.
  • Ransomware is one of the main threats for retailers, and during this busy period threat actors may step up their attacks in the hope that more businesses will be willing to pay to get their data back and decrypted. SMBs in particular are in the crosshairs, as their security controls may be less effective.
  • DDoS remains a popular way to extort and/or harass retailers. Last year the sector was on the receiving end of nearly a fifth (17%) of these attacks, a 53% year-on-year (YoY) increase, with peaks seen on Black Friday.
  • Supply chain attacks may target a digital supplier such as a software company or even an open source repository. Or they may be aimed at more traditional professional businesses, or even cleaning services. The Target breach was made possible when hackers stole network credentials from an HVAC supplier.
  • Account takeovers (ATOs) are usually enabled by stolen, phished or cracked credentials. This could be the start of a major data breach attempt, or it could be aimed at customers, via credential stuffing or other brute-force campaigns. Malicious bots are usually used here.
  • Other nasty bot attacks include scalping (where competitors buy in-demand items to resell at a higher price), payment/gift card fraud, and price scraping (enabling competitors to undercut your prices). Malicious bots make up about 30% of all internet traffic today, and two-thirds of UK websites can’t block even simple attacks. There was an approximately 50% increase in bad bot traffic in the 2022 holiday season.
  • APIs (application programming interfaces) are at the heart of retail digital transformation, enabling more connected and seamless customer experiences. But vulnerabilities and misconfigurations can also give hackers an easy route to customer data.
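As an added example (not code from the article), a small Python audit that checks every script on a checkout page against an origin allowlist, requires SRI on partner scripts and compares inline script bodies against approved digests; this is one way to surface the injected or third-party skimming code described above. The allowlisted hosts and the sample page are constructed.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Assumed allowlists for a retailer's checkout page (constructed values).
FIRST_PARTY = {"shop.example", "cdn.shop.example"}
THIRD_PARTY = {"js.payments-partner.example"}  # partner scripts must carry SRI

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r'(\w[\w-]*)\s*=\s*"([^"]*)"')

def sri_hash(body: bytes) -> str:
    # SRI-style digest of a script body: "sha384-<base64>".
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

def audit_checkout_page(html: str, approved_inline: set) -> list:
    # Returns (severity, detail) findings for scripts that should not be on
    # the page. Regex tag matching is enough for this constructed sample; use
    # a real HTML parser on production pages.
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        a = dict(ATTR_RE.findall(attrs))
        if not a.get("src"):  # inline script: compare against approved digests
            h = sri_hash(body.strip().encode())
            if h not in approved_inline:
                findings.append(("high", "unapproved inline script " + h))
            continue
        host = urlsplit(a["src"]).hostname or ""
        if host not in FIRST_PARTY | THIRD_PARTY:
            findings.append(("high", "non-allowlisted script origin " + host))
        elif host in THIRD_PARTY and not a.get("integrity"):
            findings.append(("medium", "partner script without SRI: " + a["src"]))
    return findings

# Constructed checkout page: approved inline bootstrap, first-party script,
# partner SDK with SRI, and one injected script from an unknown host.
SAMPLE_PAGE = """<script>window.cartTotal = 42.00;</script>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://js.payments-partner.example/sdk.js" integrity="sha384-AAAA"></script>
<script src="https://static.cdn-metrics-example.test/a.js"></script>"""
APPROVED_INLINE = {sri_hash(b"window.cartTotal = 42.00;")}

if __name__ == "__main__":
    for severity, detail in audit_checkout_page(SAMPLE_PAGE, APPROVED_INLINE):
        print(severity, detail)
```

Running the same audit on each deploy, and alerting when a new finding appears, turns a hard-to-spot skimmer into a diff against the approved baseline.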

How retailers can protect themselves against cyber risks

In response, retailers must balance security with employee productivity and business growth. That’s not always an easy calculation, especially with the high cost of living putting more pressure on profitability. But it can be done. Here are 10 best practices to consider:

  • Regular staff training: This should go without saying. Make sure your employees can spot even sophisticated phishing attacks, and you will have an effective last line of defense in place.
  • Data audit: Understand what data you have, where it is stored, where it flows and how it is protected. This must be done in any case as part of GDPR compliance.
  • Strong data encryption: Once you have discovered and classified your data, apply strong encryption to the most sensitive information. This should be done on an ongoing basis.
  • Risk-based patch management: The importance of software patching cannot be overstated. But the sheer number of new vulnerabilities published each year can be overwhelming. Automated risk-based systems should help streamline the process and prioritize the most critical systems and vulnerabilities.
  • Multi-layered security protection: Consider anti-malware and other capabilities at the server, endpoint, email, network and cloud layers as a preventive barrier against cyberthreats.
  • XDR: For threats that slip past those preventive controls, make sure you have robust extended detection and response (XDR) that works across multiple layers, including support for threat hunting and incident response.
  • Supply chain security: Audit all suppliers, including digital partners and software vendors, to ensure their security posture is aligned with your risk appetite.
  • Strong access controls: Password managers for strong, unique passwords and multi-factor authentication are a must for all sensitive accounts. Together with XDR, encryption, network segregation and preventive controls, they form the basis of a Zero Trust security approach.
  • Disaster recovery/business continuity planning: Reviewing these plans helps to ensure that the right business processes and technology tools are in place.
  • Incident response planning: Make sure your plans are watertight and regularly tested, so that every stakeholder knows what to do in a worst-case scenario and no time is wasted responding to and containing the threat.

For most, if not all, retailers, PCI DSS compliance is also an essential business requirement. Think of it as an opportunity instead of a burden. Its detailed requirements will help you create a more mature security posture, and reduce risk exposure. Technologies such as strong encryption also help reduce the cost and administrative burden of compliance. Happy holidays.
