Cyber security threats in retail

Retailers have had little choice but to transform their IT infrastructure as customers increasingly move to online shopping and high street-based revenues decline. Retailers and most of their customer interactions and data are now online and as such, many retailers are adopting Cloud for some, or all, of their customer-facing revenue impacting applications. Cloud computing offers agility and scaleability to meet demand – a much better approach than risking the chance of being under-resourced when demand and traffic are high, or over-resourced when demand is lower.

Retail Data Breaches

Cloud adoption is a great step forward for the retail world, but the dark side of the story is that cyber attacks are targeting retail on a regular basis. Customers’ personal and financial details are now stored online by a whole host of retailers, as are their spending patterns and loyalty behaviours.

It’s not uncommon, especially recently, to learn that millions of user accounts have been compromised and this can have a devastating effect on a business. This type of incident can be seen as a signal to your customers that you can’t protect your most valuable assets. The most obviously damaging information to be made public is of course customers’ financial information (credit or debit card numbers) but retailers have a duty of care towards all the information they process.

Even seemingly benign details such as spending habits could allow sophisticated cybercriminals to send ‘phishing’ emails that could in turn lead to further data theft or cybercrime.

An example of a recent retail data breach comes from a UK second hand electronics retailer CEX, who suffered a data breach affecting up to two million customers in August 2017. It’s therefore not surprising that retailers are outsourcing payments and worrying about the upcoming GDPR regulation. The unfortunate reality is that retail companies are rich pickings for cyber criminals – I witnessed that credit cards are very easy to monetise whilst doing my own research on the dark web.

Security Risks in a Retail Environment

In the 2016 Retail Crime Survey, published by the British Retail Consortium, 53% of reported fraud in the retail industry is facilitated by cyber; totalling almost £100m a year. The importance of security in the retail industry can also be seen in the Alert Logic Cloud Security Report 2017, which found that the retail industry observed a staggering amount of security incidents across a variety of online environments; some 14,000 in the public cloud, 199,000 in hosted private cloud environments, as well as 50,000 on-premises, to name but a few.

Specifically, web application attacks were the most pressing and recurrent issue that retailers had to deal with in 2017. Of all the incidents observed by Alert Logic that their customers experienced, 75% of them were web application attacks – that is a client-server computer program in which the client runs in a web browser. This is no different for the retail industry, of which 80% of attacks noted were indeed web application attacks.

Retailers running e-commerce systems should be aware that they are more likely to be missing modern security features, and even recent systems may not be fully resistant to all application attack techniques. Attackers are increasingly able to launch multiple probes against these systems, searching for weaknesses that can be exploited to gain access. Access to systems serves as a point of ingress for further attacks, giving attackers a means of stealing financial information, or as a way to obtain goods without payment.

Furthermore, the public-facing nature of the retail industry means that cybercriminals can exploit the public’s general shopping trends, using them as opportunities to launch cyberattacks at particularly busy periods; for example, at times where retailers are all attempting a sales push (like Black Friday, the Golden Quarter or post-Christmas), cybercriminals could exploit this increased traffic as cover for attacks.

Developing e-commerce applications is a game of economics as much as anything else. Ensuring the security of the application is often a low priority, compared to delivering a positive customer experience. This lack of attention to security measures coupled with an increase in investment by attackers means that application attacks are likely to remain a significant risk for the retail industry in the future – particularly at busy times of the year.

Retail Industry Faces a Challenging Cyber Threat Landscape

Brute force attacks are likely evidence of similar activity, where attackers simply try and guess system usernames and passwords. Worryingly, systems are frequently deployed with default usernames and passwords, or replaced with insecure passwords that a systematic password guessing system could bypass in minutes.

Reconnaissance and suspicious activity attacks are evidence of attackers probing systems and networks, searching for potential vulnerabilities that can be exploited to gain access. Once the cyber attacker gains access to a system, he can launch further attacks to escalate privileges until he obtains full control of the system to plunder information at will. Trojan activity detected within the retail industry encompasses malware that has infiltrated networks and is attempting to spread, or seeking to communicate with cyber criminals to obtain further instructions.

The retail industry faces a challenging threat environment. By processing large amounts of financial data, the retail industry will continue to attract the attention of malicious actors. Investing in and maintaining security systems to combat attackers and their continued innovations are vital to protecting systems and the valuable information they hold.

As hacker techniques are becoming more widespread and sophisticated, it is important to have a comprehensive cyber security strategy in place. The impact of these data breaches can be catastrophic, especially in retail where brand reputation and loyalty are the keys to success.

While securing a retail business can seem like a daunting task, if organisations remain aware of the risks, aware of the new attack vectors and methods that cybercriminals are undertaking, and take some of the necessary precautions to stop them from happening, they can remain ahead of the actors seeking to hurt your business.

How Can Businesses Achieve High Levels of Cloud Security?

Ask yourself these questions: do I have an access management system in place, do I patch my systems as regularly as possible, can I make sure my web applications are secured? The best way to do this is to adopt a more proactive approach to finding a breach. A modern security team of cyber security experts will consist of cyber hunters and threat analysts to predict how the most valuable data could be stolen and constantly look for signs that an intruder has gained access to the network.

These expert cyber skills are hard to find, and expensive to hire. So, unless retailers are in the desirable position of being able to run a fully comprehensive cyber security system, with all the tools, technologies, threat intelligence and people that can keep you safe, 24/7, they must establish priorities and companies might find that the quickest and most cost-effective way of delivering security might be to partner with a Security-as-a-Service provider.

In many cases, an online presence may be a priority for retailers in terms of its importance to their revenue. But there’s no doubt that it can also be a significant challenge. There is a fine line between success and failure in online trading – sometimes all it takes to take the business down is just one cyber attack. An effective cloud security strategy can make it easier to stay on the right side of that line.

Oliver Pinson-Roxburgh is the EMEA director for Solutions Architecture at Alert Logic, one of the nation’s leading cloud security providers.