Retail Data Security: ‘Tis the Season to Be Wary
Ensure your retail data security includes all the trimmings this holiday season
By: Troy Bettencourt, Director - Incident Response
Retailers are anticipating a rough holiday shopping season due to major supply chain woes. But there’s one retail supply chain that is in full working order. In fact, the 2021 holiday season is likely to be its best one yet.
That’s the supply chain of seasonal retail cyber threats.
The holiday season is obviously the best time for threat actors to attack retailers. After all, that’s when retailers have the most to lose. And, unfortunately, in their intensive prep for the upcoming weeks of peak shopping, retailers have a lot to do besides shore up their cyber defenses.
So with the holiday season upon us, it’s a good idea to review the top threats to retailers posed by some of the folks on Santa’s “absolutely definitely naughty” list.
Costly, Disruptive Attacks
First, let’s consider threats that are potentially catastrophic to retailers because they disrupt business right when a good percentage of the entire year’s revenue hangs in the balance:
- Ransomware. Ransomware has been the #1 bogeyman for just about every business over the last several years. A well-executed ransomware attack can quickly bring every aspect of a retailer’s operations—including POS systems, inventory management, email, websites, and payroll—to a grinding halt. And there are plenty of documented high-profile incidents where threat actors launched their ransomware right before a key holiday for maximum impact.
Remember, though, that ransomware attackers are mostly opportunistic—and that their goal is primarily to create just enough pain to get their victims to pay the ransom. So a good security program can make a retailer just difficult enough for threat actors to move on to an easier target.
- Distributed Denial of Service (DDoS). DDoS attacks attempt to overwhelm a target with more requests for information or services than it can handle. This can be done by targeting a single point such as a website, or by flooding the target’s perimeter as a whole (websites, firewalls, etc.). In these cases, a retailer may have to depend on their Internet provider and/or web hosting service to help block or minimize the attacks.
- Insider threats. Insider threats come in many forms. Among the worst are those perpetrated by disaffected IT admins with broad system privileges since they can shut down systems, steal data, and do all other kinds of mischief with both impunity and skill.
Other staff, however, can do damage as well. Salespeople can steal client lists. Operations staff can do physical damage to critical systems. And managers with the right access privileges can steal data and freeze applications.
Retailers have to be especially careful about insider threats during the holidays, because they hire temporary staff with no personal stake in the long-term health of the company. And, given how desperate retailers are to find and hire people in the current labor market, they may fail to properly screen their temps. Amid the holiday crunch, retailers may also fail to properly train temporary staff, leaving the company exposed to the risk of unintentional, non-malicious digital harm.
Costly, Non-Disruptive Cardholder Data Theft (PCI)
Retailers focus almost exclusively on disruptive attacks, since those can do the most harm during their revenue prime time. But there are also threats that don’t disrupt holiday shopping, yet can ultimately have significant consequences for the business.
Cardholder data theft is one such threat. Retailers are obviously vulnerable to this threat since they accept credit and debit card payments. This attack can take many forms, but the threat actor’s ultimate goal is to steal your customers’ card information. And, though these attacks may not immediately disrupt holiday sales, they still have consequences. No one wants to be subject to an investigation by one or more card brands. And, in some cases, a card brand may start their investigation during the holiday season—making even this non-disruptive retail data security attack at least somewhat impactful to holiday business.
Also bear in mind that the investigations and fines that result from cardholder data theft can be quite costly. There have even been cases where the card brand fines anticipated by retailers have been sufficient for them to consider bankruptcy.
Gauging Potential Consequences
The fact that the consequences of cardholder data theft may not entail any loss of actual in-the-season transactions at all brings us to one more point: These organizations often under-fund and under-attend to retail data security because they don’t fully comprehend the full extent of the damage an attack can wreak on their business in the long term. So, let’s quickly review this partial list of potential impacts:
- Payments. The inability to accept payments is probably every retailer’s greatest fear. The impact of attacker-induced downtime is also the easiest cost to calculate, since retailers have a pretty good idea of what their hourly, daily, and weekly sales volumes are. The direct impact of a DDoS attack is usually just the loss of a few hours’ worth of revenue. A successful ransomware attack, on the other hand, can last for days—or even weeks.
- Inventory chaos. Cyberattacks can disrupt a retailer’s inventory management, which in turn leads to all kinds of business impacts including lost sales, failure to replenish, permanent loss of unhappy customers, added shipping costs, spoilage, and unchecked shrinkage. While these impacts may be difficult to fully and accurately quantify, they are significant impacts nonetheless. Every retailer should ask themselves how long they could really tolerate the loss of their inventory management functions.
- Relation/reputation loss. Customers buy from their favorite retailer because they are confident that company has the right product at the right price, offers the right levels of service and expertise, and consistently delivers a positive shopping experience. Unfortunately, it only takes one bad experience—even if it’s caused by a cyberattack beyond the retailer’s control—for a customer to become a non-customer.
Ex-customers can also become ex-recommenders, so a security incident can also cost retailers a lot of future business. And that loss of loyalty typically becomes a competitor’s gain. Cyber incidents can also shake the confidence of favored suppliers, further compromising a retailer’s long-term prospects.
- Personnel loss. It is tough to hire and retain good retail workers. But when retailers experience operational and/or cash-flow problems, they often have little choice but to let employees go—or perhaps lay them off temporarily, in which case those employees often take another job elsewhere. In the current labor market, such losses are less tolerable than they might have been in the past.
What’s a Retailer to Do?
The good news is that retailers can protect themselves from all the above attacks and their consequences by implementing the same retail data security controls during the holiday season as they should have in place year-round. And, while a full description of those controls wouldn’t fit in this space, retailers—like every other business—need to bear in mind three basic principles:
- Protection. The primary goal of cybersecurity is obviously to prevent threat actors from achieving their nefarious goals. This is done through all the essentials of defense—including multilayer security from the perimeter to devices, applications, and data; encryption; strong passwords and multi-factor authentication; educating users how not to fall for phishing attacks, and so forth.
- Detection. Often undervalued, the ability to quickly identify any penetration of the retail environment (i.e., minimizing Mean Time to Detect, or “MTTD”) is an essential aspect of security. And that identification shouldn’t just be that some incident has happened. It must also include, to whatever extent is possible, identifying what has happened and/or is happening—because that identification is what will enable retailers to understand and neutralize an incipient attack before it does any real damage.
- Resiliency. Retailers can also protect themselves by adopting best practices for maintaining business continuity even in the event of a serious breach. These best practices include reliable data backup, an alternative failover for processing payment cards, and pre-planned emergency procedures (such as ATM access and plenty of small change on hand in case business suddenly has to be done in cash).
The holidays are the most wonderful time of the year. It just takes a reasonable amount of due diligence to keep them that way. And if you need a little help with that due diligence for your retail data security, you know who to call. Just think of us as Santa’s Little Hackers!