Retailers are on high alert. U.S. companies and government agencies experienced a record 1,093 data breaches in 2016, up 40% year over year, and all evidence suggests still more (and still more dangerous) digital attacks are coming in 2017.
Nearly one in three retailers have already suffered revenue losses as a result of a cyberattack, and retail organizations perceive targeted attacks as the greatest risk facing their business, according to the Cisco 2017 Annual Cybersecurity Report. Even so, just 52% of retail organizations consider their security infrastructure up-to-date and upgraded with the best technology tools (below other industries at 59%), and only 61% strongly agree that they are able to maintain full compliance with payment card industry (PCI) security standards.
But knowledge is power. Not only can retailers mitigate the threat of cybercrime by understanding and recognizing the most likely vectors of attack — they can also team with cybersecurity experts and other trusted partners to fortify their defenses. Here’s what retailers need to know.
1. The Internet of Things is a growing target
The internet was shaken to its foundations in October 2016 when an array of e-commerce sites and digital platforms including Etsy, Shopify, Twitter, PayPal and Pinterest fell prey to a series of distributed denial of service attacks on web domain partner Dyn. DDoS attacks leverage internet addresses associated with devices already infected with malicious code to generate massive amounts of traffic to overwhelm targeted sites; blame for the assault on Dyn, which unloaded a reported 1.2 trillion bits of data traffic on its servers, ultimately landed on botnets targeting unprotected Internet of Things devices, including web-enabled cameras.
With IoT innovations like smart shelves, RFID merchandise trackers and perishable goods sensors gaining increasing momentum in retail, look for DDoS attacks targeting IoT devices to escalate in 2017 and beyond. With IoT manufacturers slow to implement security standards and network integration challenges still looming, research firm Forrester anticipates half a million IoT devices will be compromised this year alone.
“The Internet of Things is going to make things a lot trickier,” Robert Horn, associate director at insurance and risk management solutions provider Crystal & Co., told Retail Dive. “We’re already getting claims from companies that are connecting everything they have to the cloud. We’re going to see more of those claims.”
Experts say retailers should develop an overall infrastructure policy on IoT devices, and address potential security issues for each new device before trouble arises. Merchants should also work closely with IoT manufacturer partners, and lean on them to make their devices as secure as possible throughout the product lifecycle.
“There’s very little you can do to defend yourself against DDoS attacks,” Maarten Van Horenbeeck, vice president of security engineering at content delivery network Fastly, told Retail Dive. “More and more, retailers are starting to prepare early on. They do that by purchasing significant bandwidth so that they’re prepared for large attacks. Preparation is key.”
2. Ransomware is on the rise
More than three decades after the first computer virus entered the digital bloodstream, malware continues to grow more sophisticated and more nefarious. Exhibit A: Ransomware, a strain of malware that prevents users from accessing their system, locking down screens or files until a ransom is paid. More advanced crypto-ransomware that essentially scrambles files and renders them unreadable without a decryption key has become increasingly prevalent in recent years, especially among cybercriminals targeting enterprises: In the first quarter of 2016, ransomware and recovery costs climbed to $210 million, according to FBI data.
All in all, ransomware attacks exploded from 3.8 million in 2015 to a staggering 638 million in 2016, according to network security solutions firm SonicWall, citing the emergence of ransomware as a service (a user-friendly variant enabling thieves to simply download the virus either for free or a nominal fee, determine a ransom total and payment deadline, then devise a scheme to trick unwitting victims into infecting their computers) as well as the low costs of carrying out ransomware plots, the ease of distribution and the low risk of capture or punishment.
“A lot of times with ransomware attacks, companies are at a loss to defend it. They pay all these ransoms because they don’t have proper backups of their security systems,” Horn said. “Backing up regularly is a huge and pretty simple way to protect your network and your system. Also, update all the software — any time there’s a security hole, software companies issue patches pretty quickly. It’s important to update software as those updates come through.”
3. There’s strength in numbers
Following a spate of high-profile retail customer data breaches during the first half of the decade, the retail industry took dramatic steps to bolster transaction security, highlighted by the adoption of EMV chip-enabled point-of-sale systems and widespread implementation of the Payment Card Industry Data Security Standard (PCI-DDS) checklist. Those efforts began paying off handsomely in 2016: SonicWall reports that the number of new POS malware variants plummeted 88% year over year, indicating that cybercriminals are increasingly less interested in dedicating time and energy to hacking POS systems — a trend that should continue moving forward.
The decline in POS malware is proof positive that aggressive action can neutralize cyber threats. But in addition to industrywide efforts, retailers must implement proactive in-house cybersecurity strategies as well. Basics include both a Written Information Security Program (a set of comprehensive guidelines and policies designed to safeguard all confidential and restricted data) and an Incident Response Plan (a set of instructions outlining how to identify, react to and limit the impact of an information security event). Retailers also should hire security professionals specializing in cybersecurity protections, as opposed to expecting IT admins to juggle cybersecurity expertise alongside their existing responsibilities.
Look for retailers to rely more and more on vendor partners as well. “New ideas, concepts, and schemes are developed every day by cybercriminals, and their sophistication often includes virtual escape methods,” according to Richard Mellor, former vice president of loss prevention for the National Retail Federation. “Therefore, it will be even more important for loss prevention professionals, IT teams and cybersecurity specialists within a retail organization to find the right partners to protect their brand integrity. These partners will be those that specialize in providing solutions that enhance shopping processes for the business while also protecting online channels.”
Experts recommend purchasing a cyber liability policy — i.e., insurance coverage designed to protect retailers and other online businesses from financial losses, service disruptions or reputation damage suffered as a result of data security breaches. “Insurance policies go a long way in saving the balance sheets of small and mid-sized companies, but our clients also include some larger, multinational retailers,” said Horn.
Last but not least, retailers should share information for the greater good. In 2014, the Retail Industry Leaders Association teamed with retailers including Gap and Walgreens to launch an intelligence-sharing resource enabling merchants to swap information on breaches and looming threats. Transparency should remain the watchword moving forward, Van Horenbeeck said.
“Attackers are going to attack any way they can find to reach the information they’re after,” he said. “Retailers should share information and insight to stop them.”