Retailers continue to shift their attention from traditional brick and mortar operations to digital channels, and consumers like it: in 2016, U.S. retailers’ non-traditional sales, which include ecommerce, increased 11.9%.
While digital channels offer opportunities to expand into new markets, the obvious downside is the increased exposure to digital risks. Retail consistently ranks as the industry that faces the biggest security risks because retailers possess a treasure trove of customers’ personally identifiable information (PII) and financial data. Nearly 90% of retail cyber security experts acknowledge their companies had been compromised by attacks between 2014 and 2016, according to KPMG International.
While a possible security breach is the biggest retail security risk, companies must contend with all types of online breach attempts, including social engineering and DDoS attacks, malicious code that steals login credentials, and malware. In fact, Graham Cluley noted that over 50% of retail security risks leverage the last two of these attack vectors.
In recent years, we have seen a number of high-profile breaches, including Target, eBay, Neiman Marcus and Yahoo, to name just a few. What are the lessons online retailers can learn from the biggest online retail breaches of all time?
Lesson 1: Online Retail Breaches are Everywhere
Whether it’s a retailer that sells exclusively online or a bricks-and-mortar store that is moving to e-commerce, the threat of a data breach is a primary concern. Cyber security is, in fact, tied in 1st place along with general economic concerns in a list of Top 20 Risks for Retailers. Unlike other industries, retail has far more digital footprints for cybercriminals to target for fraud, malware, DDoS and other attacks.
Lesson 2: Importance of Authentication and Social Media
A breach of the high-end retailer Neiman Marcus in late 2015 offers a lesson about the importance of improving user authentication and shoring up social media security gaps. Hackers used automated attacks to try various login and password combinations to compromise 5,200 customer accounts of several Neiman Marcus Group brands. Neiman Marcus downplayed the breach by saying only basic contact information and the last four digits of credit cards were viewed by the hackers, while PII such as Social Security and PIN numbers and dates of birth were not visible.
But Neiman Marcus’ post-hack defense failed to consider how cybercriminals can gather details about consumers by viewing their social media profiles and then pairing that information with PII and other data – including all-important usernames and passwords – that they got from different hacks. The Neiman Marcus hackers didn’t need every detail – nor could they get every detail – about the customers in one breach. Like most cybercriminals, they have to work piecemeal, putting together portions of data they stole from different breaches along with data they purchased from underground forums to eventually assemble a complete profile of a consumer’s personal information.
Retailers – along with other customer-facing industries such as finance – have to start implementing, and encouraging their consumers to use, other types of authentication methods, such as biometrics, mobile verification codes and geo-location. But until merchants and banks solidify current security processes and invest in new security technology, they can expect cybercriminals to continue breaching customer accounts.
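The automated login attempts described above leave a distinctive trace on the defender's side: one source failing against many different accounts, unlike a genuine user mistyping their own password. As an added example (not code from the original article or from Neiman Marcus), this Python detector runs over a constructed, labelled sample of login events; the log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of web-login events (not real data). Fields: time, source
# IP, account attempted, outcome. Addresses come from the 203.0.113.0/24 test range.
SAMPLE_LOG = """\
2015-12-26T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2015-12-26T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2015-12-26T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2015-12-26T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2015-12-26T10:00:03Z ip=203.0.113.5 user=erin result=OK
2015-12-26T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2015-12-26T10:01:10Z ip=203.0.113.77 user=grace result=FAIL
2015-12-26T10:01:40Z ip=203.0.113.77 user=grace result=FAIL
2015-12-26T10:02:05Z ip=203.0.113.77 user=grace result=OK
"""

# Assumed line layout; adjust the pattern to the real login-audit format.
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def detect_credential_stuffing(log_text, min_failures=5, min_accounts=4):
    """Return {ip: (failures, distinct_accounts, successes)} for source IPs whose
    failed logins are spread across many different accounts. A single user
    failing repeatedly from one IP is not flagged: the distinct-account count
    stays at 1, which is the forgotten-password pattern, not an attack."""
    failures = defaultdict(int)
    successes = defaultdict(int)
    accounts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ip, user, result = m.group("ip", "user", "result")
        accounts[ip].add(user)
        if result == "OK":
            successes[ip] += 1  # a success after many failures is the alert to act on
        else:
            failures[ip] += 1
    return {
        ip: (failures[ip], len(accounts[ip]), successes[ip])
        for ip in accounts
        if failures[ip] >= min_failures and len(accounts[ip]) >= min_accounts
    }


if __name__ == "__main__":
    for ip, (fails, n_acc, oks) in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {fails} failures across {n_acc} accounts, {oks} successful logins")
```

The flagged entry carries a success count so that the accounts that did open (here erin) can be forced through re-authentication or a verification code, the kind of second factor the lesson recommends.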
Lesson 3: Supply Chain as an Attack Vector
While focusing on the many customer-facing channels is critical, retailers shouldn’t forget about supply chain risks. Just about every retailer’s supply chain is made up mostly of SMEs, and this digital ecosystem is a wide portal of connections: suppliers, vendors, service providers, contractors, affiliates and partners.
There’s no guarantee a retailer’s vendors’ cyber security meets the retailer’s own security standards. Vendors’ lack of cyber vigilance usually puts retailers' data at great risk. Almost 80% of data breaches are caused by supply chain vulnerabilities. Cyber risk changes shape frequently, so it’s imperative for retailers to constantly vet their vendors’ security processes.
Lesson 4: Breaches Are Expensive
The cost of a single stolen record that contains sensitive and confidential information is now $158, according to a recent Ponemon Institute and IBM study. But an even bigger danger from a breach is the reputational and brand damage a retailer can suffer.
Target’s year-on-year sales fell by 46% in the fourth quarter of 2013 after 40 million credit card records were stolen from the retailer’s air conditioning supplier (see previous lesson about vendors). And, after a massive breach of 145 million customer records in 2014, eBay acknowledged declining user activity that impacted its quarterly net revenue.
Lesson 5: Employee Awareness and Training is Paramount
Every department can put a retail business at risk, which is why employees need to be aware of the many risks they face with email, social media and other digital channels. While cyber security programs and solutions aim to protect data at all levels, they are not effective if employees at all levels don’t buy into security.
As the eBay breach demonstrated, employees can inadvertently help cybercriminals. The hackers who penetrated eBay’s corporate network used legitimate credentials they lifted from employees.
Nearly 100% of Microsoft Office threats come from malicious macros, and retailers have recently been hit by POS-targeting macro threats – methods that rely on employees not being careful. All it takes is one employee being tricked into opening a supposedly clean email attachment to infect a retailer’s networks and potentially compromise POS systems.
Lesson 6: Over-Confidence is the Problem
Considering that retail is targeted by cybercriminals more often than any other industry, it would seem that retailers wouldn’t be overconfident. But they are. A new survey points to a worrisome trend: companies are overconfident in their ability to detect data breaches. 90% of survey respondents believe they could detect a data breach within their critical systems in one week or less.
Confidence doesn’t always breed success, especially in the difficult realm of cyber security. No matter how strong a retailer’s cyber security posture might seem, it needs the technology and expertise of a managed detection and response provider to continuously monitor digital assets, so that relevant risks and threats are discovered quickly, before they cause irreparable damage to customer trust and the bottom line.