July 15, 2014 By Douglas Bonderud

Target. Adobe. AOL. eBay. What do they have in common? All are big companies that have been the victims of big security breaches over the last year. In the case of online auction site eBay, over 145 million records were compromised, while Target dealt with upwards of 70 million breaches. While the rise of e-commerce and cloud data storage has proven to be a boon for consumers, a host of compliance and security challenges have emerged. How do retailers protect their bottom lines?

Security Challenges and Profit/Loss

According to recent IBM research, data breaches significantly impact consumer confidence. In the case of one major breach, for example, the company saw a 46 percent drop in profit the quarter after the breach occurred. And while malicious actors are becoming more sophisticated, learning to ape the actions of legitimate consumers and distract retailers with DDoS attacks as they steal customer data, the public has little patience even in the case of advanced threats or zero-day attacks. Why? Consider the high value of stolen credit card data. Posted online, this data can instantly start generating revenue for attackers and causing serious headaches for consumers. Here, your customers’ bottom line is most important: If you hold their data, it must be kept close to your chest.

“The financial and reputational damage that can be inflicted on a retailer by a major security breach can be so severe, and so destructive, as to approach the financial and reputational damage a commercial airline might suffer from a serious accident,” IBM’s Global Retail Solution Lead Mark Yourek notes in a recent Insights on Business series on retail security.

With data breaches presenting such a significant risk, it only makes sense for companies to take every defensive avenue possible; but according to Dark Reading, almost one-tenth of retailers haven’t reported any cyber risks in financial documents filed with the SEC since 2011. What’s more, only 9 percent consider outsourced vendors a potential threat source, and fewer than 10 percent have purchased insurance to cover any cyber exposures, accidental or otherwise. In other words, retailers don’t seem that concerned.

Threat Vectors

Breaches pose a real risk to confidence and profit, but are they really so common? As noted in the second article in Yourek’s series, retail is one of the top five targeted industries. Why? Because retailers process massive amounts of financial data, and many do so from multiple stores across multiple states every single day. As a result, there are hundreds of potential access points for an attacker. It’s safe to assume that, at any given moment, every major retailer in the U.S. is under attack; even if 99 percent of these attacks are deflected, the threat is real — and continuous. It’s also worth noting that security and compliance are not the same thing. Since PCI DSS compliance can be a long and complex procedure, it’s often easy to equate the process with effective security. Compliance is simply adherence to government or industry data-handling standards; security is the defense of that data.

So where do these attacks come from? While much has been made of disgruntled ex-employees or those with intimate knowledge of a company, only 3 percent of all attacks come from insiders. Just under 1 percent come from inadvertent actions, while 83 percent come from outsiders. And the reason for these attacks? In most cases it’s not high-level espionage, terrorism or social activism but simple, opportunistic behavior. Hackers know these companies are high-value targets and are therefore willing to toss whatever they can at retail networks to see what sticks.

But what creates these opportunities? Five factors stand out:

  • End users accessing malware-laden websites or downloading infected files,
  • Weak passwords,
  • Insecure system configurations,
  • Legacy or unpatched technology,
  • Poor network security.

Effective Protection

So how can retailers overcome these security challenges to protect their bottom line? An in-depth security strategy is the key, and it starts with establishing a culture of security and speed. Users must be educated in effective password creation and safe network use, and monitored while on corporate networks. Companies must also have a broader security plan in place, one that contains elements to effectively contain a breach, assess the damage, remove the vulnerability and then communicate responsibility to the public; a speedy response can help mitigate total damages and minimize the loss of consumer confidence.

IBM’s white paper uses the example of a multinational supermarket chain that wanted to make it easier for employees to share data and communicate internally. By designing a single sign-on (SSO) personalized work environment for every user combined with automatic access rights updates and monitored network use, the retailer was able to increase productivity without compromising security.

Network defense is also critical and must be viewed as a series of access points rather than a single, defensible perimeter. For example, retail organizations must secure network points that include POS terminals, e-commerce websites, third-party vendor links, employee access points and, increasingly, IoT-based devices such as printers and security cameras. Each network connection must be considered a potential breach point, even if it is only peripherally connected to “crown jewel” components. As a result, each connection requires security protocols that reflect its function as a part of the larger network.

Finally, retailers must make use of analytics-based security tools. These tools scan incoming data and resource requests to identify anomalous behavior, then report this behavior to IT admins for further study. Effectively spotting odd behavior starts with monitoring everything from infrastructure logs to network data packets and DNS transactions, but to be truly proactive, a tool must go several steps further, reporting any odd network behavior in real time and intelligently adapting to network use patterns. The ideal analytics solution needs minimal oversight and should return few, if any, false alerts.

The New Security

Retailers are on the most-wanted list for hackers, who use opportunistic attacks to get in, get what they want and quickly get out. The first step in addressing retail security challenges is recognizing their destructive potential and coming to terms with the fact that no business is truly safe. Next, companies must determine how these opportunities are being created; finally, they must develop a holistic, end-to-end security model. Protecting the bottom line is no easy task, but by addressing the severity of attacks, assessing the scope of threat vectors and then designing an in-depth solution, it’s possible to minimize security risk.
