In this edition of our continuing SecurityIntelligence industry podcast series, we examine the current state of retail cybersecurity and review some best practices for the holiday season with the help of retail security expert Justin Ball.
We all know that retail cyberattacks increase during the holiday season. So, how can companies keep e-commerce sites and on-premises networks secure over the holidays and into the new year?
Why Security Maturity Is Lagging in the Retail Industry
Ball has seen it all, from Fortune 100 companies to small and midsize enterprises. His main takeaway is that, compared to other industries, retail remains heavily focused on compliance and the “mid-to-low tiers of security maturity.” Most spending is still tied to payment card industry (PCI) protection and redesigning those environments, yet the past two years have brought a shift in attackers’ tactics. Threat actors are now passing on payment card data in favor of more tempting morsels of personally identifiable information (PII), which let them conduct loyalty program attacks or carry out online fraud.
Shifting Operations Are Outpacing Vulnerability Management
As retail attacks ramp up during the holiday season, Ball advises companies to watch out for a variety of attacks, including:
- Online fraud via e-commerce stores;
- The use of stolen PII available on the dark web to compromise systems; and
- Illegitimate attempts to convert loyalty points into cash or store credit.
According to Ball, the speed of shifting retail operations is outpacing vulnerability management. As a result, companies often build applications or platforms without implementing common security standards, allowing threat actors the luxury of time to conduct reconnaissance and plan their attacks. Legacy tools also play a role here; many existing systems and tools can’t keep up with new cybersecurity demands.
How to Implement Effective Retail Cybersecurity During the Holidays
Ball has observed a common retail pattern during the holidays: putting systems into “IT lock,” where all changes, patches and updates to e-commerce and point-of-sale (POS) systems are frozen. It makes sense, since many companies generate 80 percent of their revenue over one-and-a-half months each year. It also means attackers can exploit existing vulnerabilities and high-traffic volumes to hide in plain sight.
For Ball, effective retail cybersecurity during the holiday season starts with paying extra attention to new employees, POS systems and mobile endpoints. Improving access oversight and hardening device security go a long way toward combating attackers’ efforts. Another recommendation is improved disaster recovery: failed systems frustrate users and can fast-track cyberthreats. Finally, it’s worth investing in threat intelligence tools that are capable of spotting cyberattacks before they even reach retail networks.
If you enjoyed listening, please consider rating the podcast or leaving your feedback on iTunes or wherever you listen.