November 18, 2016 By Christopher Burgess 4 min read

In the U.S., the post-Thanksgiving shopping blitz of Black Friday often serves as a make-or-break event for many retailers. Indeed, Black Friday is the day when retailers start to make a profit for the year.

No further explanation is needed to understand why retail cybersecurity is so important. Since the arrival of the browser, online shopping has evolved. In 2005, the National Retail Foundation (NRF) coined the term Cyber Monday to describe the Monday after Thanksgiving and Black Friday, and over the years it has evolved into a major concern for security-conscious businesses.

Retail Cybersecurity Is a Big Deal

According to Practical Ecommerce, the 2015 shopping weekend saw billions of dollars of sales, of which more than $10.4 billion was attributed to in-store sales and $5.77 billion to online sales. Meanwhile, comScore reported nearly $70 billion in desktop and mobile online sales between Nov. 1 and Dec. 31, 2015.

Everyone knows that criminals follow the money. Before the internet, we read about robberies of brick-and-mortar establishments. Now, with an anticipated $70-plus billion in online sales in just a 60-day period, we find that criminals have adjusted and moved online. In 2014, the number of daily attacks decreased during the timeframe surrounding Black Friday and Cyber Monday. Similarly, 2015 saw no major upticks in cybercrime, though small and medium-sized businesses found themselves in the bull’s-eye.

Verizon’s “2016 Data Breach Investigations Report” noted that “around 90 percent of all security incidents in the retail sector involved denial-of-service (DoS), point-of-sale (POS) or web app attacks.” The report explained that it took 79 percent of the organizations weeks or more to recognize that a crime occurred. In contrast, the holiday shopping period lasts for only eight weeks.

Passing on Passwords

Retailers should update their technologies. Security experts have been imploring retailers to move away from password-only environments. A 2012 Institute of Electrical and Electronics Engineers (IEEE) paper titled “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes” describes the ongoing, decades-old struggle to replace passwords with other authentication tools.

We asked John Haggard, chief executive officer (CEO) of Nymi and a global authority on authentication, for his thoughts on how retailers might protect themselves and, by extension, their customers. Here’s what he had to say:

“The single biggest corrective step a organization can make to secure its environment is to ensure all identities, including employees, partners, customers and especially machines, are correctly authenticated. This sounds simple, but it is incredibly difficult to break the addiction to passwords that is the current champion of authentication.

“What’s worse, the industry is getting organizations hooked on the multifactor alternative, which is arguably worse in today’s environment. With passwords, everyone knows the problem. With one-time codes, organizations believe they have plugged the hole when in fact they haven’t. Despite this warning, organizations should set a key objective that simply states, ‘Authenticate correctly and effortlessly.’

“This likely will never be solved 100 percent for any given period of time, therefore a constant evaluation of the authentication position can be captured by reviewing the data on incorrect authentications. A full 63 percent of breaches can be traced back to this issue, according to the Verizon study. The name of the game is to reduce the attack profile while preserving productivity.

“Passwords are in the red (as in your blood red), one-time passwords (OTPs) are yellow/red and Fast ID Online (FIDO) authenticators are green. Start by setting the objective and developing discipline to understand issues and then support vendors that are trying to help you get there. You get to give feedback and request/demand improvements — staying stuck isn’t a good strategy.”

POS systems are a primary area of concern. Every retailer should separate its POS infrastructure from its corporate infrastructure. Tripwire recommended including monitoring and two-factor authentication for all users accessing the POS environment in addition to segregating the infrastructure.

This begs the question, would retailers know if their POS infrastructure was compromised? Do they have a plan to respond to indicators of compromise? Does your response plan affect your ability to conduct commerce?

Customer Trust and Engagement

The NRF created a comprehensive playbook for its members that highlighted three key areas in which retailers need to focus: trust, community and anticipation. Customers will quickly lose trust in retailers that don’t focus on securing their environments and technologies.

How retailers engage their customer will speak volumes to how seriously they take security. Are you asking the customer to provide data that you are not able to protect? Do you send emails containing hotlinks to get your customer to click and buy? Do your privacy and terms of service statements clearly articulate how you protect customers’ data? Can customers quickly engage with your support teams if they report cybercrime? Are your support teams trained to handle social engineering attempts to access customer accounts?

Improve Online Habits for the Holidays

First and foremost, only deal with retail organizations you trust. Understand how they operate. More importantly, understand that every entity can be spoofed in email or online.

Practice good online hygiene as part of the overall retail cybersecurity solution. Resist the urge to click on Cyber Monday coupons in emails — type the URLs into your browser window instead. Ensure your devices are up to date with both your security suite and your operating system. Download apps only from trusted environments.

We asked Rebecca Herold, The Privacy Professor and industry thought leader on privacy, what consumers can do to protect their online engagements. Not surprisingly, her advice addressed the need for authenticating yourself with the vendor.

“Use two-factor authentication wherever it is offered,” Herold advised. “This way, if a password is one of the factors and the password file gets hacked, that second factor will help to prevent unauthorized access into your accounts.”

Speaking of passwords, remember to use a unique password for every online account. It sounds cumbersome, but give it some thought. If you reuse passwords and the password file of the company with the least secure infrastructure is compromised, then your user ID and password combination are the keys to all your other accounts, especially for those that lack two-factor authentication.

The holiday season is upon us. Make it a joyous occasion by keeping your company, customers and yourself safe online.

More from Retail

5 ways to improve holiday retail and wholesale cybersecurity

4 min read - It’s the most wonderful time of the year for retailers and wholesalers since the holidays help boost year-end profits. The National Retail Federation (NRF) predicts 2022 holiday sales will come in 6% to 8% higher than in 2021. But rising profits that come at the cost of reduced cybersecurity can cost companies in the long run when you consider the rising size and costs of data breaches. The risk of data breaches and other cyber crimes can make this shopping…

Cost of a data breach: Retail costs, risks and prevention strategies

3 min read - Whether it’s online or brick-and-mortar, every new store or website represents a new potential entry point for threat actors. With access to more personally identifiable information (PII) of customers than most industries, bad actors perceive retail as a great way to cash in on their attacks. Plus, attackers can duplicate attack methods more easily since retailers share similar cybersecurity infrastructure. The good news for retail is that the cost of a data breach in the sector remains low compared to…

Lessons learned by 2022 cyberattacks: X-Force Threat Intelligence Report

3 min read - Every year, the IBM Security X-Force team of cybersecurity experts mines billions of data points to reveal today’s most urgent security statistics and trends. This year’s X-Force Threat Intelligence Index 2022 digs into attack types, infection vectors, top threat actors, malware trends and industry-specific insights. This year, a new industry took the infamous top spot: manufacturing. For the first time in over five years, finance and insurance were not the top-attacked industries in 2021, as manufacturing overtook them by a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today