Retail security has made many news headlines over the past couple of years. Many dubbed 2014 the year of the megabreach, but the number of high-profile data leaks continues to grow. According to recent research by NTT Group, the retail industry is a particularly popular target, experiencing 2.7 times the number of attacks of the financial services sector.

Vast Swaths of Personal Data

Retail security is complicated by the large amount of data that organizations tend to process and hold, including credit card data and personal information related to loyalty accounts. They also usually operate highly distributed environments, with many point-of-sale (POS) systems.

According to NTT, attacks against the retail sector spilled over to the wider hospitality, leisure and entertainment sector, with several major breaches seen in 2015. This sector also collects large amounts of information, and transaction sizes tend to be large. In many of the breaches, however, the hospitality properties were not attacked directly, but rather via service providers and retailers operating on hospitality premises, many via POS malware.

The Switch to EMV Helps

Attacks against POS systems sought to steal payment card information in many of the breaches recorded, taking advantage of vulnerable terminals as well as the less secure magnetic stripe card payment system. According to the “2016 Data Breach Investigations Report” from Verizon, 64 percent of breaches with confirmed data disclosure in the retail sector were caused by POS intrusions.

Most countries around the world have moved away from that system in favor of the more secure Europay, MasterCard and Visa (EMV) chip-and-PIN technology. The U.S. has dragged its heels in this transition, but as of October 2015, liability for payment card fraud shifted from the card issuers to retailers that accept payments made using the less secure magnetic stripe technology.

To boost security, retailers need to embrace the EMV system by upgrading their terminals and requiring customers to enter their PIN. This will do much to improve security but is not by itself sufficient. All payment card data should be encrypted or tokenized to protect it in back-end systems. This also makes sure it is in compliance with the requirements of the PCI standard to protect cardholder data.

Spear Phishing Remains Prevalent

Spear phishing attacks are also prevalent in the retail sector — and they are on the rise. In many cases, these are targeted at retail personnel and executives. These attacks are often connected to financial fraud, such as attempting to get the organization to pay fake invoices.

Some may take a different route, attempting to convince users to click on tainted links in emails or open malicious attachments so that information-stealing malware is downloaded. This can lead to customer information being stolen, which can have serious financial or reputational consequences for retailers.

Surging Online Channels

Many brick-and-mortar businesses also operate as omnichannel retailers, combining sales via physical stores with online e-commerce. As the number of channels proliferates and attackers become more advanced, cybersecurity concerns have surged. According to BDO International, 100 percent of the retailers it has analyzed disclose such concerns in their annual filings.

In 2015, e-commerce sales accounted for 7.3 percent of all retail sales, and mobile sales are expected to grow exponentially in the years to come. As a result, 57 percent of retailers see cybersecurity and changing internet trends as a risk to their businesses this year, more than double the 28 percent that cited it in 2013.

Given this expanding attack surface, a holistic strategy is required for successful retail security. All network endpoints should be adequately secured, from point-of-sale terminals and e-commerce websites to employee access points and even connected devices such as printers and security cameras. Each network endpoint should be considered a potential breach point.

Prioritizing Retail Security

The retail sector offers rich pickings for criminals, as indicated by the number of breaches happening throughout the industry. Retail security is a real and growing problem, and it is spilling over to other sectors that rely on retail sales, such as hospitality.

To be successful in this competitive market, retailers must have many touch points for their customers, and they need to be open in nature. They must also be capable of handling huge swaths of information and multiple transactions. But all of these factors make the retail industry a magnet for criminals. The onus is on retailers to double their efforts if they hope to avoid becoming the next headline.
