Retail Security: Industry Provides Rich Pickings for Cybercriminals

Retail security has made many news headlines over the past couple of years. Many dubbed 2014 the year of the megabreach, but the number of high-profile data leaks continues to grow. According to recent research by NTT Group, the retail industry is a particularly popular target, experiencing 2.7 times the number of attacks of the financial services sector.

Vast Swaths of Personal Data

Retail security is complicated by the large amount of data that organizations tend to process and hold, including credit card data and personal information related to loyalty accounts. They also usually operate highly distributed environments, with many point-of-sale (POS) systems.

According to NTT, attacks against the retail sector spilled over to the wider hospitality, leisure and entertainment sector, with several major breaches seen in 2015. This sector also collects large amounts of information, and transaction sizes tend to be large. In many of the breaches, however, the properties were not attacked directly, but rather via service providers and retailers operating on hospitality premises, many via POS malware.

The Switch to EMV Helps

Attacks against POS systems sought to steal payment card information in many of the breaches recorded, taking advantage of vulnerable terminals as well as the less secure magnetic stripe card payment system. According to the “2016 Data Breach Investigations Report” from Verizon, 64 percent of breaches with confirmed data disclosure in the retail sector were caused by POS intrusions.

Most countries around the world have moved away from that system in favor of the more secure Europay, MasterCard and Visa (EMV) chip-and-PIN technology. The U.S. has dragged its heels in this transition, but as of October 2015, liability for payment card fraud shifted from the card issuers to retailers that accept payments made using the less secure magnetic stripe technology.

To boost security, retailers need to embrace the EMV system by upgrading their terminals and requiring customers to enter their PIN. This will do much to improve security but is not by itself sufficient. All payment card data should be encrypted or tokenized to protect it in back-end systems. Doing so also ensures compliance with the requirements of the PCI standard to protect cardholder data.

Spear Phishing Remains Prevalent

Spear phishing attacks are also prevalent in the retail sector — and they are on the rise. In many cases, these are targeted at retail personnel and executives. These attacks are often connected to financial fraud, such as attempting to get the organization to pay fake invoices.

Some may take a different route, attempting to convince users to click on tainted links in emails or open malicious attachments so that information-stealing malware is downloaded. This can lead to customer information being stolen, which can have serious financial or reputational consequences for retailers.

Surging Online Channels

Many brick-and-mortar businesses also operate as omnichannel retailers, combining sales via physical stores with online e-commerce. As the number of channels proliferates and attackers become more advanced, cybersecurity concerns have surged. According to BDO International, 100 percent of the retailers it has analyzed disclose such concerns in their annual filings.

In 2015, e-commerce sales accounted for 7.3 percent of all retail sales, and mobile sales are expected to grow exponentially in the years to come. As a result, 57 percent of retailers see cybersecurity and changing internet trends as a risk to their businesses this year, more than double the 28 percent that cited it in 2013.

As a result, a holistic strategy is required for successful retail security. All network endpoints should be adequately secured, from point-of-sale terminals and e-commerce websites to employee access points and even connected devices such as printers and security cameras. Each network endpoint should be considered a potential breach point.

Prioritizing Retail Security

The retail sector offers rich pickings for criminals, as indicated by the number of breaches happening throughout the industry. Retail security is a real and growing problem, and it is spilling out to other sectors that rely on retail sales, such as hospitality.

To be successful in this competitive market, retailers must have many touch points for their customers, and they need to be open in nature. They must also be capable of handling huge swaths of information and multiple transactions. But all of these factors make the retail industry a magnet for criminals. The onus is on retailers to double their efforts if they hope to avoid becoming the next headline.

Read the IBM X-Force research report on security trends in the retail industry

Fran Howarth

Senior Analyst, Bloor Research

Fran Howarth is an industry analyst and writer specialising in security. She has worked within the security technology sector for more than 25 years in an advisory capacity as an analyst, consultant and writer. Fran focuses on the business needs for security technologies, with a focus on emerging technology sectors. Current areas of focus include cloud security, data security, identity and access management, network and endpoint security, security intelligence and analytics, and security governance and regulations.