Retailers are becoming increasingly popular targets for cyber attacks.
Analysts say it’s less likely a question of whether an attack will occur, and more about when. Now more than ever, retailers need to have a game plan in place.
The retail industry faces more attacks than any other industry. In fact, retailers face three times as many attacks as the next top target, the financial industry, according to information and communications technology firm NTT Group's 2016 Global Threat Intelligence Report. Cyber threats across all industries are also on the rise. Only three years ago, Microsoft says there were 20,000 attempted cyberattacks per week. Now there are between 600,000 and 700,000 per week.
Within the last few years, big retailers like Target, Home Depot, Eddie Bauer and Vera Bradley have all fallen victim to the tricks of cyber thieves, and the financial and reputation costs of such attacks can be enormous.
Retailers need to take the security of their online data as seriously as the protection of their physical inventory, according to Mark Flegg, a global product director of domains and security at Corporation Service Company.
“In the olden days, we thought nothing about hiring a foreman for the warehouse to make sure that everything was going well and there was no shrinkage from an inventory perspective. We put whatever controls we needed to do that in the past,” he told Retail Dive. “Online, it’s the same thing — you need that warehouse foreman to look at your digital footprint and figure out what’s going on, what new technology is coming out.”
That means retailers need to be more proactive about investing in protecting themselves before cyber attacks occur. First and foremost, Flegg says retailers need to make sure that they have a cyber security policy that makes sense for their individual needs. Given that cyber attacks are continuously evolving, many retailers may not know where to begin: Data show that retailers are still struggling to cover the basics of cybersecurity.
A recent analysis of the security ratings of the 48 biggest holiday retailers showed that big-box retailers, including those who ranked highly, had particularly big gaps in DNS health, social engineering and network security, according to SecurityScorecard’s 2016 Biggest Holiday Retailers Cybersecurity Report. While keeping a secure system is an ongoing process, here are six fundamental steps retailers can take to strengthen their cybersecurity.
1. Strengthen domain and network security
As retailers consider their cybersecurity policies, the very basics of network security should not be overlooked.
“The gateway to everything online is a domain name,” Flegg said.
SecurityScorecard’s report showed that 73% of retailers that held a "C" letter rating for more than three months had poorly configured website domains. A common example is a content management system whose administrative portal is reachable from the public internet, which gives an attacker a direct place to attempt a login.
"What we see very frequently is that retail websites expose their administrative portals, which means they are publicly accessible," Sam Kassoumeh, COO & co-founder of SecurityScorecard, told Retail Dive.
Retailers need to ensure that they’re investing in a high quality and secure domain provider — and cheaper is not always better.
“One of the cheapest providers is GoDaddy. They are cheap; it's like $10 a year to register a domain name and you pay by credit card. But what happens when that credit card expires? GoDaddy can’t charge a renewal fee because every domain has to renew, and there goes your domain name. Then you’re out of luck,” Flegg said. “So having someone looking after domain names properly and treating it like the asset it is, is paramount. You have to make sure the basics are in place.”
After that, a TLS certificate (still commonly called an SSL certificate), so that the site serves its pages over HTTPS and encrypts data in transit, is essential for retailers that collect personal information such as addresses and credit card numbers for e-commerce purchases. Many retailers are failing to meet this critical step, according to the report. Retailers also need to configure the DNS records for those domains correctly to defend against impersonation attacks.
“Organizations with poor DNS configuration are at risk for hackers who can set up websites that look like a retailer’s site and falsify a checkout form to obtain a user’s credit card information,” according to SecurityScorecard’s report.
2. Establish strong password policies
All too often, vulnerabilities are created when employees never change the default username and password they were given, which leaves an opening for hackers and puts retailers at risk. If a retailer's administrative portal is exposed, Kassoumeh says hackers will still be prompted for login information. But if the default credentials haven't been changed, hackers can look up the default logins used by common CMS platforms such as WordPress and often gain access.
SecurityScorecard’s report showed that 69% of retailers with a "C" letter grade for three or more months had multiple entry points for hackers. Retailers should start by implementing strong password policies: require employees to replace default credentials with a strong, unique password and a non-default username, add multi-factor authentication where the system supports it, and rotate those credentials periodically.
Whether it's negligence or ignorance, Kassoumeh says retailers often don't know what their infrastructure looks like from the outside or how simple password policies can have a major impact on their security.
3. Create a regular patching routine
It’s not often that a hacker will try to bang through a new locked front door if an old forgotten back window can be broken into — and that’s exactly what out-of-date software is.
This is clearly a pain point for most retailers — 83% of the retailers analyzed by SecurityScorecard had unpatched vulnerabilities in October 2016 and 62% were using end-of-life products, which no longer have any security support from the manufacturer. Hackers are much more likely to exploit older vulnerabilities, making it critical to consistently update all company devices.
“If you’re not keeping up with the latest patches, you’re not keeping up with the latest ways of keeping your company safe from attack, which can lead to a system that is permanently exposed,” Kassoumeh said. “Mature companies will have an update on a weekly, monthly or quarterly basis. Companies that are less mature in that practice — they won’t do it or it’s hard.”
Scaling security can be especially difficult for big-box retailers with global operations. Security is often decentralized but a unified approach can pay off in the long run for retailers.
Regularly updating software is a simple yet often overlooked way to reduce the number of cybersecurity vulnerabilities.
“The longer the patch goes unapplied the longer the hacker has to exploit that vulnerability,” Brian Engle, executive director of The Retail Cyber Intelligence Sharing Center, told Retail Dive.
4. Segment networks
Another key to closing off vulnerabilities is segmenting applications and databases into zones of similar sensitivity. That lets retailers restrict the traffic allowed into high-risk zones, so that malware or an intruder on one segment cannot spread freely to the others.
“Compartmentalizing, or segmenting networks — to keep corporate environments, support environments and store environments where retail payment occurs at the point of sale separated — is important in limiting the success of cybercriminals,” RCISC’s Engle said.
Oftentimes, third-party service providers are granted access to serve a functional component during the point of sale. Such services can range anywhere from climate control to music and security cameras, according to Engle.
“You want to segment that type of IT or tech from the point of sale systems as well, so they can’t become an avenue, so the light or air conditioning can’t be the pathway to get to point of sale system,” he said. “Segmentation and prohibiting traffic from going through them — or limiting it to only necessary traffic — is important.”
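An added example (not code from the article, RCISC or any retailer) of what Engle's separation looks like when written down as an explicit allow list and checked against a flow log. The zones, address ranges, ports and log lines are all constructed for the illustration; the "building" zone stands for the third-party HVAC, music and camera systems he describes. Beyond the article's point, the reachability check also shows why a single extra allow rule (corporate to POS) would quietly create a chained path from the building systems to the POS network.

```python
"""
Zone-segmentation policy check. Added example, not from the article.
Zones, address ranges (RFC 1918), allow rules and flow-log lines are
constructed to mirror the article's scenario: corporate, support,
store/POS, and third-party building systems (HVAC, music, cameras).
"""
import ipaddress
from collections import deque

# Constructed zone addressing.
ZONE_NETS = {
    "corporate": ipaddress.ip_network("10.0.0.0/16"),
    "support":   ipaddress.ip_network("10.20.0.0/16"),
    "pos":       ipaddress.ip_network("10.10.0.0/16"),
    "building":  ipaddress.ip_network("10.30.0.0/16"),  # HVAC, music, cameras
}

# Explicit allow list of (src_zone, dst_zone, dst_port). Default deny.
POLICY = {
    ("pos", "corporate", 443),       # POS uploads transactions to corporate
    ("support", "pos", 22),          # support desk administers POS
    ("building", "corporate", 443),  # building systems send telemetry
}


def zone_of(ip):
    """Map an IP address to its zone name, or 'unknown' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_NETS.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(src_ip, dst_ip, port, policy=POLICY):
    """True only if the zone-to-zone flow is on the allow list."""
    return (zone_of(src_ip), zone_of(dst_ip), port) in policy


def reachable(src_zone, policy=POLICY):
    """Zones an attacker could pivot to from src_zone by chaining allowed flows."""
    seen, queue = {src_zone}, deque([src_zone])
    while queue:
        cur = queue.popleft()
        for s, d, _ in policy:
            if s == cur and d not in seen:
                seen.add(d)
                queue.append(d)
    seen.discard(src_zone)
    return seen


def audit_flows(log_lines, policy=POLICY):
    """Return (src, dst, port) tuples from a flow log that the policy does not allow."""
    violations = []
    for line in log_lines:
        src, dst, port = line.split()
        if not is_allowed(src, dst, int(port), policy):
            violations.append((src, dst, int(port)))
    return violations


# Constructed flow log, one flow per line: "src_ip dst_ip dst_port".
SAMPLE_FLOWS = [
    "10.10.0.20 10.0.0.5 443",    # POS -> corporate API: allowed
    "10.20.0.7 10.10.0.20 22",    # support -> POS SSH: allowed
    "10.30.0.5 10.0.0.9 443",     # HVAC controller -> corporate telemetry: allowed
    "10.30.0.5 10.10.0.20 445",   # HVAC controller -> POS SMB: violation
    "10.0.0.5 10.10.0.20 3389",   # corporate -> POS RDP: violation
]

if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS):
        print("DENIED (not in allow list):", v)
    print("building can pivot to:", reachable("building"))
    weak = POLICY | {("corporate", "pos", 443)}
    print("with corporate->pos allowed, building can pivot to:", reachable("building", weak))
```

The audit only reports flows that are absent from the allow list, which is the default-deny posture Engle describes; the reachability check is the part most segmentation reviews miss, because a rule that looks harmless in isolation can complete a path from a low-trust vendor network to the payment systems.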
5. Test through the eyes of a ‘hacker’
Retailers that have completed all of these steps may already have a good understanding of their internal security system and its vulnerabilities. But they don’t know how a hacker looks at their infrastructure from the outside or what openings cyber attackers may sniff out.
“There are a lot of companies that do penetration testing, which basically means it’s ethical hacking,” CSC's Flegg said. “You can employ a company and say go at it, try to get as much information out of it as you can. They’ll give you a report about it at the end and hopefully it’s not all of your customer information with their credit cards.”
6. Boost employee awareness
Money, tools and technology aside, Kassoumeh says a retailer’s security is only as strong as its weakest link — most commonly, people.
“In a big company with stellar security, what’s the most common way to break in? Through social engineering — tricking an employee into doing something they shouldn’t be doing.”
Many hackers prey on employees they presume have a lack of knowledge of their company’s security policies, but many retailers are also failing to provide adequate training on a regular basis. Employees need to understand they have the keys to the front door, Flegg said. “It’s repetition, you’ve got to keep [security] at the forefront of employees’ minds all of the time.”
Phishing attacks can plague employees as well as consumers if retailers do not publish, or properly configure, a Sender Policy Framework (SPF) record for their email domain. An SPF record tells receiving mail servers which hosts are authorized to send mail for the domain, so that mail from anywhere else can be rejected. Over 90% of retailers in SecurityScorecard’s report had no SPF record at all, which increases the risk that hackers could reach out to shoppers posing as the retailer and send spoofed email to harvest financial or other personal information.
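To make concrete what a missing SPF record costs, here is an added example (not code from the article or SecurityScorecard) of the SPF check a receiving mail server performs, run over an in-memory DNS table. The domains, addresses (RFC 5737 and RFC 3849 documentation ranges) and TXT records are constructed; only the ip4, ip6, include and all mechanisms are implemented, which is enough to show the difference between a domain that publishes a policy ending in "-all" and one that publishes nothing.

```python
"""
Minimal SPF (RFC 7208) evaluator over a constructed in-memory DNS table.
Added example, not from the article. Domains, addresses and records are
constructed; no real retailer or mail provider is represented.
"""
import ipaddress

# Constructed DNS: domain -> list of TXT record strings.
FAKE_DNS_TXT = {
    "shop.example": ["v=spf1 ip4:192.0.2.0/24 include:mail-provider.example -all"],
    "mail-provider.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "noname.example": ["some-unrelated-txt-record"],  # publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's single SPF TXT record, or None if there is not exactly one."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_host(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate sender IP against the domain's SPF policy; return the SPF result."""
    if depth > 10:            # RFC 7208 caps nested DNS-causing mechanisms at 10
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"         # no policy published: a forged sender is not rejected
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_host(ip, arg, dns, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"   # RFC 7208 section 5.2: include of a missing policy
        else:
            # a, mx, ptr, exists and modifiers (redirect=, exp=) are not implemented here
            return "permerror"
    return "neutral"          # no mechanism matched and no trailing "all"


def spoof_rejected(sender_ip, claimed_domain, dns=FAKE_DNS_TXT):
    """True if a strict receiver would reject mail from sender_ip claiming claimed_domain."""
    return check_host(sender_ip, claimed_domain, dns) in ("fail", "softfail")


if __name__ == "__main__":
    attacker = "203.0.113.9"  # constructed attacker address, not in any record
    for domain in ("shop.example", "noname.example"):
        print(domain, "->", check_host(attacker, domain), "| rejected:", spoof_rejected(attacker, domain))
```

A forged message from the attacker address claiming shop.example evaluates to "fail" and can be dropped, while the same message claiming noname.example evaluates to "none", the result SecurityScorecard's finding implies for the majority of retailers it examined: the receiver has no basis to reject it. SPF alone only covers the envelope sender; DKIM and DMARC are needed to protect the From header the shopper actually sees.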
Phishing awareness for employees is particularly critical, Flegg said. From time to time, he will send out a phishing link to employees of his company to see how many people click on it.
“Anyone who does gets directed to our human resources link,” he said. “They have to go through education immediately. It’s a risk. You’re giving away your username and password, what is wrong with you? People just don’t take it seriously — your information is gold.”