Retailers now experience the most cyber attacks of any industry sector—three times as many as the previous top target, the financial industry—according to information and communications technology firm NTT Group's 2016 Global Threat Intelligence Report.
NTT Group notes that 22% of all incident response engagements in 2015 originated from the retail vertical market client base, just ahead of the finance vertical (18%), with many attacks against retailers using spear phishing (i.e., email that appears to be from a known individual or business). Some 65% of attacks originated from U.S. IP addresses, up from 49% in 2013 and 56% in 2014, though hackers themselves could be operating anywhere in the world, the report states.
Among the most alarming findings in the NTT Group report: Many business vulnerabilities were sitting on corporate IT systems for years, just waiting to be exploited. Nearly 21% of vulnerabilities were more than three years old, more than 12% were over 5 years old, over 5% were more than 10 years old, and some date back as far as 16 years, the report found.
“Retail companies are becoming increasingly popular targets as most process large volumes of personal information, including credit card data, in highly distributed environments with many endpoints and point-of-service devices,” Rory Duncan, head of security business unit at NTT Group's Dimension Data UK, said in a statement. “Such diverse environments can be difficult to protect.”
While the NTT data was largely collected before the U.S. switched to EMV chip-enabled cards and point-of-sale systems, the report covers cyber hacks worldwide, including markets where EMV use is commonplace. Regardless, savvy retailers and their IT departments already know (though it may be worth repeating) that the switch to EMV is an extremely limited solution given the realities of today’s cybersecurity risk.
The move here to EMV and its ability to stymie some number of hackers will likely result in thieves heading to where the metaphorical broken windows and doors ajar are found—online. The U.S. is the last developed country to switch to EMV, and experts say that online fraud has grown in every market that has implemented the technology.
It’s not just hackers, either. Everyone—retailers included—is moving online for more and more tasks and activities. For retailers, it’s not just the very real matter of boosting their e-commerce and their mobile capabilities, but also increased use of connected devices, the cloud and social media.
The NTT Group report also takes stock of the cybersecurity arms race. As businesses move to thwart hackers, the hackers devise work-arounds, and even when retailers are seemingly on top of the problem, they must still contend with a nerve-racking truth: When it comes to cybersecurity, a retailer is only as secure as its least secure vendor.
Last year for example, CVS, Costco, Walmart Canada, Sams Club, Walgreens, Rite Aid and Tesco all reported possible security breaches at their photo sites. The retailers’ photo operations had a common vendor, PNI Digital Media, which is owned by office-supplies retailer Staples.
“It only takes one gap, it only takes one hole,” Stephen Boyer, co-founder and CTO of BitSight, told Retail Dive last year. “You can have a lot of locked doors, but one window’s open and you have a problem.”