Want to read more on cybersecurity? Check out our comprehensive guide analyzing the trends and themes impacting cybersecurity in 2017 and beyond.
Cybercrime is big business — and retailers are squarely in the crosshairs.
Cybercrime — the catch-all term applied to an ever-expanding range of digital assaults from malware to theft of personal data to distributed denial-of-service attacks (DDoS, i.e. coordinated traffic onslaughts on servers, systems or networks designed to make the target difficult or impossible for legitimate users to access) — is rapidly growing more common, more dangerous and more complex. Service interruptions from DDoS attacks alone surged 162% in 2016. Cybercrime is also growing more lucrative: Nearly 90% of all cyberattacks now involve financial or espionage motivations, according to the Verizon 2016 Data Breach Investigations Report. Corresponding annual global costs related to damage and destruction of data, intellectual property theft, lost productivity and fraud are on pace to grow from $3 trillion in 2015 to $6 trillion by 2021.
While the second half of 2016 brought to light three of the largest data breaches ever recorded (two raids on web platform Yahoo that impacted at least 1.5 billion accounts combined; the other affecting about 412 million accounts across social network Adult Friend Finder), retailers in fact experience the most cyberattacks of any industry sector — about three times as many as the previous top target, the financial industry — information and communications technology firm NPD Group reports. The list of victims is long and ignominious, and includes Target, Home Depot, Eddie Bauer and Vera Bradley.
The question isn’t if and when yet another retailer will fall victim in the weeks and months ahead, experts say, but simply where the wheel of misfortune will land next.
“You’ll never be able to put up perimeters and defenses to stop the behavior of malicious attackers. Organizations need to accept the fact that if they’re not breached today, they likely will be breached at some point in the point in the future,” Paul Truitt, vice president of cybersecurity services at managed network solutions firm SageNet, told Retail Dive. “Getting ahead of the criminal and stopping them before they do what they’re going to do is a losing battle. But acting quickly and having the processes in place to respond what it does happen is achievable, and if every organization had that in place, we could significantly shorten the average data breach notification and identification, and also create much less juicy targets for the bad guys.”
Retailers are like catnip to cybercriminals because of the wealth of customer data stored on their networks. While hijacking credit card account data has long been the primary objective — about 42 million Target shoppers had their credit or debit information stolen when the retailer was breached in late 2013 — thieves are also keen to acquire personal data like names, mailing addresses, phone numbers and email addresses.
“There’s a lot of data around shopping habits and purchasing patterns now being stored by retailers — information they never had before,” Truitt said. “If you’re tying a loyalty program to a mobile payment program, those payment programs are bringing more sensitive data into the retail organization than in the past, and that’s what criminals are looking for.”
The threat isn’t lost on retailers. Fully 100% of retail executives surveyed for the 2016 BDO Retail RiskFactor Report cited data privacy and security breaches as major business risks, up from 55% in 2011 and 26% in 2007. But according to Truitt, relatively few retailers have advanced their cybersecurity efforts beyond implementing the basic safeguards necessary to meet payment card industry (PCI) security standards.
“[Cybersecurity] varies by retailer,” he said. “We still see a lot of retail organizations putting their eggs into the PCI basket. The feeling is that they’ve secured their organizations by meeting PCI compliance requirements, but in reality, the vectors of attack are outside what PCI mandates needs to be done. When you think about security programs focusing only on PCI at best, we’re going to see a lot of data continue to be exposed.”
The media fallout and brand damage associated with past merchant data breaches (not to mention the legal costs and governmental penalties, which can run into the millions) are driving retailer cybersecurity awareness and investment, says Robert Horn, associate director at insurance and risk management solutions provider Crystal & Company.
“Retailers have been forced to increase their cybersecurity because of the breaches we’ve had in the last several years. Your public perception takes a hit, there’s customer churn, and the fines and penalties are increasing,” Horn told Retail Dive. “Cybersecurity is getting much more attention from the C-suite. Before, just the IT director was involved. Now you’ve got legal, you’ve got corporate governance, you’ve got the CFOs and the CEOs wanting to know what’s going on.”
But knowing what’s going on is easier said than done, because cybercrime evolves with mind-boggling speed. What began two decades ago with relatively simple viruses and website attacks hatched by malcontents seeking internet notoriety has rapidly mutated into discrete, laser-targeted and highly sophisticated offensives masterminded by thieves, hackers and extortionists motivated by financial gain.
“There isn’t a single organization that can say they’re 100% secure,” Maarten Van Horenbeeck, vice president of security engineering at content delivery network Fastly, told Retail Dive. “But there are organizations that have the maturity and the smart people to say, ‘We understand what is happening, and we believe we know how to defend against it and how to protect our customer data.’”
Personnel and protection
Understanding what’s happening begins with identifying potential cracks in your armor. Verizon found that most attacks exploit known vulnerabilities that businesses failed to patch, despite software providers making patches available months or even years prior to the breach taking place. In fact, the top 10 known vulnerabilities account for about 85% of all successful exploits each year. Avoiding disaster also depends on recognizing the warning signs and criminal patterns: 95% of breaches and 86% of security incidents fall into nine established exploit patterns.
Building a more secure retail business begins with smart personnel decisions. “The single biggest thing an organization can do today is hire the right people. There are so many technologies out there,” Van Horenbeeck said. “It’s like putting together a puzzle of the correct pieces to make sure you’re defending yourself against attack. You need to hire the right people who understand that puzzle, and who know how to make the organization as safe as possible.”
Perhaps no retail security solution has generated more headlines and discussion than the fall 2015 shift from traditional “swipe-and-signature” credit and debit cards to chip-enabled EMV cards, a move designed in part to better protect consumers from escalating transaction fraud. While EMV (which takes its name from Europay, MasterCard and Visa, the three companies that created its chip-integrated standard) effectively blocks card cloning and other commonplace criminal tactics, its security innovations are limited to transactions where the physical card is present, meaning many cyberthieves are shifting their focus from brick-and-mortar stores to the web.
That means retailers dependent on e-commerce must embrace software solutions including end-to-end software encryption, a method of secure communication that prevents hackers, internet service providers or any other third party from accessing, stealing or damaging cardholder data or other information during its transfer from one system or device to another.
“Organizations that have made investments in EMV but did not invest in end-to-end encryption have a risk misperception,” said SageNet’s Truitt. “They believe they are secure, but they’ve only accomplished authentication of credit cards. They’ve accomplished nothing related to the security of the actual transaction. Many retailers that don’t have security teams internally, or that outsource their security fully and don’t have anyone with that knowledge in-house, has misinformed themselves about what EMV is doing. We’re going to see more organizations put fewer security controls in place and reduce some spend, because they think they have put the right security in place. But they’ve left themselves more exposed than they used to be.”
Beyond the basics, retailers should also consider adopting data loss prevention solutions to help monitor, manage and protect confidential data wherever it’s stored or used, as well as emerging tools like advanced behavioral authentication (methodologies that monitor headquarters and store employees’ attributes and behaviors to prevent imposters from accessing infrastructure and data), data-mining and visualization techniques, and security response automation.
There’s no time to waste. Experts anticipate cybercrime to continue to increase in the months to come, and warn that emerging technologies like the Internet of Things and advances in artificial intelligence present a multitude of new opportunities for attack. Only the strong will survive.
“It’s hard to predict what new threats will come about,” said Horn. “[Security] all comes down to putting resources into cybersecurity teams. A bad breach can put you out of business.”