Three new threats facing retailers, and three security concerns to keep in mind
The security threat landscape doesn't stand still, as attackers look for new weaknesses to exploit and use to access corporate networks.
Digital transformation is a key component of many retailers' IT strategies: While just three per cent of retailers say they've completed their digital transformation programme, 74 per cent have already undertaken pilots or limited projects. Full-scale digital transformation often means a root and branch replacement of systems, meaning data may be transferred to new software and suppliers, moved to the cloud, or be sent to or received from Internet of Things devices for the first time. As such, digital transformation may see sensitive data exposed to new environments, and new risks as a consequence.
Cryptojacking – where computing resources are hijacked from their legitimate purpose and used to mine for cryptocurrency – has overtaken ransomware as the most common type of cyberthreat. There are two main ways that cryptojacking can affect retailers. The first is that, with so much computing power on hand, rogue employees may decide to subvert IT systems to covertly mine for cryptocurrency, potentially slowing down retailers' tech infrastructure. The other is cryptojacking malware, where criminals create malicious software that can infect IT systems to much the same end. In both cases, the mining is designed to escape detection for as long as possible – meaning retailers may not be aware of it taking place on their systems, apart from seeing a dip in IT performance.
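Because a miner is built to stay quiet, the useful signals are the ones it cannot hide: sustained CPU from a process nobody can account for, connections to mining-pool ports, and miner-style command lines. The scorer below is an added example, not code from the original article; its process and connection records are constructed sample data, and the port list, command-line markers and CPU allowlist are assumptions to be tuned per environment rather than a complete signature set.

```python
"""Score process/connection snapshots for cryptojacking indicators.

Added example (not from the article). Sample records are constructed; the
indicator lists are assumptions that a real deployment would tune.
"""
from dataclasses import dataclass, field

# Ports commonly used by Stratum mining pools (assumption: adjust per site).
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444, 45700}
# Command-line fragments typical of miners (stratum URLs, xmrig-style flags).
MINER_CMDLINE_MARKERS = ("stratum+tcp://", "stratum+ssl://", "--donate-level")
# Processes expected to run hot on this host (assumption: site allowlist).
CPU_ALLOWLIST = {"postgres", "java", "nginx"}
CPU_THRESHOLD = 80.0   # percent CPU
MIN_RUN = 3            # consecutive samples above threshold = "sustained"


@dataclass
class Proc:
    pid: int
    name: str
    cmdline: str
    cpu_samples: list            # percent CPU per polling interval, in order
    remote_ports: set = field(default_factory=set)


def longest_hot_run(samples, threshold=CPU_THRESHOLD) -> int:
    """Length of the longest run of consecutive samples at/above threshold."""
    run = best = 0
    for s in samples:
        run = run + 1 if s >= threshold else 0
        best = max(best, run)
    return best


def score_process(p: Proc) -> list:
    """Return the indicator strings this process triggers (empty = clean)."""
    hits = []
    cl = p.cmdline.lower()
    hits += [f"cmdline:{m}" for m in MINER_CMDLINE_MARKERS if m in cl]
    pool_ports = p.remote_ports & MINING_POOL_PORTS
    if pool_ports:
        hits.append(f"pool-port:{sorted(pool_ports)}")
    run = longest_hot_run(p.cpu_samples)
    if run >= MIN_RUN and p.name not in CPU_ALLOWLIST:
        hits.append(f"sustained-cpu:{run}/{len(p.cpu_samples)}")
    return hits


def find_suspects(procs) -> dict:
    """Map pid -> indicators for every process with at least one hit."""
    return {p.pid: h for p in procs if (h := score_process(p))}


# Constructed snapshot: a busy but legitimate DB, a miner masquerading as a
# kernel thread, a normal web worker, and a script in /tmp talking to a pool.
SAMPLE_PROCS = [
    Proc(1201, "postgres", "/usr/lib/postgresql/bin/postgres -D /var/lib/pg",
         [85, 90, 88, 92], {5432}),
    Proc(4410, "kworker",
         "./kworker -o stratum+tcp://pool.example:3333 -u 44abc --donate-level 1",
         [97, 98, 99, 99], {3333}),
    Proc(987, "node", "node /srv/app/server.js", [20, 15, 30, 22], {443}),
    Proc(5023, "python3", "python3 /tmp/.x/run.py", [95, 96, 94, 97], {14444}),
]

if __name__ == "__main__":
    for pid, indicators in find_suspects(SAMPLE_PROCS).items():
        print(pid, indicators)
```

The allowlist is deliberately by process name only; a miner that renames itself to `postgres` would slip past the CPU rule, which is why the port and command-line checks are scored independently and any single hit is worth a look.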
Supply chain attacks
The larger a company, the more complex its supply chain. From third-party suppliers to white label clients, each connection with another business is a potential point of weakness for a retailer. It's something cybercriminals know all too well, and are keen to exploit. Take the recent Best Buy breach. A third-party chat app was the conduit for the leaking of customer data. Any system breach or compromised data store caused by a third party will reflect badly on a retailer, even if the error is not theirs. Similarly, if third parties don't inform retailers appropriately about attacks, they're left unable to shore up their defences. Companies need to think of security beyond simply protecting their own boundaries, and to consider their broader attack surface.
Thanks to the constant evolution of security risks, it can be easy to overlook some of the more basic security concerns that have been with us for years. Here are three of the more established security issues that retailers should continue to keep an eye on.
Point of sale (POS) devices have been an attack vector for more than 10 years, with threats ranging from intercepting network traffic to steal payment details, to malware that scrapes credit and debit card data from a terminal's memory and exfiltrates it. Yet the risks posed by POS devices show no signs of going away: one of the highest-profile retail data breaches of recent years, the one that cost US chain Target $18.5m in settlements, relied on memory-scraping malware installed on the chain's POS terminals after the attackers got in using a third-party vendor's credentials. The new wave of mobile POS devices from the likes of Square and PayPal has also been in the security spotlight of late.
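Memory-scraping POS malware works by searching process memory for the magnetic-stripe track formats (Track 1 `%B…^name^YYMM…?`, Track 2 `;PAN=YYMM…?`) and keeping only hits whose PAN passes the Luhn check, so that random digit runs are discarded. The same scan, run by a defender over a memory dump or a captured outbound stream, flags card data that should never be there in the clear. The scanner below is an added example, not the article's or any vendor's code; the "memory dump" is a constructed byte buffer and the PANs are public test numbers (Luhn-valid, not real cards).

```python
"""Scan a byte buffer for magnetic-stripe Track 1 / Track 2 data.

Added example (not from the article). The buffer below is constructed; the
PANs are public test numbers. Use this the way a DLP or forensic check would:
over memory dumps or captured traffic from POS hosts.
"""
import re

# Track 2: optional ';' start sentinel, PAN, '=', YYMM, service code, rest, '?'.
TRACK2 = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})\d*\??")
# Track 1: '%B', PAN, '^', cardholder name, '^', YYMM, service code, ..., '?'.
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: the filter that separates PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ord(ch) - 48
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(pan: str) -> str:
    """Keep BIN and last four (the PCI-permitted display form), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return sorted (offset, track, redacted PAN, expiry YYMM) for valid hits."""
    hits = []
    for track, rx in (("T1", TRACK1), ("T2", TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue          # looks like a PAN but isn't (IDs, timestamps)
            exp = m.group(3 if track == "T1" else 2).decode()
            hits.append((m.start(), track, redact(pan), exp))
    return sorted(hits)


# Constructed "memory dump": one Track 1 record, one Track 2 record, one
# Luhn-invalid decoy that must be ignored, and unrelated bytes around them.
SAMPLE_DUMP = (
    b"\x00\x00session=8812;"
    b"%B4111111111111111^DOE/JANE^25121010000000000?"
    b"\x00\x00log: txn 20180412 ok\x00"
    b";5555555555554444=2512101123456789?"
    b"\x00;4111111111111112=2512101000?"      # fails Luhn: not reported
    b"\x00plain text, not card data\x00"
)

if __name__ == "__main__":
    for offset, track, pan, exp in scan_buffer(SAMPLE_DUMP):
        print(f"offset={offset:<6} {track} pan={pan} exp={exp}")
```

On a real POS host the scan is pointed at the payment application's memory or at its outbound connections; a hit in either place means track data is being handled unencrypted where the malware can also reach it. Reporting only the redacted PAN keeps the scanner itself from becoming a second copy of the card data.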
Distributed denial of service (DDoS) attacks may have been occurring for decades, but there's no sign they're going away any time soon. In fact, 2018 saw the biggest DDoS attack ever recorded, while the complexity and number of different types of DDoS attacks is also rising. Every firm that does business via the internet is at risk from a DDoS affecting their ability to keep serving customers. But for retailers, such attacks can be particularly devastating if they take place during times of high traffic, such as sales events, Black Friday or the pre-Christmas period. Aside from the business impact of going offline, such attacks can also have a significant negative effect on retailers' reputations.
GDPR may only have become enforceable in May of this year, but it feels like the regulation has been on retailers' security agendas for far longer, thanks to the threat of heavy fines. While businesses have treated the legislation with varying degrees of seriousness, the first complaints under the GDPR were lodged within hours of it becoming enforceable. While those complaints have tended to focus on privacy issues within the tech sector, the next significant data breach in retail could see companies attracting closer regulatory scrutiny.