From the back office to the till: Cybersecurity challenges facing global retailers | WeLiveSecurity

2022-08-20 09:37:38 By: Ms. Cherie Huang

How well retailers can manage the surge in cyberthreats may be crucial for their prospects in a post‑pandemic world

It’s hardly surprising that the retail sector is one of the most frequently targeted globally, with retail sales in the US alone projected to top $5.2 trillion in 2022. Consumers’ money and data have for years been a big potential prize for cybercriminals to get their hands on, and the surge in digital investment and online shoppers prompted by the pandemic has only made retail a more attractive prospect for would-be hackers. Malicious insiders, negligent staff and misconfigured or vulnerable software across networks, endpoints and point of sale (POS) devices have all widened the corporate attack surface over the years.

In this context, cybersecurity plays a critical role in protecting customers’ personal and financial data, keeping ransomware at bay and preserving brand reputation. Ultimately it is a means of seizing opportunity – the opportunity to drive closer customer engagement and grow business.

As a new report from ESET makes abundantly clear, the pandemic has already had an outsize impact on the sector. How well retailers can manage the surge in online threats may define their long-term success in a post-pandemic world.

ESET industry report on retail: Evolving threats to data and payments

COVID-19 has helped to transform retail organizations from the back office to the POS terminal. It has also exposed them to new cyber-risks. Mass remote working increased reliance on tools such as Microsoft Exchange for communication and Kaseya VSA for remote IT management; vulnerabilities in both were exploited en masse in 2021 for data theft and extortion.

More broadly, retailers are exposed at multiple points in their IT infrastructure, including customer databases, POS terminals, marketing automation, search engine optimization tools, and payment processing platforms and services. We’ve seen everything from phishing to ransomware, man-in-the-middle attacks to SIM swapping and spoofed mobile apps. In fact, the tactics, techniques and procedures (TTPs) used more broadly in COVID-themed attacks are all present in targeted campaigns against retail customers and businesses.

POS was traditionally the number one target for data-hungry attackers – most notably in the high-profile breaches of tens of millions of payment cards at Target and Home Depot several years back. There’s still a threat here today, as we saw with the discovery of the ModPipe POS malware and the impact of the Kaseya supply chain attack on some retailers’ POS systems. However, the widespread adoption of EMV chip cards – which authorize each transaction with a one-time cryptogram, so data captured at the POS cannot easily be used to produce counterfeit cards – and new systems like Apple Pay are pushing more fraud toward card-not-present transactions online.

That general trend was given a huge push with the advent of COVID-19, with online sales rising from 16% to 19% of total retail sales in 2020. Here’s a snapshot of some typical e-commerce threats today:

For retailers, these risks are heightened by rigorous data protection regulations like the GDPR and California’s CCPA, alongside the industry data security standard PCI DSS. Non-compliance could result in major fines and reputational damage, leading to customer churn – a serious risk in an industry where loyalty is hard won but easily lost.

There are no silver bullets for solving these challenges, and best-practice cybersecurity should have multiple layers, from the end user to the endpoint. But at a high level, retail IT security teams can mitigate some of these risks by better securing their back-end e-commerce servers. Consider the following:

Retailer IT environments span everything from back-end logistics and CRM to the front-end e-commerce store and POS terminals in brick-and-mortar stores. That’s a large target for the bad guys to aim at. As online business continues to grow and digitally transform, the key to competitive advantage will increasingly be defined by how well risk-based cybersecurity strategies stack up.