Fighting Cyber Criminals in the Retail Industry

With the UK’s High Streets floundering amid falling consumer power and rising import prices, the country’s retailers have turned towards digitalisation to improve their customer experience and find efficiency savings in a struggling retail sector. However, as Anthony Perridge points out, these opportunities don’t come without risks. Indeed, new analysis shows that the number of cyber breaches in retail more than doubled in the last year, resulting in disruption, reputational damage and significant financial losses.

Last year, health and beauty retailer Superdrug Stores admitted to a security breach that potentially compromised names, addresses and, in some cases, the dates of birth and phone numbers of 20,000 customers. The financial and reputational consequences of a cyber attack can be huge and retailers of all sizes, including Superdrug, need to ensure they can effectively respond to and recover from a cyber breach if the worst should happen.

Retailers are very tempting targets for hackers due to the sheer amount of business being done, the scale of their systems and the type of data being held. As a result, they face a multitude of threats from different cyber criminal individuals and collectives, using an ever-increasing variety of vectors and techniques.

In such a crowded environment, knowing where to direct defence activity is a large part of the problem. These businesses need cyber security teams to find a way to combine and summarise all external and internal threat data, filter out the noise, assess and prioritise threat intelligence and use that threat intelligence to act.

In cyber security, attack is the best form of defence. Therefore, the faster a team can streamline its ability to import, enrich, deploy and operationalise that information, the greater the chance that these actors make offensive mistakes and oversights.

Key challenges for retailers

The key challenges for retailers surround PII and payment information, spear phishing and vulnerability patching.

Personally Identifiable Information and payment information

Personally Identifiable Information (PII) and credit card data are essential to the retail industry. Every transaction involves the exchange of valuable information, and this massive amount of data makes retailers lucrative targets for threat actors. Secure payment technology helps to strengthen defences, but it’s not a silver bullet.

When attacks do happen, research by Visa shows that they result in higher impact breaches. While chip technology increases the security of Point-of-Sale transactions, it does nothing to protect Card Not Present transactions involved in the e-commerce side of the business.

Spear phishing

Many of the top threats to the retail industry use spear phishing e-mails that are nearly impossible to differentiate from legitimate ones. Some campaigns engage in a rapid, wide-scale attack to target multiple merchants using a scattergun approach. Others target the merchant’s Point-of-Sale vendor or integrator to gain access. Once inside the network, they take advantage of vulnerabilities for credential takeover and privilege escalation to steal payment card data or launch ransomware attacks.

Vulnerability patching

Threat actors take advantage of the fact that IT and security teams struggle to keep up with patching of their Point-of-Sale systems, e-commerce payment applications and underlying internal infrastructure. As retail merchants strive to remain competitive in this difficult market, they invest in additional digital channels, applications and technologies that add complexity to the environment, further compound patching challenges and create new vulnerabilities.

Six steps to success

Retailers need to ensure that their cyber teams are operationalising threat intelligence, thereby allowing teams to learn from industry peers and their own past experiences to discover adversarial TTPs and proactively reassess and strengthen defences to combat future attacks.

Following these six workflow steps allows retailers to successfully combat these ongoing threats.

Consolidation of all sources: Whether the information is external (eg R-CISC) or internal (eg SIEM), the threat intelligence and vulnerability data need to be kept in a central repository

Elimination: With the large amount of data and sources, it’s imperative to eliminate noise and easily navigate through vast amounts of threat data to focus on critical assets and vulnerabilities

Prioritisation: Security teams need to ensure that they prioritise what matters most for their respective environment

Proactivity: It’s important to ensure the teams are hunting for malicious activity which may signal payment card fraud, denial of service attacks and other harm to consumers and merchants

Focus: Attention on known security vulnerabilities in currently active exploits which may impact regulatory status and security posture is also a key step in ensuring proactive measures are taken

Analysis: Evaluation of, and response to, attacks against multiple targets, including Point-of-Sale systems, e-commerce applications, new digital channels and supporting infrastructure, is another important step in proactive measurement

All these steps are necessary. Having a robust threat intelligence platform to assist the security teams will ensure that retailers have the context and prioritisation they require to make better decisions and accelerate detection and response to combat the biggest threat to retailers in the modern digital age.

Anthony Perridge is Vice-President (International) at ThreatQuotient

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
