Targeted attacks on retailers are becoming all too common, but what can be done about it?
The 2016 annual Retail Crime Survey by the British Retail Consortium (BRC) showed that 53% of retail fraud is committed via cyber-attacks. Supporting this report, RPC, a UK corporate and insurance law firm, states that the number of retail businesses reporting data breaches to the ICO has doubled in the space of one year.
The RPC also points out that these statistics do not represent retail as a whole, as companies are not currently required to report every attack they suffer. The actual number of data breaches in the retail sector is likely to be even higher. This will change, however, once the new GDPR laws take effect in May 2018, where reporting breaches will be made mandatory.
The huge rise in the use of online shopping, loyalty programmes, digital marketing and online receipts has escalated the quantity of personal data that retail suppliers hold. With retail companies gaining more and more information about customers, these databases have been rightly described by Jeremy Drew, Partner at RPC, as a “goldmine of personal data to hackers”.
Mark James, ESET IT Security Specialist, looks into how data breaches can occur in the retail industry and the best ways to combat attacks for both the retailer and consumer.
“Hackers are definitely getting better, or maybe more advanced is a better description, and when data breaches happen, any shortfalls in the defences of retailers are quickly brought to light.
“Stopping cyberattacks is a mixture of established defences, knowledge of current methods, predicting future attacks, and being able to react quickly, adapting as needed.
“Of course one of the biggest problems is not knowing if you have done enough until the attack happens. For the retailers to be successful they have to stop every attack every time, whereas the bad guys only need to be successful once.
“In any large company there is a degree of ‘if it ain’t broke, don’t fix it’, and sometimes when it comes to computer systems this can still apply.
“For retail to work smoothly, systems need to integrate. They need to share data seamlessly across many platforms and indeed stores.
“In each store there may be smaller networks or tills, POS and computers that all have to work together with little or no friction.
“As software advances we are forced to upgrade to stay current, but in an environment where upgrading one or two machines could cause stability issues for other machines.
“So we end up with whole connected systems running outdated or old software.
“This of course can, and does, lead to vulnerabilities, and as time moves forward these systems get older and more vulnerabilities are found and used to compromise those systems.
“The number one rule in security is: keep it up to date. Updating in stages is much easier (and often cheaper) than being forced into whole-network upgrades, but they have to be done to keep your systems from becoming the next target on an ever-increasing list.
“As customers we also have the responsibility to be careful.
“We would not have the same key for our house, car and office building so why have the same password for multiple logins? If we limit our attack surface then we give the bad guys less of a chance of hitting the jackpot.
“If the data retrieved from one data breach is unable to be used in another attack then it’s bordering on useless.”
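The last two points above, that reused passwords turn one breach into the key to another, and that leaked data becomes near-useless when it cannot be replayed elsewhere, are something a retailer's security team can check for directly. The following is an added example (not code from the original post or from ESET): it takes a constructed credential dump of the kind exposed by a breached third party and tests it against a constructed, salted PBKDF2 password store of the retailer's own accounts, reporting which accounts would fall to simple credential reuse so that those users can be forced to reset. All e-mail addresses, passwords and the PBKDF2 parameters are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: a credential dump as it might circulate after a breach
# elsewhere (e-mail + plaintext password). Not real data.
BREACH_DUMP = [
    ("alice@example.com", "Summer2016!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
]


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, as a sensible login system would store it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_store(plaintexts):
    """Build the retailer's own store: email -> (salt, hash). Plaintext is never kept."""
    store = {}
    for email, pw in plaintexts:
        salt = os.urandom(16)          # per-user random salt
        store[email.lower()] = (salt, hash_password(pw, salt))
    return store


# Constructed: the retailer's own accounts. Alice reused the password that leaked,
# Bob chose a different one, Carol has no account here, Dave is not in the dump.
OWN_USERS = make_user_store([
    ("alice@example.com", "Summer2016!"),
    ("bob@example.com", "different-pass-123"),
    ("dave@example.com", "unrelated"),
])


def accounts_at_risk(dump, store):
    """Return the e-mails in the dump whose leaked password also opens a local account."""
    at_risk = []
    for email, leaked_pw in dump:
        entry = store.get(email.lower())
        if entry is None:
            continue                   # no local account for this address
        salt, stored = entry
        # Re-derive with the user's own salt; constant-time compare avoids timing leaks.
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            at_risk.append(email)
    return at_risk


if __name__ == "__main__":
    for email in accounts_at_risk(BREACH_DUMP, OWN_USERS):
        print(f"force password reset: {email}")
```

Because the store holds only salted hashes, the check never needs the retailer's own plaintext passwords; it re-derives the leaked value under each matching user's salt. Bob's leaked password is useless against this site, which is exactly the outcome the quoted advice is aiming for.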
Do you think responsibility lies with the retailer or yourself? Let us know on Twitter @ESETUK.