Retailers are among the most targeted organizations by cybercriminals, and it’s important to ensure security is strong, especially ahead of major retail events, according to security firm Sekuro.
Prashant Haldankar, CISO at Sekuro, says while online shopping has opened up a whole new world of convenience, it has meant that retailers (and their customers) have increasingly become targets for cyberattackers and scammers.
“Every e-commerce transaction deals with a lot of sensitive personal information — from your name, address and phone number to your bank or credit card details,” says Haldankar.
“So retailers need to make sure their security device is watertight, especially ahead of big trade events like EOFY sales,” he says.
Sophos found that retail, along with education, was the industry most affected by ransomware in 2020 with 44% of organizations affected (compared to 37% across all industry sectors). Other common attacks against retailers include credential phishing and malware attacks.
“Any of these can spell disaster for a retailer and its customers – from halting operations during critical shopping times, to the theft of customers’ credit card information used to make fraudulent purchases, to personal information of people held for ransom or sold on the dark web,” Haldankar said.
“This increase in cybersecurity attacks in retail may be due to a combination of factors, including: higher efficiency for a hacker to obtain personal information about consumers, allowing them to use the same model of attack on similar retail organizations, and social engineering activities to compromise security, often unforeseen by retailers, leaving retail organizations vulnerable to hackers who wish to use their employees and others to obtain sensitive information.”
Fortinet research also shows that as retail businesses grow, so do their attack surfaces. Whether retailers expand through physical stores or online, every new outlet, store, or website is a potential target for retail cybersecurity threats.
“So how can retailers stay ahead of ever-evolving threats? When it comes to credential phishing, most think attackers only target consumers, but searches show that scammers are increasingly preying on corporate targets,” Haldankar said.
“This is because hackers can use an account as a starting point to attempt further phishing operations within an organization and throughout its supply chain – including accessing customer information,” he says.
“Strong staff security training and email protection are your best line of defense here.”
To mitigate the risk of malware and ransomware, tools such as firewalls and intrusion detection/prevention systems can help protect retailers from remote attacks. Email services can also be configured to block links that trick staff into visiting malicious sites or opening dangerous attachments, Haldankar says.
“The old adage of frequent patching is also key to ensuring that known exploits don’t leave the door open to attackers,” he says.
“It’s also essential to have a valid backup strategy, so if the worst happens, only the minimum amount of data is lost.”