3 Generative AI Security Risks Retailers Should Beware of
Generative artificial intelligence (GenAI) is the next big thing for retail. With 92 percent of retailers planning to increase AI investments next year, leading brands like Walmart are already rolling out GenAI assistants to help customers with purchases. The possibilities for GenAI are endless, but they create new risks for data breaches that everyone needs to beware of.
To protect your business and customers, it's important to understand how cybercriminals are using AI to infiltrate systems, where common exposure points are located, and how to assess the supply chain for vulnerabilities.
1. Speed and Personalization of Cyber Attacks, Magnified.
A multibillion-dollar international criminal organization is selling GenAI tools, helping bad actors around the world hack retail businesses. Experts predict these tools will help cybercriminals steal $1 trillion over the next year. Even before GenAI was launched, researchers mapped 33 offensive AI cyber capabilities. Cybercrime has never been more accessible and more potent through technology.
Hackers are using GenAI tools to speed up elements of cyberattacks — e.g., writing personalized, error-free phishing emails and leveraging malware — making it easier to infiltrate unsuspecting businesses. With tech enabling criminals to pose as someone from the IT department, employees can be tricked into sharing their passwords, for example, for routine maintenance. Criminals can even follow up with the employee via phone call, using GenAI to sound identical to a specific IT employee. It’s difficult for retail workers to recognize the danger of these new interactions — and once they realize, it’s already too late.
Simply put, GenAI is making it too easy. Cybercriminals can subscribe to underground GenAI phishing services for merely $200 to $1,000 a month. No one needs an advanced degree to be a hacker — just a computer, internet access and a few hundred dollars. To fight back, organizations should start with updated training to help employees recognize the signs of a GenAI cyberattack before it wreaks havoc. In addition, organizations must remain vigilant in implementing multilayered security solutions to protect their enterprises and may consider using AI-based threat detection tools. One thing is certain: With the rising threat landscape, now is definitely not the time to reduce security budgets.
2. The Cyber Attack Surface is Rapidly Expanding.
According to Accenture research, over 90 percent of retail executives say GenAI models will play an important role in their strategies in the next three years to five years. Over half of executives are experimenting with GenAI for customer support or process automation. With this rapid shift comes huge risks.
GenAI models require a massive amount of data. Retailers building GenAI models are often not properly securing this data — which can include competitive, proprietary or sensitive information. There must be strict limits on who has access to these datasets, which should be completely quarantined from other internal systems — especially as 63 percent of retailers report high turnover of their security staff.
To reduce complexity, many retailers are connecting with GenAI application programming interfaces (APIs) to get access to these large datasets. However, this comes with major risks as well. API attackers can leverage AI to appear as a legitimate user, helping them remain below the radar of monitoring systems as they hunt for vulnerabilities like broken authorization or business logic flaws. A large organization might have thousands of API endpoints. This attack surface is massive, and hackers can use GenAI to sift through APIs to pounce on the most vulnerable.
The urge to implement GenAI to aid in the customer experience or make the shopping experience more efficient is strong, but retailers must thoroughly assess the security of these models first. This requires implementing AI-enabled defenses such as adversary training, input perturbations, and ensemble methods to ensure the security of these systems.
3. Increased Vulnerabilities Throughout Digital Supply Chains.
These same risks multiply across retailers’ supply chains. Suppliers are using GenAI models too, so the same API vulnerabilities retailers are patching must be patched across the supplier base. Retailers should implement heightened assessments of their suppliers’ use of AI models and ensure they've taken proper security measures that don't jeopardize their own security. This includes developing strong contracts with vendors that outline security requirements, including clauses that mandate regular security assessments and reporting. Retailers should also continuously monitor third-party activities to detect any suspicious or unauthorized behavior.
As the use of GenAI grows in the retail industry and by cybercriminals, more vulnerabilities will be identified and the more likely the retail supply chain will be breached. Target’s 2013 cyberattack was one of the largest ever retail industry data breaches, exposing 41 million payment cards and contact information for approximately 70 million customers. This breach originated from a supplier. GenAI is accelerating security risks because retailers are unaware of where they could be exposed internally and across their supply base.
Fight Fire With Fire
Retail businesses have a plethora of sensitive customer information (e.g., credit card info, biometrics, social security numbers, etc.), making the industry a top target for cybercriminals armed with GenAI. As a result, the time is now to create a defensive plan for security as the exciting technology takes over.
Most retailers with a plan in place are overburdened with multiple security tools that provide wide-ranging protection — but only on the surface. In the era of GenAI, being too reliant on these tools will not guarantee your security. Retailers must fight fire with fire and implement AI cybersecurity systems that help predict where vulnerabilities lie and what actions to take to stay protected.
Kevin Pierce is the chief product officer at VikingCloud, the leading predict-to-prevent cybersecurity and compliance company.
