In today's drive to provide a premium online shopping experience, retailers handle more customer data, including shipping and contact information, shopping preferences, and purchase history, than ever before.
In 2022, the retail industry experienced 629 incidents, of which 241 involved confirmed data breaches, according to Verizon's 2022 Data Breach Investigations Report.
The primary goal of these incidents was to steal customer data for financial gain. This makes it essential for retailers to find more effective ways to protect this data from theft or unauthorized access in order to maintain a positive brand reputation and customer trust.
Cyber Risks in the Retail Environment
Security concerns are growing as Internet of Things (IoT) connectivity becomes more common in retail via self-checkouts, mobile payments, enhanced app functionality and more. Most businesses use IoT technology, but many don't have the proper security procedures to prevent cyberattacks. Retail payment systems have inherent vulnerabilities frequently caused by the enormous variety of hardware, software and cloud-based components required to operate them.
Third-Party Risk Continues to Impact Retailers
Beyond payment systems, the manufacturers, wholesalers and fulfillment centers that are crucial components of the modern retail supply chain can also be a security risk. Most retailers have several vendors, and those vendors have other vendors, creating a hidden web of data risk. Many of these vendors require connectivity to the retail network, adding an additional layer of risk. A recent Forrester report found that problems caused by third parties account for 60 percent of security incidents.
This is nothing new. Target's infamous 2013 incident came from an HVAC supplier, Fazio Mechanical Services. Fazio had remote access to Target systems so that it could check on and regulate the temperature of each store across the nation. Hackers accessed Target's network using Fazio's login information, obtained through a phishing attack, and stole payment card information, sensitive customer data, and other info.
Making Progress With a Risk-Based Approach
Retailers of all sizes must take security and privacy seriously across the entirety of their supply chains. While the PCI DSS is a useful tool to establish a baseline, using compliance status shouldn't replace an overall security stance; strong security can ensure compliance, but the inverse is not necessarily true. Security teams within retail organizations must be vigilant in discovering vulnerabilities in vendors' systems and implement policies and procedures to meaningfully reduce risk. A risk-based cybersecurity strategy has many different components, but retail organizations should focus on these two crucial elements for successful implementation:
- Risk scoring: Many risk variables from inside and outside an organization are considered during prioritization scoring. Security teams can discover and rank their organization's riskiest assets and vulnerabilities using this advanced risk assessment, enabling retailers to focus repair efforts on incidents with the most significant business impact.
- Vulnerability prioritization: Advanced vulnerability prioritization automatically considers threat data, asset context, and attack surface exposure analysis to evaluate and mitigate cyber risk. Rather than only looking at CVSS severity, this enables smarter and more accurate remediation strategies. Prioritizing the riskiest vulnerabilities allows organizations, even with complex environments and scarce resources, to focus their efforts where it counts.
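To make the contrast between CVSS-only ranking and the risk-based prioritization described above concrete, here is an added illustration (not code from the article or from Skybox Security). The weights, the `Finding` fields and the CVE identifiers are all assumptions or placeholders constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str           # identifier (placeholder values below, not real advisories)
    cvss: float        # base severity 0-10
    exploited: bool    # threat data: exploitation observed in the wild
    asset_value: int   # asset context: 1 (low) .. 5 (payment / customer data)
    exposed: bool      # attack surface: reachable from the internet or a vendor link
    third_party: bool  # asset sits on a segment a vendor connects into


def risk_score(f: Finding) -> float:
    """Illustrative risk score with assumed weights (not a vendor formula).

    CVSS is the starting point; exploitation evidence, asset criticality and
    exposure scale it, so an exposed medium on a payment host can outrank an
    unexposed critical on an isolated test box."""
    score = f.cvss
    score *= 1.5 if f.exploited else 0.8          # threat data
    score *= 0.6 + 0.2 * f.asset_value            # 0.8 (low) .. 1.6 (critical)
    if f.exposed:                                 # attack surface exposure
        score *= 1.3
    if f.third_party:                             # vendor connectivity (see above)
        score *= 1.2
    return round(min(score, 25.0), 2)


def prioritize(findings):
    """Remediation order under the risk-based score."""
    return sorted(findings, key=risk_score, reverse=True)


def by_cvss(findings):
    """Remediation order if only CVSS severity is considered."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed sample inventory; CVE ids are placeholders.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-1", 9.8, False, 1, False, False),  # critical, isolated test host
    Finding("CVE-PLACEHOLDER-2", 6.5, True, 5, True, True),     # medium, vendor-reachable POS gateway
    Finding("CVE-PLACEHOLDER-3", 7.5, False, 3, True, False),   # high, customer web tier
    Finding("CVE-PLACEHOLDER-4", 8.1, False, 4, False, False),  # high, internal order database
]

if __name__ == "__main__":
    print("CVSS only :", [f.cve for f in by_cvss(SAMPLE)])
    print("Risk-based:", [(f.cve, risk_score(f)) for f in prioritize(SAMPLE)])
```

With these inputs the CVSS-only order is almost the reverse of the risk-based one: the exploited, vendor-exposed medium on the POS gateway moves to the top and the isolated critical drops to last.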
Retailers will only become more vulnerable to cyberattacks as supply chains become more sophisticated and technology continues to replace in-person interactions in stores. That's why the time is now to ensure extensive cybersecurity measures are in place.
Terry Olaes is the senior technical director at Skybox Security, a global leader in security policy and vulnerability management.
Terry Olaes is director of North America systems engineering at Skybox Security. Terry brings more than 20 years of experience in IT, including IT/OT convergence, audit and compliance, data breaches, and incident management. Terry’s eclectic background, which includes working on the ground floor at a manufacturing plant, serving as a systems engineer, and managing large security teams, gives him a unique perspective on fortifying IT/OT security posture. Terry specializes in helping organizations devise the right cybersecurity strategies to help manage vulnerabilities and mitigate risks across IT, OT, and hybrid cloud environments.