New advancements in technology are changing the retail industry in unprecedented ways, further blending the physical and digital worlds and forever evolving customer experience. As the industry changes, so do the methods cybercriminals use to steal sensitive data from companies and consumers.
Prior to 2018, cybersecurity data suggested that the most common type of incident in the retail industry was point-of-sale (POS) intrusion. This included the remote compromise of POS environments, as well as the corresponding malware and payment card exfiltration. Recent data, however, shows that attackers are now targeting retailers through new and improved methods, leaving companies scrambling to pick up the pieces after a breach has occurred.
Attack Patterns Are Changing
According to this year’s Verizon Data Breach Investigations Report (DBIR), web application attacks have overtaken POS intrusion as the most common cyberattack. Since 2014, POS breaches have decreased by a factor of 10, while web application breaches are 13 times more likely to occur and hit unsuspecting retailers.
So, how do cyber threat actors pull off these web attacks?
First, they compromise a website’s payment application, and then they install code into the application that will capture customers’ payment card information as they complete their purchases. These are the everyday attacks that don’t necessarily make headlines, but have the same consequences as the ones that do. Today’s cybercriminals look for vulnerable e-commerce applications to provide an avenue for efficient and automated attacks. In fact, there are criminal groups that specialize in these types of low-hanging fruit attacks.
What Can Companies Do About It?
To keep data safe, retailers must take appropriate measures to help combat cyberattacks. While there's no end-all solution, here are a few steps companies can take to mitigate risk:
- Know the importance of integrity software. Cybercriminals who target web applications aren’t targeting data at rest. Rather, they inject code to capture customer data as it's entered into web forms. To combat this method, consider adding file integrity software to your malware defenses on payment sites, in addition to patching OS and payment application code.
- Embrace what’s new. Continue to embrace new technologies that make it harder for criminals to use POS terminals as low-hanging fruit. Some considerations are EMV and mobile wallets, or any other method that utilizes a one-time transaction code, as opposed to the primary account number (PAN).
- Remember, it’s not just the payment card data. While criminals are often after payment card information, it’s not the only data variety that they consider useful. Rewards programs that can be leveraged for "points" are potential targets, as is your customers’ personal information.
For many retail organizations, especially smaller ones, implementing widespread security measures is neither affordable nor feasible. However, each security step, no matter how small, can have highly beneficial impacts when it comes to detecting and deterring cybercriminals. It’s also important to educate your staff on identifying potential threats. Ensuring that someone in your organization can detect a threat is a simple but valuable start.
In the cybersecurity world, retailers live in the unenviable position of having to consider their own data security as well as that of their many customers. In an increasingly digital age, it’s important to install as many security measures as your company can, but equally important is your awareness of what cybercriminals are after and how they’re doing it. Having an open mind to the newest technologies is an invaluable way to always be one step ahead of would-be attackers.
Michele Dupré is the group vice president of Verizon Enterprise Solutions, a division of Verizon Communications that provides services and products for Verizon's business and government clients globally.
Michele Dupré is a group vice president at Verizon Enterprise Solutions and is responsible for enterprise customers in the Retail, Hospitality & Distribution Verticals as well as customers headquartered in Canada. In this capacity she is responsible for maintaining and growing a base of more than 160 vertical enterprise customers and over 1000 customers in Canada.
In her role, Michele is charged with driving sales strategy while focusing on acquiring new customers, increasing profitable revenue growth and maintaining the global customer base. Additionally, Michele leads the development and growth of her enterprise leadership and sales team.
Michele’s organization is comprised of sales, sales operations and support personnel who drive business solutions including network and managed services, security, mobility, collaboration, professional services and outsourcing.
Previously, Michele was group vice president for enterprise customers for the Central U.S. Region. With revenue responsibility in excess of $1B and over 3000 accounts, she led one of the largest areas in the U.S. In her prior role she was area vice president for enterprise customers in Illinois & Wisconsin and had revenue responsibility in excess of $500M. Before that, she was a branch vice president of Sales for Premier Accounts, where she led a team of sales and service professionals responsible for some of the largest global and Fortune 100 customers in Chicago and Wisconsin.
Michele started her career with the legacy company, MCI, in 1988 and has over 25 years of industry experience. Based in Chicago, Michele is also a noted contributor to media publications including Women’s Wear Daily, CNBC.com, USA Today and Forbes among others.