Retailers Under Cyberattack – What They Can Do Now and in 2018 to Protect Themselves

Generally speaking, there are two types of attacks against retailers: attacks at the point of sale, where a POS device is compromised or fraudulent cards are used for purchases, and attacks at the corporate location, where criminals compromise a retailer's entire customer and transaction history. This blog post focuses on the latter: the nature of the attacks, and how retailers can detect breaches before data is lost.

The Scope of the Cybersecurity Challenge is Evidenced by Boardroom Interest

The scale of the cybersecurity problem for retailers can be measured not only by evaluating threat activity and losses, but also by studying the priorities of boardrooms and executives in the retail sector.

In a survey conducted by Lastline of the 2016/2017 annual reports of FTSE 250 retailers with a market capitalisation of £1 billion or more, the strategic risk from information security and data protection is addressed in the annual reports of 100 percent of retailers. The threats mitigated by cybersecurity are further highlighted as a principal risk by 93 percent of retailers. Additionally, implementing processes and controls to achieve compliance with the General Data Protection Regulation (GDPR) by May 2018 is specifically mentioned in 73 percent of major retailers' annual reports.

The boardrooms of major retailers have stated without exception – 100% of reporting organizations – that regular briefings, reviews and reporting of cybersecurity status happen not only at board level but are additionally reviewed by internal and external audit functions, in order to measure the effectiveness of risk management against cyber threats. Finally, 47 percent of major retailers have also proactively tested the effectiveness of their controls or have conducted a simulated breach response planning exercise.

Retail-specific Cybersecurity Threats

Cyber threats can generally be bucketed by which of three risks they cause (often more than one):

  • Loss of intellectual property, such as product design or details of confidential supplier agreements
  • Loss of controlled data, often personally identifiable information (PII) about their customers
  • Loss of operational capability, for example a ransomware infection that effectively shuts the retailer down; this is particularly damaging at this time of year

Retailers are, and need to be, concerned about all three types of risk. However, the highest-priority risk to retailers is the loss of PII, customer information and financial data caused by unauthorized access to internal systems. This is the black swan scenario on which retailers' cybersecurity mechanisms place their emphasis.

Responding to a Breach Starts Before it Happens

Having a clearly defined incident response process is vital for gauging how to react to different types of scenarios or situations. Even the basic determination of whether an intrusion actually resulted in a breach needs to be considered and planned for, given that an intrusion is often the precursor to a larger data breach.

For example, the sale of stolen merchant accounts is big business on the dark web (see example below of how stolen accounts are promoted).

[Image: retailer cyberattacks on the dark web]

A criminal group could buy stolen accounts for a number of fraudulent reasons. Often the goal is simply to purchase goods with stolen credit cards (the resulting goods are sold on the dark markets as "carded items"); returns fraud is another popular technique used by criminal groups. This known bad activity is a factored loss, well understood by retailers.

But there are other, more challenging scenarios for which retailers also must prepare themselves. What has proven more difficult to detect and gain visibility into is the threat actor that takes the stolen credentials and then tries to move deeper into the organization, moving laterally until they compromise sensitive databases and payment systems. The key step retailers need to take is to ensure appropriate visibility into the precursors of unauthorized network access that indicate the potential for a future breach of sensitive data.

Responding quickly and effectively is a critical success factor here. This requires, at a minimum, understanding the full scope of the breach (i.e., all systems and data that have been affected), isolating and cleaning infected systems, and notifying customers and regulatory organizations as appropriate.

Adequate Protection Requires Technology

Retailers have invested heavily in cyber response teams. However, the size of these teams is typically too small for them to be consistently successful, and just like with every other industry, there simply aren’t enough qualified candidates to fill open positions.

Retailers need to arm their security teams with strong detection technologies reinforced with automated analysis platforms that proactively study and analyze user activity and internal system behaviors. Such technologies will enable small teams to hunt for the high-risk precursors to a breach, and stop unauthorized access before it causes harm.
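The two sections above describe the precursors worth hunting for: a stolen credential that starts being used from a machine the account has never used, and that then fans out to many internal hosts in a short window. The following is an added illustration of that detection logic, not Lastline's product code; the log format, host names (ws-101, ws-233, db-cust-1 and so on), the baseline table and the thresholds are all constructed for the example.

```python
"""Flag lateral-movement precursors in authentication logs.

Added example (not Lastline code). Two cheap signals computed from
existing logon records:
  1. an account logging on from a source host outside its baseline;
  2. an account reaching an unusual number of distinct destination
     hosts inside a short sliding window (fan-out).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log line format used for this example only
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

# Constructed baseline: source hosts each account normally logs on from
BASELINE = {
    "jdoe": {"ws-101"},
    "svc_backup": {"bkp-01"},
}

# Constructed sample log: a normal day for jdoe, then the same account
# appearing from a different workstation and touching five hosts in
# under two minutes, plus an unremarkable service-account logon.
SAMPLE_LOG = """\
2017-12-04T09:00:01 auth user=jdoe src=ws-101 dst=fileserv-1 result=success
2017-12-04T09:05:12 auth user=jdoe src=ws-101 dst=mail-1 result=success
2017-12-04T21:10:00 auth user=jdoe src=ws-233 dst=fileserv-1 result=success
2017-12-04T21:10:20 auth user=jdoe src=ws-233 dst=db-cust-1 result=success
2017-12-04T21:10:45 auth user=jdoe src=ws-233 dst=db-cust-2 result=failure
2017-12-04T21:11:05 auth user=jdoe src=ws-233 dst=pos-gw-1 result=success
2017-12-04T21:11:30 auth user=jdoe src=ws-233 dst=hr-1 result=success
2017-12-04T22:00:00 auth user=svc_backup src=bkp-01 dst=fileserv-1 result=success
"""


def parse(log_text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # never let one bad line stop the whole pipeline
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def find_precursors(events, baseline, window=timedelta(minutes=10), fanout=4):
    """Return alerts as tuples: (kind, user, detail, timestamp).

    Failed logons count towards fan-out too: an attacker probing hosts
    with a stolen credential produces failures as well as successes.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> (ts, dst) pairs inside the window
    seen_src = set()              # (user, src) pairs already reported
    seen_fanout = set()           # users already reported for fan-out
    for e in events:
        user = e["user"]
        # Signal 1: logon from a source host outside the account's baseline
        if user in baseline and e["src"] not in baseline[user]:
            if (user, e["src"]) not in seen_src:
                seen_src.add((user, e["src"]))
                alerts.append(("new_source", user, e["src"], e["ts"]))
        # Signal 2: distinct destinations reached inside the sliding window
        q = recent[user]
        q.append((e["ts"], e["dst"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= fanout and user not in seen_fanout:
            seen_fanout.add(user)
            alerts.append(("fanout", user, sorted(distinct), e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, detail, ts in find_precursors(parse(SAMPLE_LOG), BASELINE):
        print(f"{ts.isoformat()} {kind:<10} {user:<12} {detail}")
```

Run on the constructed log it raises exactly two alerts for jdoe (the new source ws-233 and the fan-out to four hosts) and none for the service account, which stays within its baseline. In practice the baseline would be learned from weeks of history rather than hard-coded, and the thresholds tuned per role: an administrator's jump host will legitimately fan out far more than a cashier's workstation.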

Looking Ahead – Retail Cybersecurity Threats in 2018 and Beyond

The Lastline survey of major retailers' annual reports uncovered that in 100 percent of retailers there was not a single mention of bitcoin, blockchain or cryptocurrency. However, we are seeing blockchain-based domain names used to host stolen data and credit card information, making it harder for law enforcement to trace and shut them down. As retailers increasingly adopt cryptocurrencies, the potential for increased losses via stolen wallet data will raise the overall level of fraud.

In addition, proving that no harm was done (that is, that data was not exposed or stolen) will become an important metric for cybersecurity in retailers. Automating the gathering of evidence that clearly shows that infections and unauthorised access did not expose sensitive data will be a critical function in deciding whether to alert regulatory bodies under the 72-hour notification requirement in GDPR (which regulates all companies doing business with European citizens, not just European companies).
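As an added illustration of the evidence-gathering step just described (not Lastline's code), the function below takes the incident window and the accounts and hosts known to be compromised, walks a data-store audit log, and produces a record that says whether any classified store actually returned data to those principals. The JSON-lines audit format, the data-store classification table and the entries in it are all constructed for the example; a real deployment would read these from the database proxy or DLP system that already logs them.

```python
"""Assemble evidence on whether an intrusion touched sensitive data.

Added example (not Lastline code). The output is the artefact a
notification decision under GDPR's 72-hour rule should rest on: every
access by a compromised principal to a classified data store inside the
incident window, with the row counts, and a single yes/no conclusion.
"""
import json
from datetime import datetime

# Constructed classification of data stores (hypothetical names).
# Anything not listed is treated as sensitive until someone classifies it.
DATA_STORES = {
    "db-cust-1": "PII",
    "db-orders": "PII",
    "wiki": "internal",
    "fileserv-1": "internal",
}

# Constructed audit log in JSON-lines form, as a hypothetical DB proxy might emit.
AUDIT_LOG = """\
{"ts": "2017-12-04T21:10:25", "user": "jdoe", "host": "ws-233", "store": "db-cust-1", "op": "SELECT", "rows": 0}
{"ts": "2017-12-04T21:10:50", "user": "jdoe", "host": "ws-233", "store": "wiki", "op": "READ", "rows": 12}
{"ts": "2017-12-04T21:12:00", "user": "jdoe", "host": "ws-233", "store": "db-orders", "op": "SELECT", "rows": 48213}
{"ts": "2017-12-05T08:00:00", "user": "jdoe", "host": "ws-101", "store": "db-cust-1", "op": "SELECT", "rows": 3}
{"ts": "2017-12-04T21:30:00", "user": "asmith", "host": "ws-102", "store": "db-cust-1", "op": "SELECT", "rows": 5}
"""


def build_evidence(audit_text, window_start, window_end,
                   compromised_users, compromised_hosts):
    """Return a dict summarising every data-store access attributable to the incident.

    An access is attributed if it falls inside the window and was made either
    by a compromised account or from a compromised host (either is enough:
    the attacker may have used a different account from the foothold host).
    """
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    sensitive_hits, benign_hits = [], []
    for line in audit_text.splitlines():
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        if not (start <= ts <= end):
            continue
        if rec["user"] not in compromised_users and rec["host"] not in compromised_hosts:
            continue
        cls = DATA_STORES.get(rec["store"], "unclassified")
        entry = {**rec, "class": cls}
        # Conservative rule: only stores explicitly marked internal are benign.
        (benign_hits if cls == "internal" else sensitive_hits).append(entry)
    # A query that returned zero rows was an attempt, not an exposure; the
    # attempt is still recorded so the reviewer can see it.
    exposed = any(h["rows"] > 0 for h in sensitive_hits)
    return {
        "window": [window_start, window_end],
        "principals": sorted(compromised_users),
        "hosts": sorted(compromised_hosts),
        "sensitive_accesses": sensitive_hits,
        "rows_of_sensitive_data_returned": sum(h["rows"] for h in sensitive_hits),
        "non_sensitive_accesses": len(benign_hits),
        "exposure_found": exposed,
    }


if __name__ == "__main__":
    report = build_evidence(AUDIT_LOG, "2017-12-04T21:00:00", "2017-12-04T23:59:59",
                            {"jdoe"}, {"ws-233"})
    print(json.dumps(report, indent=2))
```

With the full evening window the record shows one PII query that returned nothing and one that returned 48,213 rows from db-orders, so `exposure_found` is true and the notification clock is running. Narrow the window to end before 21:11 and the same function reports a single zero-row attempt and no exposure, which is the kind of documented negative result the text is describing. The access by asmith and jdoe's next-morning query from the normal workstation are deliberately excluded: scoping the evidence to the compromised principals and the window is what keeps the conclusion defensible.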

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both Bush and Obama administrations, The Cabinet office, the Foreign and Commonwealth office, SWIFT, Swiss National Bank, Prudential Regulation Authority, the Bank of England, The Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.