The state of cybersecurity in retail: how best to defend?


September 2022

The retail industry is heavily targeted by cybercriminals, and as the COVID-19 pandemic pushed more people to shop online, the e-commerce space has become a major focus for them. Retailers must therefore improve their security defences. Rashid Ali, Enterprise Solutions Manager at WALLIX, discusses the ways they can do this to ensure positive change in the retail space.

Whether you are a retail giant or a smaller regional shop, the risk of a cyberattack can be just as great. Retailers hold a wealth of sensitive data on their customers, from names and addresses through to spending habits, bank cards and other personally identifiable information: a gold mine for cybercriminals. So it hardly comes as a surprise that attacks are on the rise. The good news is that there are steps retailers can take to boost their security defences.

Embracing technology

One of the primary reasons the retail industry is seen as a hot target is that its infrastructure can be vulnerable and easy to break into. Retail systems are often built from a combination of technologies adopted over a long timeframe. Typically, this means legacy infrastructure is in place alongside newer cloud-based or digital innovations. Think, for example, of old point-of-sale systems and cash registers on the front end, which are essential to serve on-site customers, usually combined with some type of cloud system that powers the e-commerce side of the business.

The mixed technological state of retail is largely driven by the industry's desire and need to provide omnichannel touchpoints for consumers. To remain competitive, retailers need to offer convenience to their customers, which means providing payment options that are easy and familiar. As a result, there is often a reluctance to upgrade systems and roll out new and improved cash registers or POS systems. After all, now more than ever each transaction counts, and retailers do not want to introduce complex systems or barriers that may prevent sales.

However, we are seeing retailers looking to upgrade their digital offerings and enter the e-commerce space. The pandemic has certainly played a part in pushing this forward, with many retailers forced to embrace digital ways of doing business as the only way to keep sales coming through. But while these combined old and new systems meet retailers' goals of both efficiency and scalability, they also present multiple potential attack vectors for cybercriminals, and many retailers are unaware of this increased risk.

Risky business in retail

So, just how often do cyberattacks really impact the retail sector? Recent research points to a rise in cybercrime, especially as many retailers rushed through their digital transformation. In fact, data on the UK market showed we are particularly vulnerable to ransomware attacks, with one in every five attacks targeting an online retail business (21%). These attacks are costly for retailers because they cause widespread system downtime and reputational damage.

There are also several other reasons why retail is especially at risk of an attack. Customer data is frequently seen as high value because it gives access to information like credit card numbers, something highly sought after. Also, there is traditionally a higher rate of staff turnover in the retail industry, which means that, without proper management, there is also a high number of privileged accounts that still have access to systems.

The way forward: Simplify and enhance security

All these security risks point to the need for a robust privileged access management platform. In a nutshell, privileged access management is about making sure that no one person has complete access to all the data. It means implementing permission levels and making sure that, even when someone is granted permission to access highly sensitive data, other measures are considered alongside the password or credentials, such as the location of the request and the time it is made. This means any red flags can immediately be highlighted, protecting the business should a hacker steal credentials.

Many cybersecurity risks inherent to retail are related to privileged access, and having a system such as this in place can quickly and easily add an extra layer of protection while still granting access as and when needed. Attacks through a public access point such as an e-commerce login are stopped before they can do systemic damage or spread throughout the entire business, because the PAM system never grants such users privileged access to any part of the system. Outdated user accounts are discoverable and any privileged credentials can easily be revoked, which keeps hackers from succeeding with attacks that leverage outdated staff accounts. This also means that third parties like suppliers and contractors can only see the systems that are relevant to them and cannot 'bounce' to unrelated systems.

A robust PAM solution also secures machine-to-machine (M2M) components within a system. So even if a hacker somehow gains control of an IoT device in an automated warehouse, for example, the PAM solution has not granted privileged access to that device, and the hacker cannot use it as a platform from which to go further. To secure the system even further, a full-featured PAM solution is capable of real-time monitoring of all privileged session activity, automatically terminating suspicious sessions or alerting an admin.
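The contextual checks described above (credentials plus request location, time of day, account dormancy and third-party scoping) and the session-termination rule can be illustrated with a small policy evaluator. This is an added example, not WALLIX code; the users, systems, thresholds and the blocked command patterns are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample policy: which systems each account may reach, from which
# countries, and during which hours (24h, half-open range).
POLICY = {
    "alice":      {"systems": {"pos-db", "ecom-admin"}, "locations": {"GB"}, "hours": (8, 20)},
    "supplier-x": {"systems": {"stock-api"},            "locations": {"GB", "DE"}, "hours": (0, 24)},
}
STALE_AFTER = timedelta(days=30)  # assumed threshold for flagging an outdated account


def check_access(user: str, system: str, country: str, at: datetime,
                 last_login: datetime, credentials_ok: bool) -> Tuple[bool, List[str]]:
    """Return (granted, red_flags). Valid credentials alone never grant access:
    scope, location, time and account freshness are evaluated alongside them."""
    entry = POLICY.get(user)
    if entry is None or not credentials_ok:
        return False, ["unknown account or bad credentials"]
    flags = []
    if system not in entry["systems"]:
        flags.append(f"{user} is not scoped to {system}")          # third-party 'bounce'
    if country not in entry["locations"]:
        flags.append(f"request from unexpected location {country}")
    start, end = entry["hours"]
    if not start <= at.hour < end:
        flags.append(f"request outside permitted hours ({at.hour:02d}:00)")
    if at - last_login > STALE_AFTER:
        flags.append("account dormant; candidate for revocation")  # staff turnover
    return not flags, flags


def monitor_session(commands: List[str],
                    blocked=("DROP TABLE", "useradd", "rm -rf")) -> Optional[str]:
    """Scan a recorded privileged session; return the termination reason at the
    first command matching a blocked pattern, or None if the session is clean."""
    for i, cmd in enumerate(commands):
        if any(pat in cmd for pat in blocked):
            return f"terminated at command {i}: {cmd}"
    return None


if __name__ == "__main__":
    now = datetime(2022, 9, 15, 23, 0)
    print(check_access("alice", "pos-db", "US", now, now - timedelta(days=60), True))
    print(monitor_session(["SELECT COUNT(*) FROM orders", "DROP TABLE customers"]))
```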

Remaining compliant and secure

Not only does this type of technology significantly enhance security, it also enables the business to remain compliant. The retail industry is subject to a wide variety of regulations with which companies must comply, for example PCI DSS, GDPR, NIST and SOX, to name just a few. Alongside the session monitoring capabilities, if the PAM solution also records every session and makes it searchable, there is always an audit trail to aid compliance with all those regulations. Furthermore, the recorded sessions are also useful for security reviews and for training security team members. It is a win-win scenario for retailers.

Cybersecurity in the retail industry does not need to be complicated, and retailers need to compromise between new and old technology. However, it is essential that we start to acknowledge the risks, implement PAM technology that can combat them and start to turn the tide, shining a light on just how secure and innovative the retail space can be.

Read the article on Intelligent CISO here.