With payment-card details and personal data remaining a lucrative cash cow for cybercriminals on the dark web, retailers are firmly on criminals’ radar these days. E-commerce and business-to-business (B2B) transactions are the norm for most shops, which opens up a big digital avenue straight into the heart of the business for capturing card information and personally identifiable information (PII) including names, addresses, shopping preferences, and loyalty program information. Exacerbating matters is the fact that retail tends to be a vertical that falls behind on the security front – something that cyber criminals are well aware of.
All of this means that if you’re in charge of a company in the retail space, you need to make cybersecurity a priority. In case it’s not already, here are eight stats to think about as you plan strategic decisions going forward.
1. Retailers are top targets for cyber criminals.
According to a recent Alert Logic cybersecurity report, retailers topped the list of cyberattack targets out of eight different types of organizations (4,000 organizations in total). Alert Logic’s analysis of the attacks in this vertical revealed aggressive scanning, including indicators of extensive directory-guessing techniques and a large array of automated code injection and vulnerability scanning. Application attacks, where hackers infiltrate a victim company’s mission-critical services in order to capture the information flowing to and from them, are by far the dominant attack type in this industry group, accounting for 85 percent of all attacks.
2. Retailers lack social-engineering awareness.
The retail industry ranks dead last in foiling social-engineering efforts, where cyber criminals pose as legitimate correspondents in an email to get an employee to click on a malicious link or open a weaponized attachment. According to the 2018 SecurityScorecard Retail Cybersecurity Report, because the retail industry employs younger, less experienced people at a higher rate than other industries, these employees may be less aware of these attack vectors.
3. Most retailers miss the mark on PCI compliance.
Also, according to SecurityScorecard, more than 90 percent of retailers are out of compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a standard for those that handle credit and debit card transactions. It’s mandated by law, requiring steps such as maintaining a firewall around customer data, practicing good hygiene when it comes to account passwords, and so on. Penalties for non-compliance are as high as $100,000 every month or $500,000 per security incident.
4. Retailers fall behind on encryption for data in the cloud.
According to the retail edition of the “2018 Thales Data Threat Report,” despite being among the primary adopters of cloud storage for company and customer information, retailers tend to put encryption for the data they keep in the cloud on the back burner. Only 26 percent of U.S. retailers are implementing encryption in the cloud today.
5. Data breaches are accelerating.
The Thales report also revealed that half of U.S. retailers experienced a data breach in the past year, up from 19 percent the year before. Further, a full 75 percent of retailers have experienced at least one data breach in the past.
6. Retailers see data theft as the biggest challenge this year.
According to the SecurityScorecard report, eight in 10 retailers think that their biggest IT challenge for 2019 is combatting data theft. And no wonder: a majority (79 percent) of those hit with an incident in 2018 said they lost customers, while 62 percent admitted to incurring legal costs.
7. Breaches impact customer loyalty.
According to a study by KPMG, a fifth (19 percent) of consumers would take their retail business elsewhere after a breach, and 33 percent would take a break from shopping at a store for an extended period. Examples of 16 retailers that have been affected by data breaches since January 2017 can be found here.
8. Security spending is on the rise.
The good news is that many retailers seem to be waking up to the cyber-dangers out there and the implications of a breach or attack. According to the Thales study, 84 percent of U.S. retailers plan to increase their security spending in the next year.
The bottom line is that cybersecurity trends are growing worse for retailers in terms of the volume and success rate of attacks. This, combined with a lack of awareness and poor security posture within the vertical, makes retail an attractive target for information thieves. All too often, retail locations don’t have in-house expertise, which can be an obstacle for security preparedness.
The good news is that a growing number of retailers are increasing their use of managed security services to fill the gaps in personnel and budgetary resources. For example, TPx has a full range of state-of-the-art protections and mitigation services, all offered on a cost-effective, managed basis. Call your TPx representative today to find out how we can help your retail business navigate the always-evolving threat landscape.
About the Author
Erik Nordquist is the Senior Product Manager for TPx Communications’ managed security services. He’s led a broad range of critical activities, including Field Operations and the Hostmaster team where he built TPx’s anycast DNS network to service its 55,000 customer locations. His work on the Network Integrity team made him the resident expert for mitigating Denial of Service (DoS) attacks. After interfacing with customers for years, Erik is bringing his customer-focused approach to his Product Manager role, helping to deliver first-in-class security services to TPx clients with unsurpassed customer support.