Hackers and their tactics are continually evolving, but one thing remains the same: retailers are prime targets for cyber-attack. This is such a widespread issue that in nearly every cyber-security report of the past few years retail is the industry topping the list of attacked organisations. Given this, along with the sheer volume of cyber-attacks that occur daily, it is vital that retailers step up their security maturity. Understanding the risks involved, along with the steps that can be taken to mitigate them, will help retailers both large and small.
The Cloud Conundrum
Cloud adoption is a double-edged sword regardless of industry: on one hand it is a potential step forward and an opportunity for transformation, but it also brings the risk of mistakes, security-impacting errors and software bugs, each of which gives malicious actors an opportunity to profit. Retailers must recognise that e-commerce is already a main target for cyber-attacks because of the rich pickings of consumers’ personally identifiable information (PII), intrinsically linked to the payment data required to complete transactions. At the very least, personal information is stored for future use and targeted marketing.
When a retailer is hacked, potentially millions of individuals fall victim to the hacker, having their information stored and sold on the dark web, ready to be merged with other data sets to build up useful profiles of the general public for identity theft and phishing campaigns.
It doesn’t matter how large or small the company: cyber-attacks have become so sophisticated, and so increasingly automated, that no business is immune. Retail, hospitality and accommodation often top the list of most targeted industries, but targeted attacks are dropping, and ‘spray and pray’ attack automation means that vulnerabilities will be found and exploited regardless of company profile.
The E-Commerce race to easing purchase barriers brings its own challenge.
Retailers running e-commerce platforms should be aware that they are more likely to be saddled with older IT security features, because their systems naturally change incrementally to protect revenue; this means they have an increased need to maintain those systems with robust security processes. Even newer systems may not be fully resistant to application attack techniques, so they require monitoring and review. Developing and running e-commerce applications is pure economics: the security of the application is often a low priority compared to delivering a positive customer experience. This lack of attention to security measures, coupled with increased investment by attackers, means that application attacks are likely to remain a significant risk for the retail industry now and in the future.
Revenue directly shapes retailers’ perception of cyber-attacks: crypto-mining malware on servers can be perceived as “costing” less than the actions needed to remove it. Taking longer to release new features because of security testing may be perceived as a threat to the bottom line, but ultimately this demonstrates short-term thinking and risks longer-term damage.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle credit cards. PCI compliance demonstrates that retailers have control over the payment card information they process and that they take steps to prevent data theft and fraud. It is required by law, which means any retailer that isn’t currently in line with PCI needs to take immediate steps to do so. The penalties for non-compliance are as high as $100,000 every month or $500,000 per security incident.
There are different levels of PCI compliance, and any organisation that takes payments for goods or services on the internet, even if the actual transaction is outsourced, must go through some level of assessment.
Any organisation that runs public-facing applications must place security itself, security testing and, if running bespoke applications, secure coding best practices on its critical path. This includes several considerations:
- Become deeply familiar with the Open Web Application Security Project (OWASP) Top 10, bearing in mind that older versions can still apply to older systems. In other words, just because something has dropped in priority in the latest version of the OWASP Top 10 does not mean it is a lower priority for you if your application, or its components, are dated.
- Security-focused testing means full tests against every component that can impact the security of the application. Integration and regression testing are vital; unit and smoke testing methods are not appropriate for security-critical components such as authentication, data access and integration.
- Sanitise user input; this cannot be overstated. Developers are inclined to produce a path of least resistance for integrated components and to improve performance. When applications talk to each other they need to exchange complex information, and handing it off in a homogenised or simplified form can be easier, but leaving the remote application to deal with interpretation hugely increases the likelihood of remote compromise. Always write code to handle and exchange well-structured and strictly typed data.
- Monitor third-party component vendor sites and other vulnerability lists to identify priority patches that need to be put in place. Using third-party modules or plugins may seem like a money saver, and in the development pipeline it is, but that saving needs to be offset with security processes and maturity. It may reduce the number of developers on staff, but in reality it significantly increases the number of individuals who can affect the security of the application, whilst relinquishing control.
- Authenticate everything and everyone. Any remotely accessible endpoint must confirm the identity and authority of the caller and behave accordingly. Consider the streaming service that implemented very robust application interface authentication, but skipped the process altogether if no authentication token was sent. Audit and document third-party integrations especially, and do not allow human perceptions of trust to influence the measures implemented to authenticate access.
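The "well-structured and strictly typed data" point above, shown as an added example that is not part of the original article. A storefront hands an order message to a fulfilment service; the loose handler passes whatever arrived straight through, while the strict handler enforces field names, types, formats and ranges. The message fields, limits and sample messages are all constructed for the illustration.

```python
"""Added example (not from the article): strict, typed validation of a
message exchanged between two e-commerce components.

Assumptions (constructed): the storefront sends the fulfilment service a
JSON object with fields order_id, sku, quantity and notes. The formats and
limits below are hypothetical."""
import json
import re
from dataclasses import dataclass

ORDER_ID_RE = re.compile(r"^ORD-[0-9]{6,10}$")
SKU_RE = re.compile(r"^[A-Z0-9-]{3,32}$")
MAX_QUANTITY = 1000
MAX_NOTES_LEN = 200
EXPECTED_FIELDS = {"order_id", "sku", "quantity", "notes"}


class ValidationError(ValueError):
    """Raised when an incoming message does not match the strict schema."""


@dataclass(frozen=True)
class Order:
    order_id: str
    sku: str
    quantity: int
    notes: str


def parse_order_loose(raw: str) -> dict:
    """The 'path of least resistance' the article warns about: the message is
    decoded and handed on as-is, leaving interpretation (and any attack
    surface) to whatever consumes it downstream."""
    return json.loads(raw)


def parse_order_strict(raw: str) -> Order:
    """Hardened form: every field must be present, of the declared type and
    within an explicit format or range; unknown fields are rejected."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValidationError(f"not valid JSON: {exc}") from None
    if not isinstance(data, dict):
        raise ValidationError("order must be a JSON object")
    if set(data) != EXPECTED_FIELDS:
        raise ValidationError(
            f"unexpected or missing fields: {sorted(set(data) ^ EXPECTED_FIELDS)}")
    order_id, sku = data["order_id"], data["sku"]
    quantity, notes = data["quantity"], data["notes"]
    if not isinstance(order_id, str) or not ORDER_ID_RE.fullmatch(order_id):
        raise ValidationError("order_id has wrong type or format")
    if not isinstance(sku, str) or not SKU_RE.fullmatch(sku):
        raise ValidationError("sku has wrong type or format")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if (isinstance(quantity, bool) or not isinstance(quantity, int)
            or not 1 <= quantity <= MAX_QUANTITY):
        raise ValidationError("quantity must be an integer in range")
    if (not isinstance(notes, str) or len(notes) > MAX_NOTES_LEN
            or not notes.isprintable()):
        raise ValidationError("notes must be printable text within the limit")
    return Order(order_id, sku, quantity, notes)


def is_valid_order(raw: str) -> bool:
    """Convenience wrapper: True if the strict parser accepts the message."""
    try:
        parse_order_strict(raw)
        return True
    except ValidationError:
        return False


# Constructed sample messages.
GOOD = ('{"order_id": "ORD-000123", "sku": "SHOE-42-BLK", '
        '"quantity": 2, "notes": "gift wrap"}')
BAD_TYPE = ('{"order_id": "ORD-000123", "sku": "SHOE-42-BLK", '
            '"quantity": "2", "notes": ""}')          # quantity is a string
EXTRA_FIELD = ('{"order_id": "ORD-000123", "sku": "SHOE-42-BLK", '
               '"quantity": 2, "notes": "", "discount": 100}')  # unknown field
BOOL_QTY = ('{"order_id": "ORD-000123", "sku": "A-1", '
            '"quantity": true, "notes": ""}')          # bool masquerading as int

if __name__ == "__main__":
    print("loose handler passes through:", parse_order_loose(BAD_TYPE)["quantity"])
    print("strict handler accepts:", parse_order_strict(GOOD))
    for sample in (BAD_TYPE, EXTRA_FIELD, BOOL_QTY):
        print("strict handler accepts:", is_valid_order(sample))
```

The strict parser rejects anything it does not explicitly expect, including extra fields; the consumer downstream therefore never has to guess how to interpret a value, which is the interpretation burden the list item warns against.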
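The third-party component item above asks for vulnerability lists to be monitored so priority patches can be identified. As an added example that is not part of the original article, the script below triages a pinned dependency manifest against an advisory list and orders the affected components by severity. The package names, versions, version ranges and severities are constructed for the example and are not real advisories.

```python
"""Added example (not from the article): rank the patches a dependency
manifest needs, using a list of advisories with affected version ranges.

The manifest and advisory entries are constructed; the package names and
versions are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: tuple  # first affected version, inclusive
    fixed: tuple       # first fixed version, exclusive
    severity: str      # "critical", "high", "medium" or "low"


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(text: str) -> tuple:
    """'2.3.1' -> (2, 3, 1); tuples compare component-wise, which is what we want."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text: str) -> dict:
    """Parse 'name==version' lines (requirements.txt style).
    Blank lines and comments are ignored; an unpinned entry is an error,
    because a floating version cannot be assessed against an advisory."""
    pinned = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency, cannot assess: {line}")
        name, version = line.split("==", 1)
        pinned[name.strip().lower()] = parse_version(version)
    return pinned


def is_affected(version: tuple, adv: Advisory) -> bool:
    return adv.introduced <= version < adv.fixed


def prioritise_patches(pinned: dict, advisories: list) -> list:
    """Return (package, current, fixed, severity) tuples, most urgent first."""
    hits = []
    for adv in advisories:
        current = pinned.get(adv.package.lower())
        if current is not None and is_affected(current, adv):
            hits.append((adv.package, current, adv.fixed, adv.severity))
    hits.sort(key=lambda hit: (SEVERITY_RANK[hit[3]], hit[0]))
    return hits


# Constructed manifest for a hypothetical storefront.
MANIFEST = """
# third-party components (constructed)
cart-widget==2.3.1
payment-sdk==1.9.0
image-resizer==0.8.5
"""

# Constructed advisory feed; none of these correspond to real advisories.
ADVISORIES = [
    Advisory("cart-widget", (2, 0, 0), (2, 3, 2), "high"),
    Advisory("payment-sdk", (1, 0, 0), (1, 8, 0), "critical"),  # already fixed
    Advisory("image-resizer", (0, 0, 0), (0, 9, 0), "medium"),
    Advisory("search-index", (3, 0, 0), (3, 1, 0), "critical"),  # not in use
]

if __name__ == "__main__":
    for package, current, fixed, severity in prioritise_patches(
            parse_manifest(MANIFEST), ADVISORIES):
        cur = ".".join(map(str, current))
        fix = ".".join(map(str, fixed))
        print(f"{severity:8} {package}: {cur} -> upgrade to {fix} or later")
```

The point of the exercise is the process the list item calls for: every third-party component is pinned, every pin is checked against a feed, and the output is an ordered worklist rather than a vague sense that "something may need patching".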
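The streaming-service anecdote in the last item is a fail-open check: a token that is present is verified properly, but a request with no token is waved through. As an added example that is not part of the original article, the code below shows that flawed check beside its fail-closed form. The token format (subject, a dot, and an HMAC-SHA256 over the subject), the signing key and the header name are constructed for the example; a real deployment would use its own token scheme and a key from a secret store.

```python
"""Added example (not from the article): fail-open versus fail-closed
authentication on a remotely accessible endpoint.

Constructed token scheme: "<subject>.<hex HMAC-SHA256(subject)>".
The key below exists only for the example."""
import hashlib
import hmac

SIGNING_KEY = b"constructed-example-key-not-for-real-use"


def issue_token(subject: str) -> str:
    """Mint a token for a caller (e.g. a partner integration)."""
    mac = hmac.new(SIGNING_KEY, subject.encode(), hashlib.sha256).hexdigest()
    return f"{subject}.{mac}"


def verify_token(token: str):
    """Return the subject if the token's MAC checks out, otherwise None."""
    subject, sep, mac = token.rpartition(".")
    if not sep or not subject:
        return None
    expected = hmac.new(SIGNING_KEY, subject.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged MAC cannot be guessed byte by byte.
    return subject if hmac.compare_digest(mac, expected) else None


def authorise_fail_open(headers: dict) -> dict:
    """Mirrors the streaming-service flaw: a present token is checked
    rigorously, but an absent token skips the check entirely."""
    token = headers.get("Authorization")
    if token is None:
        return {"allowed": True, "subject": "anonymous"}   # the bug: fail open
    subject = verify_token(token)
    return {"allowed": subject is not None, "subject": subject}


def authorise_fail_closed(headers: dict) -> dict:
    """Hardened form: a missing or empty token is treated exactly like a
    bad token, so the only way in is a token that verifies."""
    token = headers.get("Authorization")
    subject = verify_token(token) if token else None
    return {"allowed": subject is not None, "subject": subject}


if __name__ == "__main__":
    # Constructed requests: a genuine partner, a forgery, and no token at all.
    genuine = {"Authorization": issue_token("partner-api")}
    forged = {"Authorization": "partner-api.0000"}
    missing = {}
    for name, req in (("genuine", genuine), ("forged", forged), ("missing", missing)):
        print(f"{name:8} fail-open={authorise_fail_open(req)['allowed']} "
              f"fail-closed={authorise_fail_closed(req)['allowed']}")
```

Both checks reject a forged token; only the fail-closed version rejects the request that carries no token. In a review or an integration test, the "no credential at all" case deserves its own assertion, because it is precisely the case a rigorous-looking verifier can omit.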
Maintaining a good IT security posture is an ongoing task that requires continual action and review. A modern IT security team of cyber-security experts will consist of threat hunters and data analysts who predict how the most valuable data could be stolen and constantly look for signs that an intruder has gained access. These cyber-security skills are harder to find and harder to retain than traditional IT roles. So, unless retailers are in the desirable position of being able to run a fully comprehensive cyber-security operation, with all the tools, technologies, threat intelligence and people that can keep customers and their data safe, they should focus on their business value and apply a ‘buy not build’ approach where possible, allowing security employees to focus on maturity and improvement programmes.