The retail industry has traditionally been seen as a happy hunting ground for hackers and other cyber attackers. Card-present transactions at the POS and card-not-present transactions made online are both prone to fraud. A sword of responsibility therefore hangs over retailers' heads: they must protect their customers' information and safeguard those customers from being defrauded.
Cyber risks associated with retail
The retail industry is acutely exposed to cyber attacks because of three main trends:
1. The vulnerability of the Internet of Things – Retailers are among the biggest adopters of IoT and cloud technologies, with devices such as RFID trackers for merchandise, in-store sensors and IP cameras gaining prominence. Many of these devices ship with default credentials and receive few firmware updates, which makes them easy to compromise. The real danger comes when compromised devices turn into bots operating under the control of malware and are used to generate a massive volume of traffic against specific websites, which quickly brings them down. This is a Distributed Denial of Service (DDoS) attack, and one that retailers rightly fear. Compromised POS terminals are more severe still: they lead directly to the theft of customer card data and other personal information.
2. The omnichannel exposure – Retailers are early and enthusiastic adopters of the digital, omnichannel paradigm. Customers are given access through multiple channels (web, mobile apps, in-store systems, call centres), but every additional channel is additional attack surface, and that makes the whole estate harder to monitor from a security perspective.
3. The rise of malware as a service – Malware, and ransomware in particular, is now readily available for purchase or rent on dark-web marketplaces. Even relative newcomers, armed only with criminal intent, can avail themselves of these services and launch an attack. This raises the sheer number of possible attackers, and with it the need for retailers to tighten up on the security front.
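The botnet scenario in point 1 is something a retailer can watch for from its own side of the network: a compromised RFID reader or camera that has been turned into a DDoS bot shows up as a device on the store LAN suddenly sending a flood of packets to a single external host. The following is an added example (not part of the original article and not Seqrite code) of that egress check run over a handful of constructed flow records. It assumes flows exported by the store's edge router have already been parsed into dicts with `src`, `dst`, `dport`, `packets` and `ts` (epoch seconds); the LAN prefix, the 60-second window and the packet threshold are illustrative assumptions.

```python
"""
Spotting in-store IoT devices that may have been conscripted into a DDoS
botnet, by aggregating egress traffic per device and external destination.

Added example, not part of the original article and not Seqrite code.
Assumptions: flow records from the edge router are already parsed into
dicts (src, dst, dport, packets, ts); LAN prefix, window and threshold
are illustrative values.
"""
from collections import defaultdict

INTERNAL_PREFIX = "10.20."   # assumed store LAN range
WINDOW_SECONDS = 60          # aggregation window
PACKET_THRESHOLD = 5000      # assumed: far above a reader's or camera's normal rate

# Constructed sample flows: an RFID reader talking to its inventory service
# (normal) and an IP camera blasting one external host (suspicious).
SAMPLE_FLOWS = [
    {"src": "10.20.1.15", "dst": "203.0.113.7",  "dport": 443, "packets": 120,   "ts": 1000},
    {"src": "10.20.1.15", "dst": "203.0.113.7",  "dport": 443, "packets": 130,   "ts": 1020},
    {"src": "10.20.1.42", "dst": "198.51.100.9", "dport": 80,  "packets": 4000,  "ts": 1000},
    {"src": "10.20.1.42", "dst": "198.51.100.9", "dport": 80,  "packets": 3500,  "ts": 1010},
    # LAN-internal traffic: ignored by the egress check
    {"src": "10.20.1.42", "dst": "10.20.1.1",    "dport": 53,  "packets": 90000, "ts": 1005},
    # inbound traffic: ignored by the egress check
    {"src": "203.0.113.7", "dst": "10.20.1.15",  "dport": 51000, "packets": 8000, "ts": 1000},
]


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def aggregate_egress(flows, window=WINDOW_SECONDS):
    """Sum packets per (src, dst, window bucket) for LAN -> Internet traffic only."""
    buckets = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            bucket = f["ts"] // window
            buckets[(f["src"], f["dst"], bucket)] += f["packets"]
    return buckets


def find_suspects(flows, threshold=PACKET_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: [(dst, packets, bucket), ...]} for devices whose traffic to a
    single external destination within one window exceeds the threshold."""
    suspects = defaultdict(list)
    for (src, dst, bucket), packets in sorted(aggregate_egress(flows, window).items()):
        if packets > threshold:
            suspects[src].append((dst, packets, bucket))
    return dict(suspects)


if __name__ == "__main__":
    for src, hits in find_suspects(SAMPLE_FLOWS).items():
        for dst, packets, bucket in hits:
            print(f"ALERT {src} -> {dst}: {packets} packets in window {bucket}")
```

In the sample data the camera's two flows fall into the same 60-second window and add up to 7500 packets, so it is flagged, while the RFID reader's modest traffic is not. In a real deployment the fixed threshold would be replaced by a per-device baseline (an RFID reader and a camera have very different normal rates), and an alert would feed a firewall rule that cuts the device off from the Internet until it is re-imaged.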
Are retailers doing enough?
The impact of a security breach on a retail business is two-fold: first, the immediate cost of investigating, repairing and recovering from the breach; and second, the long-term cost of customer churn and lost confidence. Retailers find themselves in a more sensitive spot with respect to cyber attack than most other industries.
The general perception is that retailers are not doing enough to protect their customers' information. Many companies do not check their security compliance even once a week, and antivirus tools, intrusion detection systems and other basic controls are not fully deployed in many retail organisations. This suggests that retailers are only marginally aware of how hard it is to protect themselves and have not yet moved into the 'war' mode that cyber security presently demands.
Measures to protect retailers’ systems and networks
While there is a whole lot that retailers must do to protect their systems and their customers’ information, the two broad areas that require rigorous implementation are:
1. PCI DSS compliance – PCI DSS stands for Payment Card Industry Data Security Standard. Being PCI DSS compliant means that a standard set of security controls (network segmentation, access control, protection of stored cardholder data, logging and monitoring, and regular testing) is applied across every system of the retailer that stores, processes or transmits cardholder data. Compliance is a baseline, not a guarantee: it sets the floor below which a retailer should never fall.
Tokenization is a widely used technique for shrinking that PCI DSS scope. The primary account number (PAN) is replaced with a random token generated by a token server, and only that server's vault, which sits in a separately secured environment, keeps the mapping from token to PAN. Even if an attack penetrates the retailer's other systems, all it finds is a meaningless token. Two caveats apply: the token must be generated randomly, not derived from the PAN by a reversible transformation; and the vault itself becomes the crown jewel and must be protected accordingly. PCI DSS does not mandate tokenization, but the PCI Security Standards Council publishes guidance on it precisely because systems that hold only tokens can be taken out of scope.
PCI DSS also enforces minimal data exposure: employees may access cardholder data only on a strict need-to-know basis, the PAN is masked wherever it is displayed, sensitive authentication data such as the CVV and full magnetic-stripe contents must never be stored after authorisation, and whatever cardholder data is stored is kept to the bare minimum, for the bare minimum time.
2. Employing security tools and techniques – Cyber attacks are the most serious threat to the confidentiality of customer information, and retailers must deploy layered security controls to protect their networks and systems. Firewalls and IDS protect the network perimeter; network segmentation keeps the POS network apart from guest Wi-Fi, IoT devices and back-office systems so that one compromised device cannot reach card data; and endpoint protection tools such as Seqrite's Endpoint Security protect the end devices, whether computers, phones or even IoT devices, from malware infection.
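To make the tokenization and minimal-exposure points in item 1 concrete, here is an added example of a minimal token vault (not part of the original article, not Seqrite code and not a PCI DSS reference implementation). It assumes a single in-process dictionary standing in for a separately secured vault, a token format that keeps only the last four digits of the PAN and fills the rest with random digits from a CSPRNG, and a made-up role name `payment-gateway` as the only role permitted to recover a PAN. The well-known Visa test number 4111111111111111 is used as sample input.

```python
"""
A minimal token vault: the PAN is swapped for a random token, only the vault
keeps the mapping, tokens are guaranteed not to be valid card numbers, and
de-tokenization is limited to the roles that genuinely need the PAN.

Added example, not part of the original article, not Seqrite code and not a
PCI DSS reference implementation. The role name, the in-memory dictionary
standing in for a separately secured vault, and the token format are
assumptions made for illustration.
"""
import secrets
import string

DETOKENIZE_ROLES = {"payment-gateway"}   # assumed: the only role allowed to see a PAN


def luhn_valid(number):
    """Standard Luhn check. Used both to validate input PANs and to make sure a
    generated token is NOT a valid card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form for receipts and screens: only the last four digits are shown."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}   # a returning card maps to the same token

    def tokenize(self, pan):
        """Replace a PAN with a random token; the vault alone remembers the mapping."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random prefix from a CSPRNG; the last four digits are kept so
            # receipts and customer service can still refer to the card.
            prefix = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # Reject tokens that are themselves Luhn-valid or already issued, so
            # a leaked token can never be mistaken for, or used as, a real PAN.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token, role):
        """Return the PAN for a token, but only for an authorised role."""
        if role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {role!r} may not de-tokenize")
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"          # well-known test card number
    token = vault.tokenize(pan)
    print("token stored in the order system:", token)
    print("shown on the receipt:            ", mask_pan(pan))
    print("recovered by the gateway:        ", vault.detokenize(token, role="payment-gateway"))
    try:
        vault.detokenize(token, role="cashier")
    except PermissionError as exc:
        print("cashier blocked:", exc)
```

Everything outside the vault, from the order database to the analytics warehouse, sees only the token, which is why those systems can drop out of PCI DSS scope. A production vault would additionally encrypt the stored PANs at rest, log every de-tokenization, and run on its own segmented network; the example keeps the dictionary in clear only to keep the mechanism visible.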
The retail industry is in a particularly vulnerable spot today. Retailers need to stay competitive by offering online, omnichannel customer access while facing a growing population of attackers who threaten to steal their customers' sensitive information and bring down their business. Retailers must raise their level of security awareness and invest in a multi-pronged security strategy to protect both their business and their customers' information. They can achieve this through a combination of standards compliance and the implementation of rigorous security policies, practices and tools.