While the volume of cyberattacks is rising across the board (one estimate puts attacks up 100 percent since 2015), retail is particularly at risk, and the numbers bear that out.
One study found that retailers respond to cyberattacks on average twice a week, with an astonishing 16 percent experiencing attempted attacks daily.
These numbers can skyrocket during peak retail times, such as the holiday season. Last year’s fourth quarter saw an unprecedented level of attacks on e-commerce, with almost 193 million rejected transactions, representing a 92 percent increase over the previous quarter and a 173 percent increase over the previous year.
And those are just the attempts. According to one retail cybersecurity researcher, around 50 to 200 new stores are successfully hacked per day.
Why is retail such an attractive target? One reason is that retailers handle vast amounts of personal information, particularly credit and debit card data. Another is that retail faces fewer sector-specific regulatory mandates than industries such as healthcare or financial services; PCI DSS applies to card data, but as a contractual industry standard rather than a law. In addition, retailers tend to run aging IT infrastructure and are often slower to patch software vulnerabilities.
Let’s take a close look at the security challenges that retail is facing and what retailers can do to address them.
Weak or Stolen Passwords
First of all, retailers, like other businesses, struggle with password-related issues. After all, passwords are considered one of the weakest links in a company’s security armor.
According to Verizon’s Data Breach Investigations Report (DBIR), 83 percent of hacking-related data breaches last year were the result of weak, default, or stolen passwords. And in 2016 alone, more than three billion credentials were stolen.
Unfortunately, many organizations still use dated password policies. Contrary to common perception, simply tightening complexity and rotation rules does not increase security; it mostly pushes users toward predictable patterns (a capital letter first, a digit and a symbol last) and toward reusing passwords across sites.
In fact, NIST's latest Digital Identity Guidelines (SP 800-63B) no longer recommend composition rules (required mixes of upper case, digits and symbols), mandatory periodic password changes, or password hints. They instead call for accepting long passphrases (verifiers should allow at least 64 characters), screening new passwords against lists of known-breached and commonly used values, rate limiting failed attempts, and forcing a change only when there is evidence that a password has been compromised.
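The following is an added example, not code from the original article: a typical legacy "complexity" policy beside a check written to the SP 800-63B recommendations above, so the difference in what each accepts is visible. The breached-password set is a constructed stand-in for a real corpus (production deployments screen against a large list, for example through a k-anonymity lookup), and the sequential-character heuristic is a simplified illustration of the guideline's "repetitive or sequential" rule.

```python
"""Legacy complexity policy versus a NIST SP 800-63B-style memorized-secret check.
Added example; BREACHED is a constructed sample, not a real breach corpus."""
import re
import unicodedata
from typing import Tuple

# Constructed sample of a breached/common-password list (real lists hold millions).
BREACHED = {"password", "p@ssw0rd1!", "summer2017!", "welcome1", "qwerty123"}


def legacy_policy(pw: str) -> bool:
    """Dated rules: 8-16 characters, upper + lower + digit + symbol, no spaces.
    Accepts 'P@ssw0rd1!' (in every cracking dictionary) and rejects long passphrases."""
    return (8 <= len(pw) <= 16
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None
            and " " not in pw)


def _is_sequential(pw: str) -> bool:
    """Simplified check for runs such as 'abcdefgh' or '12345678'."""
    steps = [ord(b) - ord(a) for a, b in zip(pw, pw[1:])]
    return len(steps) >= 7 and (all(s == 1 for s in steps) or all(s == -1 for s in steps))


def nist_policy(pw: str, username: str = "") -> Tuple[bool, str]:
    """SP 800-63B style: minimum length, generous maximum, breach screening,
    no context words, no repetitive/sequential strings, no composition rules,
    and (not shown here) no scheduled expiry."""
    pw = unicodedata.normalize("NFKC", pw)   # 800-63B asks verifiers to normalize Unicode
    if len(pw) < 8:
        return False, "too short (minimum 8 characters)"
    if len(pw) > 128:                        # must allow at least 64; cap only to bound hashing cost
        return False, "too long (limit 128 characters)"
    if pw.lower() in BREACHED:
        return False, "appears in a breach corpus"
    if username and username.lower() in pw.lower():
        return False, "contains the username"
    if len(set(pw)) == 1 or _is_sequential(pw):
        return False, "repetitive or sequential characters"
    return True, "ok"


def compare(pw: str, username: str = "") -> dict:
    """Return both verdicts side by side for one candidate password."""
    ok, reason = nist_policy(pw, username)
    return {"legacy": legacy_policy(pw), "nist": ok, "nist_reason": reason}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "correct horse battery staple", "aaaaaaaa", "alice-rocks-2024"):
        print(f"{candidate!r}: {compare(candidate, 'alice')}")
```

Run as written, the legacy policy accepts "P@ssw0rd1!" and rejects the 28-character passphrase; the NIST-style check does the opposite, because it is the breach corpus and length, not the character classes, that determine guessing resistance.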
Phishing Schemes and Human Error
Even the most up-to-date password policy is unlikely to protect your organization against today's advanced threats, because most successful attacks simply trick users into handing over their passwords through phishing and other social engineering schemes. The DBIR found that 43 percent of breaches involved social engineering tactics.
Awareness training plays a huge role in educating and reminding users to be wary of phishing emails and malicious activity, but human error is still a reality. Even the most security-conscious person in the world is prone to momentary lapses in judgement and will likely click on at least one malicious link in their lifetime.
Third-Party Supplier Vulnerabilities
When a company grants access to a third-party supplier, its effective security drops to that of the supplier: the supplier's credentials, endpoints and practices become part of the company's attack surface. As the saying goes, you are only as strong as your weakest link. Organizations must consider the vulnerabilities of their third-party suppliers, which have been the entry point for many of the largest breaches.
For example, the 2013 Target breach, in which 41 million payment cards were stolen, was traced back to credentials stolen from an HVAC contractor. Target’s total breach expenses amounted to $162 million in 2013 and 2014.
The Home Depot breach the following year resulted in the theft of 56 million payment cards. That breach was also traced to stolen credentials from a third-party vendor. The breach cost the retailer close to $45 million in settlements and $134.5 million in compensation to credit card consortiums.
There are a number of reasons why third-party vendors, particularly small businesses, are targeted by cybercriminals. They may not have adequate cybersecurity infrastructure or security controls in place, and they are often behind on patching vulnerabilities. A recent study by the Ponemon Institute found that three-quarters of small businesses operate without sufficient IT personnel, and only about two-thirds have a designated person responsible for IT.
Furthermore, for many third-party vendors who deal with hundreds or even thousands of client access points and policies, ease of access, not security, is the priority. For convenience, vendors may standardize on a single remote access tool per client network and may even share generic credentials among their employees. If unsecured, this access creep snowballs quickly, leaving a retail organization with little visibility into which vendor accounts exist, who uses them, and what they can reach.
Cybercriminals are all too aware of this fact, and they often use spear-phishing techniques to obtain vendor credentials and access to a target company’s network. Once an attacker steals these credentials, they can enter the retailer’s network and look for ways to escalate their privileges, gain additional access points, and move across systems in order to reach valuable assets, like payment card data.
Solution: Robust IAM and MFA
One way to secure your network against cyber attackers who target your supply chain is to implement a robust identity and access management (IAM) solution with advanced multi-factor authentication (MFA).
With a robust IAM system in place, you can manage distinct identity lifecycles for all users, including vendors, partners, and contractors, regardless of whether they exist in your HR system. Onboarding, offboarding, provisioning, and deprovisioning can all be automated, thus reducing the risk of human error and providing better visibility into and control of third-party accounts.
The right IAM platform enables organizations to employ strong access management capabilities to track, audit, record, and monitor all access requests, approvals, revocations, and certifications for both internal and external users and privileged accounts.
Less is more when it comes to third-party access. Provide users with only the access they absolutely need to do their jobs at any time. Modern IAM makes this possible by allowing your organization to implement least privilege access for all users in order to reduce your attack surface and, therefore, the amount of damage an attacker can do in the event of a breach.
As a retail organization, you are likely already familiar with MFA: to comply with PCI DSS, organizations that handle credit and debit card data must implement MFA for all non-console administrative access into the cardholder data environment and for all remote network access originating from outside the organization's network (PCI DSS v4.0 broadens this to all access into the cardholder data environment). However, to truly protect against today's sophisticated attacks, we recommend implementing advanced MFA on all privileged accounts, business-critical systems, and third-party access entry points.
Advanced MFA allows an organization to add layers of protection that overcome many of the shortcomings of passwords by augmenting or entirely replacing them. With MFA in place, even if a user makes a mistake and has their password stolen through a phishing attack, the attacker still cannot gain access without the second and/or third authentication factor. Not all second factors are equal, though: one-time codes delivered by SMS or an authenticator app can still be relayed by a real-time phishing proxy, so for privileged and third-party access prefer phishing-resistant factors such as FIDO2/WebAuthn security keys, which bind the authentication to the legitimate origin.
Advanced MFA also enables risk-based authentication, which presents users with authentication options appropriate for their individual risk levels. This adds security where needed, without unnecessarily burdening users.
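To make the preceding recommendations concrete, here is an added example (not the article's or any IAM vendor's code) of a single access-decision routine that combines the four controls described above: identity lifecycle state (including a mandatory end date for third parties), least-privilege role checks, an MFA requirement for privileged, cardholder-environment, remote and third-party access, and a risk-based step-up that demands a phishing-resistant factor when the session looks unusual. All identities, resources and session attributes are constructed, and the risk score is a deliberately simple stand-in for the behavioural signals a real platform would use.

```python
"""Access decision combining lifecycle, least privilege, MFA and risk-based step-up.
Added example; every identity, resource and session below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Identity:
    user: str
    kind: str                        # "employee" or "third_party"
    roles: FrozenSet[str]            # explicitly granted roles only (least privilege)
    active: bool = True              # False once offboarded/deprovisioned
    access_ends: Optional[date] = None   # required for third parties (time-bound access)


@dataclass
class Resource:
    name: str
    required_role: str
    in_cde: bool = False             # inside the cardholder data environment
    admin: bool = False              # administrative (privileged) access


@dataclass
class Session:
    factors: FrozenSet[str]          # e.g. {"password"}, {"password", "totp"}, {"password", "webauthn"}
    remote: bool                     # originates outside the corporate network
    known_device: bool
    geo_matches_history: bool


PHISHING_RESISTANT = {"webauthn", "smartcard"}


def risk_score(s: Session) -> int:
    """Crude risk signal: unfamiliar device and location weigh most, remote origin a little."""
    return (0 if s.known_device else 2) + (0 if s.geo_matches_history else 2) + (1 if s.remote else 0)


def decide(ident: Identity, res: Resource, sess: Session, today: date) -> Tuple[str, str]:
    """Return ("allow" | "step_up" | "deny", reason)."""
    # 1. Lifecycle: deprovisioned accounts and third parties without a valid end date are denied.
    if not ident.active:
        return "deny", "account deprovisioned"
    if ident.kind == "third_party" and (ident.access_ends is None or today > ident.access_ends):
        return "deny", "third-party access has no end date or has expired"
    # 2. Least privilege: the role must be explicitly granted, so stolen vendor
    #    credentials cannot reach resources the vendor was never given.
    if res.required_role not in ident.roles:
        return "deny", f"role '{res.required_role}' not granted to {ident.user}"
    # 3. MFA: PCI DSS requires it for non-console admin and remote access into the CDE;
    #    the article extends it to all privileged and third-party entry points.
    has_second_factor = bool(sess.factors - {"password"})
    needs_mfa = res.admin or res.in_cde or sess.remote or ident.kind == "third_party"
    if needs_mfa and not has_second_factor:
        return "step_up", "second factor required"
    # 4. Risk-based: a risky session touching the CDE must use a phishing-resistant factor,
    #    because relayable one-time codes do not stop a real-time phishing proxy.
    if res.in_cde and risk_score(sess) >= 3 and not (sess.factors & PHISHING_RESISTANT):
        return "step_up", "phishing-resistant factor required for high-risk session"
    return "allow", "ok"


def expired_third_parties(identities: List[Identity], today: date) -> List[str]:
    """Offboarding sweep: third-party accounts still active past their end date."""
    return [i.user for i in identities
            if i.kind == "third_party" and i.active
            and (i.access_ends is None or today > i.access_ends)]


# Constructed sample data: an HVAC vendor with a building-management role only,
# and an employee who administers point-of-sale systems inside the CDE.
VENDOR = Identity("hvac-vendor", "third_party", frozenset({"bms"}), access_ends=date(2024, 12, 31))
ADMIN = Identity("alice", "employee", frozenset({"pos_admin"}))
BMS = Resource("building-mgmt", "bms")
POS = Resource("pos-admin-console", "pos_admin", in_cde=True, admin=True)

PW_ONLY = Session(frozenset({"password"}), remote=True, known_device=True, geo_matches_history=True)
TOTP_UNKNOWN = Session(frozenset({"password", "totp"}), remote=True, known_device=False, geo_matches_history=False)
KEY_UNKNOWN = Session(frozenset({"password", "webauthn"}), remote=True, known_device=False, geo_matches_history=False)
TOTP_ONPREM = Session(frozenset({"password", "totp"}), remote=False, known_device=True, geo_matches_history=True)

if __name__ == "__main__":
    print(decide(VENDOR, BMS, PW_ONLY, date(2024, 6, 1)))        # step_up: vendor needs MFA
    print(decide(VENDOR, POS, KEY_UNKNOWN, date(2024, 6, 1)))    # deny: role never granted
    print(decide(VENDOR, BMS, KEY_UNKNOWN, date(2025, 1, 15)))   # deny: contract expired
    print(decide(ADMIN, POS, TOTP_UNKNOWN, date(2024, 6, 1)))    # step_up: risky session, TOTP only
    print(decide(ADMIN, POS, KEY_UNKNOWN, date(2024, 6, 1)))     # allow: phishing-resistant key
    print(decide(ADMIN, POS, TOTP_ONPREM, date(2024, 6, 1)))     # allow: low-risk, MFA present
    print(expired_third_parties([VENDOR, ADMIN], date(2025, 1, 15)))  # ['hvac-vendor']
```

The order of the checks matters: lifecycle and role checks run before any authentication strength is considered, so an expired or over-scoped vendor account is refused regardless of how well it authenticates, which is exactly the failure the Target and Home Depot incidents illustrate. The `expired_third_parties` sweep is the kind of report an IAM platform should run automatically so that contractor accounts do not outlive their contracts.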
There is no doubt that retail attacks are on the rise. And while many breaches can be traced back to password weaknesses and human error, all too often these attacks exploit vulnerabilities in your supply chain. The solution is a comprehensive security program that includes robust IAM and advanced MFA.