Time and time again, retailers prove to be a popular (and easy) target for hackers. The tangible and intangible costs for an e-commerce site that’s been breached can escalate quickly. In this post, we'll explore the issue, and outline some solutions.
Earlier this year, Fast Retailing, Asia’s largest retailer, acknowledged hackers likely gained access to the personal information of nearly half a million customers. The breach occurred after an unauthorized login on the company’s e-commerce site.
When data breaches like this occur, not only are the customers and their personal information at risk, but also the e-commerce site itself. That’s because breaches can create huge spikes in bot traffic on login screens as hackers cycle through stolen passwords. Site performance for legitimate customers will likely suffer, and the hackers may change user names and passwords, so some customers won’t be able to log in at all.
The tangible and intangible costs for an e-commerce site that’s been breached begin to escalate quickly. There’s the cost to quarantine and mitigate the breach. Then there’s the immediate lost revenue from customers that can’t use the site. And the public relations nightmare that will ensue is sure to drive off many customers for good. Any long-term loyalty that’s been established has likely gone out the door.
Difficult to Keep Up with Regulations and Sophisticated Attacks
The proof of just how successful cybercriminals are at stealing information from retailers exists on the dark web—where large quantities of payment card data go on sale every day. But just what makes the retail industry such an enticing target?
It begins with the fact that the overwhelming majority of retailers do not comply with the PCI Data Security Standard (PCI-DSS) established by the payment card industry and leading banks in the U.S. Analysis by SecurityScorecard in 2018 found that about 91 percent of retailers do not comply with the standard.
A retailer can have a strong security posture without achieving compliance. But given that compliance with PCI-DSS can be a competitive differentiator, the majority of that 91% likely feel that their security posture won’t measure up to the compliance requirements. They are also probably having trouble keeping up with cybercriminals, whose attacks are constantly getting more sophisticated.
E-commerce and brick-and-mortar retail stores are also inviting to cybercriminals because they process a massive number of financial transactions and store large quantities of customer payment card data. Retailers that operate stores also have many endpoints connected to the Internet that can be hacked. Throw in the large staffs and high turnover rates that most retailers have to deal with, and it’s also easy for employee accounts to be compromised through phishing campaigns and malware.
What Can Retailers Do?
It’s critical to start with a holistic inventory and risk assessment of your applications so you and your IT partners can make well-informed decisions about the security measures you need to deploy. Afterward, continuous security monitoring is vital to ensure you can address any new security threats that emerge.
Cybercriminals know small retailers don’t often have the resources to thwart hacks. And it’s difficult for a retailer of any size to focus on IT security—it’s not part of their core expertise. That’s one of the reasons why any size retailer should consider storing customer data in the cloud.
Reputable cloud platform hosting providers use the latest security technologies and constantly stay up to date with evolving cyber-threat tactics. They are much more prepared to protect data than a retail business—the viability of their business depends on security.
Also, train all of your employees to be aware of the sensitive data they handle and how their actions can easily open the door to that data. Make sure they use systems and applications that automatically encrypt sensitive data. Employees should also use strong passwords that do not match their personal passwords and be able to recognize threats such as phishing attacks, so they don’t accidentally click on malicious links.
Limiting access to websites employees don’t need to visit during work hours will also minimize possible access by a hacker. Another key protocol to enforce is to never leave laptops, tablets, other hand-held devices, and portable storage devices unattended. It’s sort of like never leaving your luggage unattended at the airport. You just never know who might attempt to steal it or inject something harmful.
PCI-DSS Compliance: A Good Place to Start
Going through the PCI-DSS compliance process is a good place to start in terms of providing a baseline to assess your security posture. Even if you don’t pass, you can determine what you need to do in order to strengthen your security posture. A helpful primer is our blog, PCI DSS Compliance 101: What You Need To Know.
As you go through the process, you will likely need to deploy security tools that help you maintain compliance on a day-to-day basis. Many IT teams keep MOVEit from Ipswitch in their toolbox to assure secure file transfers. You can download this whitepaper to learn how MOVEit helps you implement the seven key security controls required of file transfer operations in order to assure compliance with PCI-DSS.
Taking the steps to achieve compliance and improve your security posture is critical. In addition to protecting customer information, it’s also important for retailers to protect their own corporate information as well as the sensitive information of employees. The damage that can be done in those areas can be just as devastating as when customer information is breached.
Jeff Edwards
Jeff Edwards is a tech writer and analyst with three years of experience covering Information Security and IT. Jeff has written on all things cybersecurity, from APTs to zero-days, and previously worked as a reporter covering Boston City Hall.