The retail and consumer products industry faces a growing number of sophisticated cyber-attacks from nation-state actors, criminal attack groups, and politically and socially motivated hackers, who often plan, coordinate and carry out their attacks in an integrated manner at a national, multi-national or global level.
Supply chain cyber-attacks, where malicious actors breach third-party service providers to execute attacks on companies utilizing that service, are becoming more frequent across nearly all industries, including retail. The supply chain attack vector became prominent in 2018, and that trend is continuing in 2019.
Unfortunately, a new report by BDO Cyber Threat Intelligence*, says the global retail industry has not made sufficient investments in their cybersecurity policies, plans, procedures, and methods of defense, especially with their respective supply chain partners. As a result, the average cost of a cyber data breach in the retail industry continues to climb every year and so does the average cost of cyber liability insurance coverage. Further, more and more companies are facing major lawsuits from their own shareholders, consumer protection groups, and federal and/or state government agencies for their negligence in providing an adequate information security program for their organization, often resulting in significant financial losses and negative impacts to their brand’s reputation.
In the past decade, the retail industry has undergone major shifts worldwide due to the rise of the internet. As a result, the burgeoning e-commerce industry has significantly impacted the “classic retail” as enormous digital platforms like Amazon, eBay, AliExpress and TaoBao significantly accelerate the pace of digital transformation. This increased reliance on the internet has also opened the door to ample vulnerabilities for cybercriminals. The BDO report includes several examples of high profile retailers that have been subject to attack.
Data breaches multiply
Financial information—especially credit card numbers—is considered a highly lucrative reward of a successful cyberattack because it can be quickly monetized (i.e., turned into cash or a cash equivalent), and it is therefore traded continuously on the Darknet. Consequently, prices for this kind of information have seen a relatively big spike. Globally, this has become an even bigger issue, because many breaches tend to be discovered in the very late stages of cyberattacks—and, in many cases, only after large amounts of data have already been stolen. According to research from IBM and the Ponemon Institute in 2018, breached organizations took an average of 196 days to detect the breach. Furthermore, between 2017 and 2018, the breach rate in the retail sector multiplied by 2.5, as 26 percent of companies reported being breached more than once.
Britain’s Information Commissioner’s Office (ICO) reported in Q1 2018 a total of 957 incidents affecting the retail sector in the U.K., which represents a 17 percent increase over the numbers reported back in Q3 2017. As a result, governments became stricter about enforcing data security regulations, which meant harsher requirements and heavy fines to those who failed to comply. For example, in early 2018, the U.K. mobile retail firm Carphone Warehouse was fined £400,000 because of a data breach that occurred back in 2015 and compromised the personal data of about 10 million customers. To date, this is one of the largest fines ever issued by the ICO.
In 2004, the Payment Card Industry (PCI) created the Data Security Standard (DSS) to increase security controls around credit card information and reduce credit card fraud incidents, but almost 15 years later, many retailers still are not PCI-compliant. The report notes that the retail industry is decentralized and complex, incorporating many different technologies such as artificial intelligence (AI), the internet of things (IoT) and blockchain, and is constantly shifting between e-commerce, social commerce and even e-commerce with software-as-a-service (SaaS).
Research analyzing about 1,400 U.S. retail domains from October 2017 to March 2018 found that more than 90 percent of retailers failed to pursue at least four PCI DSS key requirements, and an astonishing 98 percent of them struggled to uphold the key security requirements for maintaining secure systems and applications. To further illustrate the problem, just before that period, other researchers found a sample of about 1,600 AWS S3 buckets misconfigured, which exposed sensitive data to malicious actors.
Additionally, a study published in February 2019 found that 64 percent of insider threats are a result of human neglect (i.e., human error or lack of security awareness amongst employees). Another study stated that 83 percent of the companies reviewed reported they had an incident where employees accidentally exposed customer or business data. The report says the lack of cybersecurity prioritization in the retail industry has become an executive management and board-level issue—many companies continue to deploy poor cybersecurity strategies or no strategy at all, which critically exposes the retail business environment to malicious intent that can cripple retailers and cause significant financial losses.
One form of attack unique to the retail industry is PoS skimming. These devices glean credit card and PIN data from cards physically swiped during purchase. In the past, these devices were bulky, conspicuous and hard to install, but in recent years they have advanced and become much smaller, easier to conceal and easier to install.
A flaw in Oracle’s PoS system, for example, affected more than 300,000 payment systems worldwide. Recently, in early February 2019, U.S. restaurant chain Huddle House revealed hackers had targeted a third-party provider’s PoS system and used its remote assistance tool to deploy info-stealing malware at multiple locations.
Mobile point-of-sale (MPoS) devices could easily become targets, too. In August 2018, researchers detected vulnerabilities in devices from common MPoS vendors, determining that most could have enabled malicious actors to steal sensitive information from the devices. In March 2018, while investigating a large PoS malware campaign, researchers identified a new and sophisticated variant of a PoS malware dubbed “PinkKite” that included built-in persistence mechanisms. The new strain, which has an exceptionally small footprint of less than 6KB, obfuscates its activity by encoding stolen credit card details via a double-XOR encryption scheme, making it harder to detect.
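The XOR obfuscation mentioned above is cheap for a defender to undo when the keys are constant: XOR-ing with one fixed byte and then another is the same as XOR-ing once with the two bytes combined, so a "double XOR" collapses to a search over 256 candidate keys, and a Luhn check weeds out digit runs that are not card numbers. The scanner below is an added example written for this article; it is not code from the BDO report or from the PinkKite analysis, and it generalizes to any constant single-byte XOR rather than PinkKite's specific scheme, whose parameters the article does not give. The key bytes, record layout and card numbers are constructed test data (the PANs are the standard 4111…/5555… test numbers), not captured malware output.

```python
"""Scan a blob for card numbers hidden behind a constant single-byte XOR.

Added example for this article, not code from the BDO report or from the
PinkKite write-up. Keys, record layout and PANs are constructed test data.
"""
import re
from typing import Dict, List

# A 13-19 digit run with no digit on either side: the PAN length range.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one constant key byte."""
    return bytes(b ^ key for b in data)


def double_xor(data: bytes, key1: int, key2: int) -> bytes:
    """Two XOR passes with constant keys; identical to one pass with key1 ^ key2."""
    return xor_bytes(xor_bytes(data, key1), key2)


def scan_payload(blob: bytes) -> Dict[int, List[str]]:
    """Try all 256 single-byte keys; return {key: [Luhn-valid PANs found]}.

    Works on any constant single-byte XOR, so a double XOR with fixed keys
    is covered too. The real key is normally the one with the most hits;
    other keys can still produce the odd Luhn-valid coincidence.
    """
    hits: Dict[int, List[str]] = {}
    for key in range(256):
        plain = xor_bytes(blob, key)
        pans = [m.group().decode() for m in PAN_RE.finditer(plain)]
        pans = [p for p in pans if luhn_ok(p)]
        if pans:
            hits[key] = pans
    return hits


# Constructed sample of "harvested" records (tk2 = track-2-like field): two
# test PANs, a short expiry date, and a 16-digit ID that is not Luhn-valid.
SAMPLE_PLAINTEXT = (b"tk2=4111111111111111|exp=1223|"
                    b"tk2=5555555555554444|id=1234567890123456|")
# Encode with two constructed keys; the effective key is 0x5A ^ 0x3C = 0x66.
SAMPLE_BLOB = double_xor(SAMPLE_PLAINTEXT, 0x5A, 0x3C)


if __name__ == "__main__":
    for key, pans in sorted(scan_payload(SAMPLE_BLOB).items()):
        print(f"key 0x{key:02x}: {pans}")
```

Run against a memory dump, a dropped staging file or a reassembled payload, the key that yields the most Luhn-valid numbers is almost always the real one; the expiry date is too short to match and the ID number fails the Luhn check, which is what keeps the candidate list short. A rolling or multi-byte key would need a longer key search, but the same "decode, then validate" structure applies.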
Business Email Compromise (BEC) scamming, often called “spoofing,” is one of the most widespread forms of cyberattacks in recent years. BECs (also known as “Man-in-the-Email” or CEO/CFO attacks) are carried out through a variety of social engineering methods and tools. These types of attacks appear to be growing, with stolen funds rising by 136 percent since December 2016.
Retailers are also at risk because consumers can be attacked by fraudulent websites impersonating merchants. Attackers often lure targets to the fake websites via different methods such as phishing emails, spear phishing, etc. Once accessed, the websites serve a malicious payload such as an exploit or malware.
Helping retailers thrive and stay secure
The number of global ransomware attacks alone doubled in 2018 compared to 2017, as attackers began more effectively targeting critical business systems, according to Verizon’s 2018 Data Breach Investigations Report. While coming up with a focused business strategy amid disruption and increased cyber risk is already tough for any business, it’s even more so for mid-market retailers saddled with greater resource constraints. In fact, just 37 percent of mid-market retailers say they are actively thriving today, while more than half (54 percent) say they’re merely surviving, and 9 percent admit to struggling, according to BDO’s Retail Rationalized Survey.
When it comes to which retailers are thriving, the report says a lot of it comes down to technology adoption and digital transformation. An overwhelming majority of pure play e-commerce businesses (84 percent) are thriving, meaning they’re profitable and experiencing robust growth. Meanwhile, more than half of traditional retailers (including big box, department store, discount and specialty retailers) are just surviving, as they catch up to optimizing physical assets and bolstering online and attractive price offerings.
It is clear that e-commerce and other digitally-enabled offerings with appropriate information security will become a greater part of retail business. Nearly half (48 percent) of retailers expect their digital investments to increase their revenue by 1-9 percent in the next three years, and 18 percent expect them to drive revenue growth of 10 percent or more, according to BDO’s 2019 Middle Market Digital Transformation Survey. Forty percent, meanwhile, expect digital investments to increase their profitability by 1-9 percent, and 27 percent expect them to grow profits by 10 percent or more. Taking intentional steps toward a clearly defined digital transformation strategy will therefore be critical.
As digital transformation becomes a core part of retailers’ strategy, they’ll have to prioritize threat-based cybersecurity in tandem. Threat-based cybersecurity is a forward-looking, predictive approach. Instead of (or in addition to) focusing solely on protecting critical data assets or following the basic script of a generic cyber program, threat-based cybersecurity concentrates on investments in the most likely risks and attack vectors based on an organization’s unique threat profile. For example, this framework looks different for a pure play e-commerce entity than for a hybrid e-commerce or specialty retailer because the most likely attack vectors are different for each. Threat-based cybersecurity approaches go hand in hand with innovation, as security serves as the backbone to digital transformation—and can even be an innovation catalyst.
Gregory Garrett, Head of U.S. and International Cybersecurity for BDO, says taking on digital transformation initiatives such as adopting an emerging technology, investing in a new technology or even building a new technology is key not only to increasing operational efficiencies, but also to bolstering cybersecurity, as both security and privacy should be embedded into the initiative’s design and architecture.
“When an organization overhauls its IT infrastructure, its security risks undergo an overhaul, too. Old vulnerabilities may be mitigated or even eliminated, while new ones are introduced,” Garrett explains. “The process of implementation will require a fresh look at how data is accessed and used, and can help retail companies shift their security resources accordingly, in conjunction with an external threat monitoring system.”
*The BDO Cyber Threat Intelligence (CTI) team brings together top information security experts from the U.S. and Israel with extensive information technology and cybersecurity experience from the military, intelligence, law enforcement, public, and private sectors to assist clients in understanding both the constantly changing cyber threat landscape and the complex cybersecurity regulatory environment to make well-informed business decisions on how best to invest in cybersecurity and data privacy.