Top Retail Cybersecurity Challenges

How to Mitigate e-Commerce Fraud with CloudConnexa

E-commerce lets retailers use customer data and segmentation to deliver unique customer experiences. That’s why the industry eagerly pursued digital transformation. Unfortunately, that customer data also creates new vulnerabilities that weren’t part of traditional brick-and-mortar retail.

The retail industry’s move to e-commerce benefits both buyers and sellers. Market and consumer data provider Statista reports that in 2020 alone, more than two billion people purchased goods or services online, pushing online sales past 4.2 trillion U.S. dollars worldwide. Shopping apps make it easy to shop from virtually any device, which is convenient, of course, but it also increases the number of endpoints. Hackers take advantage of this expanded attack surface to the detriment of retailers and customers. In August, just ahead of the holiday shopping season, Help Net Security published the following retail sector statistics for 2020:

  • 82% of U.S. retailers experienced increased fraud attempts during the pandemic.
  • Promo abuse (46%) and account takeovers (43%) did the most damage.
  • 26% of global retailers say fraud significantly damages their profitability.
  • 34% of global retailers reported losing 5-10% of e-commerce revenue to fraud.

The independent infosec site also pointed out that retailers and consumers have divergent views on fraud:

  • 55% of retailers say they’re confident they can prevent e-commerce fraud, but only 34% of consumers feel the same way.
  • 33% of American shoppers expressed growing concern about online shopping security.
  • 45% of online shoppers in the U.S. expect retailers to have even more difficulty preventing fraud in the coming year.

Then, as the 2021 holiday shopping season approached, retailers faced an additional issue: the widely publicized global supply chain crisis. Says Help Net Security, “From website outages to online fraud, security incidents lead to loss of sales and unhappy customers. Given the widespread impact of the global supply chain crisis, the impact of a single cyber attack on a retailer in Q4 could be devastating.”

These numbers are cause for concern, but numbers alone don’t tell the whole story. Both retailers and customers view the rewards of e-commerce as worth the cybersecurity risks, so we wanted to take a closer look at what those risks are. 

Top Retail Security Threats

Cybersecurity threats are continually evolving, but these dominate retail right now.

Inside information theft

People provide credit card numbers, addresses, and other information for online purchases. Companies shouldn’t assume that external malicious actors are the only ones interested in stealing customer data. In fact, according to the Verizon 2020 DBIR report, 30% of 2019 data breaches involved internal personnel.

E-skimming

Online shopping is regulated by the Payment Card Industry Data Security Standard (PCI DSS), an infosec standard for processing branded credit cards. PCI DSS compliance doesn’t guarantee buyers and sellers are protected against fraud, though. In e-skimming, for example, cybercriminals place skimming code on e-commerce payment card processing web pages. The code captures credit card and other sensitive data used on the controlled domain. The Cybersecurity and Infrastructure Security Agency (CISA) reports that, “This threat has impacted e-commerce companies in the retail, entertainment, and travel industries as well as utility companies and third-party vendors,” and, “is also commonly targeting third-party vendors such as those who provide online advertisements and web analytics.”
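Because CISA singles out third-party advertising and analytics vendors, a useful defensive check is to inventory the external scripts a payment page loads and flag those that are not pinned with Subresource Integrity. The following is an added example, not code from the article or from CloudConnexa; the page markup, host names, and the `FIRST_PARTY_HOSTS` set are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (hypothetical hosts, not from the article).
CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/vendor/lib.js"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://analytics.vendor.example/tag.js"></script>
<script src="//ads.vendor.example/pixel.js" async></script>
</head><body><form action="/pay"></form></body></html>
"""

FIRST_PARTY_HOSTS = {"shop.example"}  # assumption: the merchant's own origin


class ScriptAuditor(HTMLParser):
    """Records third-party <script src=...> tags that carry no SRI hash."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return  # inline scripts need a separate review (CSP, nonces)
        host = urlparse(src).hostname  # None for same-origin relative paths
        if host is None or host in self.first_party:
            return
        if not attr.get("integrity"):
            self.findings.append((host, src))


def audit_checkout(html, first_party=FIRST_PARTY_HOSTS):
    """Return (host, src) for each external script loaded without SRI."""
    auditor = ScriptAuditor(set(first_party))
    auditor.feed(html)
    return auditor.findings
```

Each finding is a script that can change on the vendor's side without the payment page noticing; where a vendor publishes versioned files, pinning them with an `integrity` hash makes the browser refuse a modified copy.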

Credential stuffing

In late December, Help Net Security reported there were more than two billion credential stuffing attacks in the previous 12 months, a 98 percent year-over-year increase. This tactic uses known username and password combinations on multiple websites. Users often reuse login credentials across accounts, so if bad actors get one set, possibly through phishing, it can be used to access other sites and make fraudulent purchases.
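On the defender's side, credential stuffing shows up in authentication logs as one source trying many different accounts in a short burst, which distinguishes it from a user mistyping a password. The following is an added example, not code from the article; the log format, IP addresses (documentation ranges), user names, and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log: ISO timestamp, source IP, account, result.
LOG = """\
2024-01-10T09:00:01 203.0.113.7 alice FAIL
2024-01-10T09:00:02 203.0.113.7 bob FAIL
2024-01-10T09:00:03 203.0.113.7 carol FAIL
2024-01-10T09:00:04 203.0.113.7 dave OK
2024-01-10T09:00:05 203.0.113.7 erin FAIL
2024-01-10T09:00:06 198.51.100.4 frank FAIL
2024-01-10T09:00:09 198.51.100.4 frank FAIL
2024-01-10T09:00:15 198.51.100.4 frank OK
"""


def detect_stuffing(log_text, window=timedelta(minutes=1), min_users=4):
    """Flag IPs that attempt >= min_users distinct accounts within `window`.

    Returns {ip: {"users": set, "compromised": set}}; "compromised" holds
    accounts that logged in successfully during the burst and should have
    their sessions revoked and passwords reset.
    """
    recent = defaultdict(deque)  # ip -> deque of (time, user, result)
    alerts = {}
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        now = datetime.fromisoformat(ts)
        events = recent[ip]
        events.append((now, user, result))
        # Drop attempts that have aged out of the sliding window.
        while events and now - events[0][0] > window:
            events.popleft()
        users = {u for _, u, _ in events}
        if len(users) >= min_users:
            hit = alerts.setdefault(ip, {"users": set(), "compromised": set()})
            hit["users"] |= users
            hit["compromised"] |= {u for _, u, r in events if r == "OK"}
    return alerts
```

The second source in the sample retries a single account and is not flagged, while the first is flagged with `dave` listed as a successful login inside the burst.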

Phishing

This social engineering tactic, associated with more than 20% of data breaches, is one of the biggest cyber threats businesses face because it targets and manipulates human behavior. The FBI’s Internet Crime Complaint Center (IC3) reported that phishing was the most common attack by far in 2020.

Ransomware

Uptime is critical to online commerce. If a retailer’s network is down, customers can’t complete purchases. Ransomware, a form of malware, can be used to steal and make public, or even erase, data if the company attacked doesn’t pay a ransom. This happened to Italian fashion giant Moncler in December. The ransomware attack interrupted operations and resulted in data belonging to current and former employees, suppliers, consultants, partners, and customers being released on the dark web.

DDoS attacks

In September 2021, distributed denial of service (DDoS) attacks increased 200% month-over-month. This was due in part to the global Meris botnet, but over the previous year the retail industry saw more monthly DDoS attacks than any other industry. The majority of the attacks (61.6%) were directed at U.S. firms.

Point-of-Sale Systems

Use of POS systems grew as people moved away from cash transactions at the outset of COVID-19. Transactions made via POS hardware (e.g., Square) and mobile apps (e.g., Venmo, Cash App) leave credit card numbers vulnerable unless they’re encrypted. Unencrypted data is vulnerable to thieves as it travels from the buyer’s phone to the merchant payment processor. Merchants can’t guarantee payment data is secure if point-to-point encryption (P2PE) isn’t used. As the name implies, P2PE shields data from unauthorized outsiders from phone to processor.

Addressing Cyber Threats with Retail Security Solutions

Online commerce changed the retail business for the better, even though it comes with risk for all involved. Retailers can’t dictate security policies for customers, so what can they do to keep customer information safe once it’s in their network? 

They can deploy cloud-based security. 

Reliable, robust network security begins with CloudConnexa, which enables a zero trust network so that employees only have access to the resources they need and only authorized users can access systems holding sensitive data. It comes with built-in firewall and IDS/IPS, access control, authentication, and threat intelligence reporting that allows network administrators to adjust a company's security posture and policies as needed. OpenVPN is on a mission to make cloud security accessible to businesses of all sizes. Getting started isn’t just easy; it’s free. Get your three free connections now.
