
Mitigating Cyber Security Threats: Looking Back On Black Friday

By David Higgins | November 26, 2018 | Updated: July 16, 2021 | 5 Mins Read

Just a few days have passed since Black Friday – the busiest discount shopping day of the year where retailers are competing to offer the best possible deals and bargains.

But this is also the time of year when savvy cyber criminals see an opportunity. Last year, the Carbon Black Threat Analysis Unit reported that organisations saw a 20.5 percent increase in attempted cyber attacks between November and December 2016. This seasonal period is a goldmine for the latest generation of hackers looking to steal customer credentials, and it is also a time when a retailer’s reputation can be damaged.

So, how can retailers safeguard against cyber-attack for future Black Fridays?

Privileged access management must take centre stage

In order to beat the competition and incentivise consumers to come in store, many bricks-and-mortar retailers will increasingly be offering a digitised ‘retail theatre’ experience. Moreover, online retailers will expand their offerings. Privileged access security has to protect both the front-end devices – such as tills – and the back-end IT infrastructure. The Internet of Things (IoT) and rapid adoption of cloud services are bringing a whole new threat landscape to the shopping and sales experience. In-store retailers are increasingly looking to mirror the ‘Amazon effect’ in their shops, where customers can use phones as coupons to pay, or where sensors and smart beacon technologies can predict whether a shopper is going to make a certain purchase or not. With a greater proliferation of devices, and indeed data, now held in a physical shop, there are more ‘ways in’ for hackers to infiltrate the network.

For online retailers, the challenge remains to stay one step ahead when it comes to protecting customer data and keeping web properties up and running. To stay secure this festive season, retailers need to invest in privileged access security. This goes a step beyond typical perimeter defences: it provides the ability to monitor, recognise and lock down activity that could affect site uptime or lead to data exfiltration.

This doesn’t need to be a burdensome challenge and can be broken down into simple stages. Firstly, retailers must look to eliminate irreversible network takeover attacks as best as they can. Secondly, it is essential that on-premise cloud infrastructure accounts are controlled and secured. To do this, retailers must vault all critical infrastructure accounts and automatically rotate passwords periodically after every use.

Undertaking all of the above is of escalating importance, especially in the online retail sector where brands are entrusted to store more data such as credit card details and addresses. Finally, retailers should look to learn from other sectors. Many businesses across a range of industries from banking to manufacturing are hiring a team of ethical hackers or red teams to regularly test critical systems. To protect from hackers, you have to think like one.

These tactics have to be top of mind if retailers want to stay one step ahead and keep critical customer data secure beyond busy seasonal discount times.

It’s all about education

Before new privileged access security measures are implemented, however, education has to take place – for both retailers and consumers looking for the best deals.

Our own findings from CyberArk’s annual Threat Landscape report revealed that only 39% of IT decision makers working in retail would reward employees who helped to prevent a security breach in 2018. This lags behind IT & telecoms at 62% and healthcare at 42%. Clearly, this sector has to innovate and learn how to incentivise a culture of cyber security best practice. Brand reputation and retaining a solid customer base depends on it.

How can this be changed? Typically, the retail sector has lagged behind other sectors, as it often employs IT contractors rather than in-house staff to be upskilled and trained in cyber security best practice. The fight against cyber-attacks has to involve all employees, right from the staff on the shop floor (who are now interacting with analytics-based technology more than ever before) through to the chief technology officers behind major online brands. Basic training in ‘cyber hygiene’ principles is a must to ensure that all employees are equipped to deal with cyber-attacks before they happen and do not let malicious hackers into the network.

A greater understanding of ‘cyber hygiene’ can also be applied to shoppers this Black Friday. Many fall victim to phishing scams. Emails or ads that look like they are from their favourite retailers may actually lead through to malicious websites or fake domains. If a deal looks too good to be true, the chances are it is. Consumers should think twice about saving their credit card details on a site. As criminals look to hack many retailers this Black Friday, it is safer in many instances not to save sensitive details.

Unfortunately, hacks on high profile brands are commonplace. It is not a question of ‘if’ but ‘when’. Post Black Friday and in preparation for next year, retailers must ensure that they have taken every measure possible to safeguard against cyber-attack. Quick and convenient deals to bring in the customers should not be at the expense of security or good cyber hygiene.

David Higgins

EMEA Technical Director


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
