The recent Macys.com data breach has served as another warning that the retail space remains one of the most targeted industries for cyber criminals. No surprise, given the amount of personal information provided in an online transaction.
In the Macy’s breach, web skimmer malware was discovered on the Macys.com website, collecting a small number of customers’ payment card information. Rather than breaking into a database, the skimmer ran as JavaScript in the shopper’s browser on the checkout pages and copied card details as they were typed. The attack was linked to Magecart, an umbrella term for several cybercriminal groups known for injecting payment card skimmers into ecommerce websites, typically by modifying a first-party script or a third-party script the page loads.
And while we’ve seen quite a number of top U.S. retailers fall victim to data breaches, don’t be deceived into thinking small businesses are immune to these threats. In fact, according to recent CNBC research, 43 percent of cyber attacks target small businesses, and only 14 percent of these businesses are prepared to defend themselves.
It’s safe to say: retail, we have a problem.
Tougher to Combat
Over the course of the last decade it has become quite clear that consumer-serving industries are the most appealing sectors to attack, and the interface between the customer and a retail outlet is lucrative ground for cybercriminals. These attacks are occurring on several fronts: the physical point-of-sale terminal or the ecommerce payment gateway, the retail location and its supply chain, and the customer’s own device. An assault on this many fronts demands prevention, detection and response strategies that cover each of them.
Statistical data always helps shed some light on just how serious a problem cyber attacks have become in the retail sector. Here are a few eye-popping numbers:
- Worldwide spending on cybersecurity is forecast to reach $133.7 billion in 2022. (Gartner)
- Data breaches exposed 4.1 billion records in the first half of 2019. (RiskBased)
- 500 million consumers, dating back to 2014, had their information compromised in the Marriott-Starwood data breach made public in 2018. (Marriott research)
Cybercriminals’ tactics continue to evolve, as do their methods for attacking retail specifically. In just about any report you happen to look at, the retail industry is at or near the top of the list of most frequently attacked sectors. It is clearly time to give cybersecurity a more serious look in 2020. It is vital today to fully understand the risks involved, along with the steps that can be taken to mitigate them, no matter the size of your operation.
There are a multitude of steps retailers can take but we list just a few here, with help from Intellias, a custom software engineering company that specializes in cybersecurity.
- PCI DSS compliance: The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for any organization that stores, processes or transmits payment card data. Compliance demonstrates that a retailer has control over the card data it handles and takes concrete steps to prevent theft and fraud. PCI DSS is not itself a law: it is a contractual obligation imposed by the card brands through merchant agreements with acquiring banks, although a handful of US states have written parts of it into statute, so readers should verify the regulatory status in their own region. Either way, any retailer that isn’t currently in line with PCI DSS needs to take immediate steps to get there. The commonly cited penalties for non-compliance run as high as $100,000 per month or $500,000 per security incident; the card brands levy them on the acquiring bank, which passes them on to the merchant, and a merchant that stays non-compliant can lose the ability to accept cards at all.
There are different levels of PCI DSS compliance, set by annual transaction volume. Smaller merchants complete a Self-Assessment Questionnaire (for example SAQ A when the payment form is fully outsourced to a compliant provider), while the largest undergo an annual on-site assessment by a Qualified Security Assessor. Any retailer that takes payments for goods or services on the internet must go through some level of assessment, even if the actual transaction is outsourced, because the retailer remains responsible for the pages that redirect to or embed the payment provider, which is exactly where a web skimmer gets inserted.
- Same threats, different approaches: While new cybersecurity threats will keep arriving, companies should still pay attention to existing, well-known vulnerabilities throughout 2020. Instead of leaving known vulnerabilities untouched, treat them as being just as dangerous as newly discovered ones; attackers routinely exploit the oldest unpatched flaw first because it is the cheapest way in.
It is always more costly to fix something later, so protect your business by resolving even minor issues as they are found.
- Data protection: With increasing cloud adoption, data protection will become even more of an issue. While the cloud is the future of ecommerce, it also brings unfamiliar failure modes and a high risk of misconfiguration. The newer the technology, the bigger the chance attackers will find out how to breach it before the defenders understand it well enough to fix it.
All of the above is why data protection will remain one of the top priorities for retailers in 2020. It will also push businesses to create more data security governance programs to prevent data breaches in private clouds. Retailers that fail to make cybersecurity a priority in 2020 are playing catch with a grenade, clearly a game with potentially devastating risks.