Why Is Retail Cyber Security So Weak?

Uploaded on 2019-07-09 in BUSINESS-Services-Financial, FREE TO VIEW

Retailers are particularly vulnerable to cyber hacks that prey on human error. Research by SecurityScorecard found retail is the worst ranked industry when it comes to defending against social engineering attacks, which involve hackers tricking employees into divulging sensitive information through practices such as vishing or phishing.

The very nature of the retail industry makes it a soft target for organised crime gangs.

“The ecosystem for the underworld is working so hard to maintain and prosper from the various mistakes that us humans make,” says Fouad Khalil, head of compliance at SecurityScorecard.

Julian Burnett, VP of global markets at IBM’s distribution sector, says the attack surface of the retail industry is particularly large because of the people-heavy nature of it.

“There are lots of staff interacting with many customers, exchanging lots of money, and using lots of tech to achieve it, which means you have got a heady cocktail of risk,” says Burnett, a former CIO at House of Fraser and CTO at John Lewis and Sainsbury’s.

Social engineering is a particularly common means of attack within retail because there are so many staff that can be targeted, who are often inexperienced or temporary.

IBM’s ethical hacking group X-Force Red has found younger staff are particularly susceptible to inadvertently giving away data that is commercially sensitive.

Social Media Engineering
Sensitive data is left all over social media, says Burnett. “We see a particularly significant proportion of younger people in the workforce being largely ignorant to the risks they are taking because they have grown up feeling much more trusting and safe in digital contexts.”

Burnett says the type of information they can inadvertently share includes pictures with a security badge in view, or laptops openly displaying sensitive information on the screen.

Hackers can also exploit the customer service-led nature of the retail industry to steal information through social engineering.
Florence Mottay, chief information security officer at Dutch food retailer Ahold Delhaize Europe says ‘vishing’ (voice phishing) is one of the most popular tactics employed by social engineers in the retail world.

“In a vishing attack, social engineers call a company impersonating someone else looking for sensitive information on customers, associates, or digital products,” says Mottay. “Since customer service is key within retail, victims of social engineering might unknowingly aid attackers over the phone while they are under the impression that they are just doing their jobs.”

The large physical footprint many retailers have adds an additional layer of vulnerability to their businesses as well.
Burnett says that during his time working at retailers there were instances of fake engineers arriving in shops, who installed devices into vulnerable ports on equipment.

Internal Threats
A further human weakness that can be exploited is the deliberate selling of commercially sensitive information.
Recent research by Deep Secure has found that a surprisingly large number of employees would be willing to sell off their company’s information. Just £1,000 would be enough to tempt 25% of employees to give away company information, according to the research.

The human vulnerabilities of a retailer’s cybersecurity operation are numerous, but this does not mean they are impossible to guard against.

Chris Pritchard, a consultant at cybersecurity firm Pen Test Partners, says it is difficult to train staff to avoid them falling victim to social engineering-based cybersecurity attacks.

“If an attacker is prepared to take the risk and appear in person, physically to attempt to gain access to an office, or factory then, if done properly, that’s hard to prevent,” says Pritchard. “But as most attackers like the [telephone or email based] spray and pray method because it’s the least risky, it’s easier to prevent.”

Staff training and education should be the first line of defence against social engineering attacks.
“From a best practice perspective I would focus on training as number one,” says Khalil. “Bring into the light the different angles the attackers are taking to steal personal information.”

Education
“Awareness and education go an awfully long way to improving any organisation’s stance in the face of cyber-crime,” says Burnett. “It is about behaviours and recognising risk and learning not to inadvertently share sensitive information that could be put alongside other information that can be used to create a persona for those prepared to launch an attack.”

Mottay says Ahold Delhaize puts every staff member, whether at corporate or store level, through different types of security awareness training to educate them about social engineering attacks and how to spot them.

“Through simulated phishing and social engineering exercises, our users get trained in a fun and constructive way,” says Mottay. “Awareness exercises are just like fire drills; we conduct them on a regular basis on every aspect of information security - and social engineering is part of these exercises.”

Burnett advises retailers take care to ensure educational programmes are effective for those who are only working at the company for short time frames such as seasonal workers at Christmas.

This training could include warning younger staff about the potential dangers of posting pictures of them at work on social media websites. 

It is more difficult to stop disgruntled staff from leaking commercially sensitive information, but systems can still be put in place to try and stop such scenarios.

“I would encourage companies to think about monitoring the output of the company on the many channels we use in big business,” says Burnett.

This could include monitoring who is saying what and keeping an eye on what attachments are being shared via email.

“The level of sophistication in monitoring is improving and increasing all the time,” says Burnett. “Applying a level of analytical insight above and beyond monitoring can help you understand the risk profile of an individual and their propensity to act.”

Unfortunately, there is no such thing as an entirely flawless cybersecurity defence. But there are many things that can be done to minimise risk.

The retail industry is such low hanging fruit for organised crime that it is likely cyber-attacks will only rise further and become ever more sophisticated. Retailers would be wise to do all in their power to ensure they cut out the basic human errors that are opening the door to cyber-attacks.

Essemtial Retail:        Image: Nick Youngson

You Might Also Read:

Banks And Retailers Track How You Type, Swipe And Tap:

« Improving Electric Power-Grid Security
Police Forensic Firm Has Paid Ransom »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Cyber Conflict Studies Association (CCSA)

Cyber Conflict Studies Association (CCSA)

Cyber Conflict Studies Association (CCSA) is a non-profit organization dedicated to leading a diversified research agenda in the field of cyber conflict.

Teradata

Teradata

Teradata is a leading provider of enterprise big data analytics and services. Applications include Cyber Security Analytics.

Japan Network Security Association (JNSA)

Japan Network Security Association (JNSA)

JNSA's goal is to promote standardization related to network security and to contribute to greater technological standards in the field.

Business Continuity

Business Continuity

Business Continuity delivers integrated IT solutions for cybersecurity, virtualization, cloud platforms and operational security solutions.

LUCY Security

LUCY Security

LUCY is the answer when you want to increase your IT security, maintain your cyber security awareness, or test your IT defenses.

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71)

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71)

Innovation Cybersecurity Ecosystem at BLOCK71 (ICE71) is Singapore's first cybersecurity entrepreneur hub.

QI ANXIN Technology Group

QI ANXIN Technology Group

QI ANXIN specializes in serving the cybersecurity market by offering next generation enterprise-class cybersecurity products and services to government and businesses.

Secured Communications

Secured Communications

Secured Communications has developed the only unified secure communications platform trusted by public safety and counter terrorism professionals around the world.

ThreatReady Resources

ThreatReady Resources

ThreatReady reduces an organization’s risk by delivering cyber security awareness training based on the latest, state-of-the-art learning science to effectively drive long-term cyber-safe behavior.

LANCOM Systems

LANCOM Systems

LANCOM Systems is the leading European manufacturer of secure, reliable and future-proof networking (WAN, LAN, WLAN) and firewall solutions for the public and private sectors.

Singtel Innov8

Singtel Innov8

Singtel Innov8, the venture capital arm of the Singtel Group, invests in and partners with innovative technology start-ups globally.

Bittnet Training

Bittnet Training

Bittnet Training is the leader in the IT Training market in Romania. We develop the IT skills of IT professionals as well as those who wish to start a career in IT.

Womble Bond Dickinson

Womble Bond Dickinson

Womble Bond Dickinson is a transatlantic law firm, providing high-quality legal experience and outstanding personal service from key locations across the United Kingdom and United States.

Cloudbrink

Cloudbrink

Cloudbrink is purpose-built to deliver the industry’s highest performance connectivity to remote and hybrid workers, anywhere in the world.

Dryad Global

Dryad Global

Dryad Global offers a comprehensive suite of maritime intelligence solutions, including a best-in-class situational awareness, planning and security system and industry-leading cyber protection tools.

Tanzania Industrial Research and Development Organization (TIRDO)

Tanzania Industrial Research and Development Organization (TIRDO)

TIRDO is a multi-disciplinary research and development organization.