BY JULIE A. PALM
Sleep Savvy examines the risks retailers face and ways you can protect your business from online criminals
Target. eBay. Neiman Marcus. Home Depot. It’s an impressive list of category-leading, innovative retailers with loyal customers. But it’s not a group you want to be part of.
Each one of those retailers has been the victim of a large, high-profile cyberattack that resulted in the theft of shoppers’ personal information, followed by a dip in retail revenue and loss of public trust.
Cybercriminals love retailers, who collect massive amounts of personal information, plus credit card, banking and other financial data from shoppers every day. The 2017 IBM X-Force Threat Intelligence Index lists retail among the top five most attacked sectors.
Nearly a third of retailers lost revenue due to cyberattacks in 2016 and a quarter lost customers or business opportunities because of those attacks, according to the 2017 Midyear Cybersecurity Report from Cisco, a San Jose, California-based technology conglomerate.
Point-of-sale systems and websites are ripe targets for hackers, who can breach them and capture information they later can sell to identity thieves. But there are other ways criminals can attack your business. They can send nefarious emails that trick an employee into clicking on a suspect link, installing ransomware that locks every file on your computer network until you pay up. Or a disgruntled former employee can take over your social media accounts, sending out offensive and embarrassing messages to all your followers.
“Our adversaries are becoming more and more creative in how they architect their attacks,” says Steve Martino, vice president and chief information security officer for Cisco. “While the majority of organizations took steps to improve security following a breach, businesses across industries are in a constant race against the attackers. Security effectiveness starts with closing the obvious gaps and making security a business priority.”
Two trends are heightening the threat to retailers—the personalization of the shopping experience and the move to online sales.
“As retailers seek to fully implement personalization by tracking and integrating data from various devices, such as smartphones, tablets and point-of-sale systems, the customer experience becomes more seamless and pleasing. However, the more data a retailer collects and integrates, the more vulnerable it becomes. Retail is already a prime target, and as its data repositories grow, it offers a data-rich environment ever more attractive to the cybercriminal,” writes Michelle Alvarez, a threat researcher and editor for IBM Managed Security Services in Somers, New York. Her comments appear in a 2016 report titled, “Security Trends in the Retail Industry: Attackers Are Shopping for Low-Hanging Fruit.”
Smaller retailers—“where the basic security measures (identify, protect, detect and recover) have not been performed”—are especially vulnerable, Alvarez says.
Pirating a treasure trove of data
As we mentioned earlier, one of the most significant threats to retailers is a data breach, in which criminals steal personal information (credit card numbers, email addresses, birth dates, etc.) and then sell the data to identity thieves. Such attacks often come through POS systems and websites. Regardless of the entry point, they are devastating to the customers or employees whose information has been stolen and are damaging to companies in terms of bad public relations and legal liability, if a company didn’t take prudent steps to protect the data.
Across all sectors, retail accounted for 8.2% of data breaches in 2016, according to the 2017 Internet Security Threat Report from Symantec, a provider of security products headquartered in Mountain View, California. That compares with 44.2% of data breaches in a broad sector Symantec calls Services. The Services sector is No. 1 on the list of sectors experiencing breaches; retail is No. 4.
There is some good news on the data breach front, according to IBM and Symantec, in that both the number of data breaches and the average cost of a data breach are on a slow decline. But that news is offset by findings that the size of the average breach is growing—up 1.8% in 2017 to an average of 24,000 records stolen, according to the annual Cost of a Data Breach Study sponsored by IBM and conducted by the Ponemon Institute, an independent research group with headquarters in Traverse City, Michigan.
Symantec notes that much of the identity theft damage already has been done, with more than 7 billion online identities stolen in the past eight years, “almost the equivalent of one for every person on the planet.” But that hasn’t stopped hackers from gobbling up more and more data in each breach. “In 2016, more than 1.1 billion identities were stolen in data breaches, almost double the number stolen in 2015,” Symantec reports.
Easy entry points
Email continues to be a favored “doorway” for cybercriminals, who typically use it to deliver malware (viruses, worms, adware, spyware, etc.) that infects a computer network. They also use email for phishing expeditions (fraudulent emails that seek personal information like passwords).
Email malware attacks against retailers declined from 2015 to 2016, but even with that drop, a stunning one in 135 emails to retailers contained malware in 2016, according to Symantec. And one in 2,419 emails to retailers was a phishing attempt.
Symantec points to a recent rise in a particular email scam, the business email compromise, or BEC, in which a fake email ostensibly from the chief executive officer or other senior manager instructs the recipient (a bookkeeper, accountant, controller or even chief financial officer) to transfer or send money to a bank account or vendor account that looks familiar.
Think of a BEC, also called “whaling,” as a more sophisticated version of the infamous Nigerian prince rip-off. The FBI estimated in February 2017 that criminals may have stolen as much as $3 billion worldwide using BECs since January 2015—that’s $3 billion in just two short years. Symantec estimates 400 businesses are targeted by BEC scams daily.
Websites, of course, are another easy entry point for criminals. Overall, security experts say, the number of cyber incidents targeting websites has been on a decline. “However, web attacks are still a big problem, with an average of more than 229,000 being detected every single day in 2016,” according to Symantec.
Companies appear to be doing a better job protecting their sites from intrusion. Although a distressing 76% of websites scanned in 2016 contained vulnerabilities, Symantec found that the percentage of sites with “critical” vulnerabilities dropped to 9%, down from 15% in 2015 and 20% in 2014.
Holding you hostage
Companies across sectors are increasingly at risk of ransomware—from highly targeted attacks on one victim to widespread outbreaks like 2017’s WannaCry and NotPetya. In a ransomware attack, thieves lock targets out of their files through encryption and demand ransom, typically to be paid in bitcoin or other digital currency. Sometimes the files are unlocked after payment; sometimes not. Criminals can use distributed denial of service, or DDoS, attacks in a similar way, shutting down a website or another part of a business—perhaps the POS system—and demanding payment.
“The risk posed by ransomware and other extortion attacks is of growing concern across all industries. Retail is no exception,” Alvarez says.
Cybersecurity Ventures, a research firm and publisher based in Menlo Park, California, estimates that a business fell victim to ransomware every 40 seconds in 2017 and predicts the pace of attack will speed up to one business every 14 seconds in 2019. One reason thieves like to target businesses rather than individuals: The average ransom amount went from $294 in 2015 to $1,077 in 2016, but when a company is hit and multiple computers on its network are infected, the ransom request can be for thousands or even hundreds of thousands of dollars.
IoT is a new way in
If we haven’t given you enough to worry about yet, the rise of the internet of things also poses a risk to retailers.
Smart devices that connect to the internet, collect data and anticipate users’ needs make life easier, but also are highly vulnerable to attack.
Consider this: “In June (2016), security researchers found that over 25,000 CCTVs (internet-connected closed-circuit TVs) were used to carry out a days-long DDoS attack against the website of a small U.S.-based jewelry shop,” Alvarez says. “Not only are retailers’ websites susceptible to IoT botnets, then, but the CCTV cameras installed in their brick-and-mortar stores can be compromised and used in IoT botnets to attack other targets.” The hackers had harnessed CCTVs in countries around the world for the attack on that one store’s website.
Alvarez continues: “There are lots of excellent new uses for IoT in the retail space, for example detecting shoppers’ location and behavior in stores. Harnessing and analyzing that kind of information help retailers deliver a smarter shopping experience to consumers. If we don’t build security into these applications, however, they might well have a negative impact on both the retailer and customer.”
Retailers also would be wise to ensure that the IoT devices they sell—from sleep trackers to smart beds—aren’t susceptible to attack and won’t put consumers at risk of hacks after the devices are purchased and taken home.
Free security tools for your business
You can spend a small fortune on cybersecurity but you don’t have to. There are plenty of free tools that can help protect your company against threats.
Steve Morgan, founder and chief executive officer of Cybersecurity Ventures in Menlo Park, California, recommends several tools especially helpful to small businesses in an Oct. 9, 2017, blog post on Entrepreneur.com. They include:
- Avast Free Antivirus (award-winning anti-virus protection)
- Ransim (ransomware simulator that shows a computer network’s vulnerability to attacks)
- Weak Password Finder (susses out weak employee passwords)
- SiteCheck (scans for “malware, website blacklisting, spam injections and website defacements”)
- ZoneAlarm Free Firewall (“manages and monitors all incoming and outgoing traffic and shields users from hackers, malware and other online threats”)
- ProtonMail (“secure end-to-end encrypted email accounts”)
Tips to keep your company safe
Here’s a checklist of policies and practices you can use to protect your networks and devices from cyberattacks.
- Use “multiple, overlapping and mutually supportive defensive systems,” advises Symantec, a provider of security products headquartered in Mountain View, California. These include firewalls, plus anti-virus and malware protection.
- Create a company policy for employees regarding computer, internet and email usage and security. Update it annually to address current threats.
- Employees should enable two-factor authentication when available—it’s offered on most email and social media apps.
- Make sure operating systems and software are up to date on all devices, including desktops, laptops, tablets and smartphones. Updates issued by providers often include security patches.
- In addition to backing up files and data on the company network, require employees to regularly back up any work-related files and information on their personal devices.
- Ensure sensitive information (e.g., confidential employee information like Social Security numbers, company data like bank routing numbers, and customer information like credit card numbers) is encrypted while being transferred and stored.
- If you have Wi-Fi in your stores, make sure to use the current WPA2 standard.
- Make sure your IT staff receives alerts for new vulnerabilities and potential threats and installs patches as soon as possible. Similarly, IT teams should monitor intrusion detection tools so breaches are detected quickly.
- If you are a small retailer without an IT team, use a reputable outside company that specializes in cybersecurity to ensure your protection is up to date and effective.
- If you allow customers to create accounts on your website, require them to create strong passwords. Lock any account after three to five failed login attempts. “Make error messages returned for all types of failed logins identical so attackers can’t tell whether a valid user ID has been used but a wrong password entered, or vice versa,” recommends IBM Managed Security Services in Somers, New York.
- Require employees to use strong passwords and to change them regularly. Employees shouldn’t share passwords or reuse them for different accounts. In general, passwords should be at least 10 characters long and include a mix of letters, numerals and symbols.
- Delete suspicious emails, particularly those that contain links or attachments. If you think a link might not be genuine, type the URL directly into a browser to ensure you are going to a legitimate website.
- Be wary of emails—especially those coming from inside your company and those from regular vendors or customers—that ask you to do something outside normal procedures and practices.
- Never reply to a suspicious email. If the email comes from someone you know and you want to double check its authenticity, draft a new email to the supposed sender, pulling the person’s email address from your own address book or your company directory instead of hitting “reply.” Or try something old-fashioned: Pick up the phone and call the person.
- “Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content,” Symantec cautions. “Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.”
- To combat business email compromise, or BEC, scams specifically, the FBI advises companies to confirm changes in vendor payment locations and fund transfers using two-factor authentication, meaning verifying the request by phone or requiring a second person to sign off on such actions.
- “Restrict access to POS system computers or terminals to prevent users from accidentally exposing the POS system to security threats on the internet,” IBM recommends. “POS systems should only be used online to conduct POS-related activities, not for general internet use,” IBM says.
- Don’t allow remote access to a POS system, or, if you must, require two-factor authentication for it.
- Segment POS networks. “Some companies choose to have one or two computers whose only role is to connect to POS machines. These machines are locked down to certain users and have a whitelist of internet websites they can contact.”
- Physically protect POS systems by disabling USB ports, putting card readers in highly visible, secure locations—and bolting them to counters.
- Don’t rely on default passwords that come with the systems. Use complex passwords and change them regularly.
Sources: Cybersecurity Ventures, ERPScan, FBI, Hitachi Systems Security USA, IBM Managed Security Services, Symantec, Travelers
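The customer-account advice in the checklist above (lock an account after a handful of failed logins, and return the same error whether the user ID or the password was wrong) is easier to get right when you see it in code. This is an added illustration, not code from Sleep Savvy, IBM or Symantec; the in-memory user record, the five-attempt threshold, the salted PBKDF2 hashing and the dummy record for unknown users are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

MAX_FAILED_ATTEMPTS = 5                       # article: lock after three to five failures
GENERIC_FAILURE = "Invalid username or password."  # one message for every failure path
PBKDF2_ROUNDS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; passwords are never stored in clear text."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

# Constructed in-memory user store standing in for a real database.
_SALT = os.urandom(16)
USERS = {
    "alice@example.com": {
        "salt": _SALT,
        "hash": hash_password("correct horse battery", _SALT),
        "failed": 0,
        "locked": False,
    },
}
# Dummy record: unknown usernames still pay the hashing cost, so response
# time does not reveal which usernames exist.
_DUMMY = {"salt": _SALT, "hash": hash_password(secrets.token_hex(16), _SALT)}

def login(username: str, password: str) -> tuple[bool, str]:
    """Return (success, message). Every failure returns GENERIC_FAILURE."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    candidate = hash_password(password, record["salt"])
    matched = hmac.compare_digest(candidate, record["hash"])  # constant-time compare
    if user is None or user["locked"]:
        # Unknown user and locked account look exactly like a wrong password.
        return False, GENERIC_FAILURE
    if not matched:
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True               # a correct password no longer helps
        return False, GENERIC_FAILURE
    user["failed"] = 0                          # success resets the counter
    return True, "Login successful."

def is_locked(username: str) -> bool:
    user = USERS.get(username)
    return bool(user and user["locked"])
```

A permanent lock can itself be used to keep legitimate customers out, so in production pair the counter with a timed or self-service unlock and log the lockouts so your IT staff sees them.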
Another level of protection
After you’ve protected your networks and devices and instituted strong cybersecurity policies for employees, you may want to take a final step of buying insurance.
Traditional business policies typically don’t cover cybercrime. In fact, San Francisco-based CyberPolicy, which advises companies on purchasing such coverage, estimates only 3% of small businesses carry insurance that protects against losses from cybercrime.
A comprehensive policy should cover both your direct costs and third-party costs. Direct costs include customer notification and credit monitoring, legal and PR services, recovery and restoration of corrupted and destroyed data, and reimbursement of lost income. Third-party costs are things like litigation and settlement expenses related to losses customers and vendors suffer if you unintentionally fail to protect their sensitive information. Separate crime policies, which generally cover financial losses from robbery, burglary and forgery, often cover the cybertheft of money through phishing and other means.
Check with your insurance agent or a broker who is well-versed in cyber insurance policies to make sure you have comprehensive coverage.
Julie A. Palm is chief wordsmith at Palm Ink LLC in Winston-Salem, North Carolina. She has 25 years of experience as a writer and editor for newspapers and magazines and as a publications director. She is a past editor in chief of both Sleep Savvy and BedTimes magazines. She can be reached at firstname.lastname@example.org.