This article is for the Professionals
Sign up to Inside Retail Professional now for only $4 for your first three months.
That's an 85% discount plus you’ll get FREE access to all Masterclasses during Retail Week. 5 retail industry leaders like you’ve never seen them before.Already a professional? Log in
In order to better protect your business from a cyber-attack, here are some of the areas that cybercriminals commonly look to exploit along with solutions to help minimise your vulnerability.
Cloud security and data protection
A surge in online activity has forced retailers to scale their digital capabilities and adopt cloud solutions to help store their data. These new tech solutions often have unknown risks and bugs that can be exploited by cyber criminals to steal data. To prevent this, you need to ensure that you prioritise data security and governance when adopting cloud solutions to mitigate the risk of a data breach.
POS system attacks
Point of sales systems are often the weakest link in a retailer’s network infrastructure due to security updates and patches often being overlooked by owners who opt for basic antivirus software that doesn’t meet a high security standard. Cyber criminals are always looking for the path of least resistance and targeting these systems gives them easy access to install malware and steal financial data stored in your system’s temporary memory. They can also use keyloggers to record keystrokes in order to capture card data before it’s encrypted.
To help prevent these sorts of breaches, you should strive to achieve real-time visibility of your POS system in order to stop any suspicious or unnecessary activities that may be harmful. Another solution is to install technology that can whitelist processes that are authorised, and detect and shut down any other process before execution.
Supply chain attacks
Retailers tend to work with a number of vendors to support different aspects of their operations but with this comes an increased cyber security risk as even a single vulnerable access point at one vendor can lead to a supply chain attack, jeopardising a number of your systems and networks.
Supply chain and third-party attacks are rising and highlight just how careful you need to be when dealing with information security. Security audits of external providers and partners can help you stay on top of any vulnerabilities that may be exploited in the future by malicious actors along with ensuring third party suppliers are compliant with the latest regulatory framework.
According to a report by Imperva, a quarter of the internet traffic is made up of bad bots. Bad bots mimic legitimate users in the way that they interact with websites, making them harder to detect and prevent. They enable high-speed abuse, misuse, and attacks on websites, mobile apps, and APIs. Cyber criminals can utilise bots to carry out attacks such as denial of inventory, scalping, scraping and credential stuffing to name a few.
Different types of bot attacks
Denial of inventory
In this type of attack, the bot adds items from an online store to the cart, but never completes the purchase. The result is that inventory gets used up, and legitimate shoppers may get an “out of stock” message.
Similar to denial of inventory attacks, scalping consists of bots purchasing limited edition items that are on sale for a finite period of time to prevent legitimate users purchasing them and proceeding to sell them for a higher price.
Web scraping is an automated bot threat where cybercriminals collect data from your website for malicious purposes, such as content reselling and price undercutting.
During credential stuffing attacks, malicious bots take stolen credentials (usernames and passwords) from one site and attempt to log in to other sites. Credentials are typically obtained after a massive data breach, and the stolen data is either published online or sold.
To prevent a bot attack, retailers should utilise CAPTCHA or block outdated user agents or browsers; block known hosting providers and proxy services; investigate all traffic sources and suspicious spikes in traffic; monitor for failed login attempts by users and finally pay attention to public data breaches involving leaked login credentials that might be used against your website in a bot attack.
Basic cyber hygiene principles
Along with paying attention to the area’s most at risk, cyber security has some basic hygiene principles that you can follow to help further protect yourself and your customers’ personal and financial information.
Basic password hygiene and multifactor authentication can go a long way towards a better-protected system. Passwords to your website’s backend and warehouse systems should be rotated at the very least every 60 days and should be at least eight to 10 characters long, have at least one number, one capital letter, and one special character.
Some common examples of multifactor authentication include an SMS message, phone call, or authenticator app to verify a browser login. Other verification factors could include personal questions, or even a physical object such as a security token or a bank card. Consider which option makes sense for your business, and ensure all staff are aware of why the process is in place and how it works.
No shared accounts
Every staff member should have their own account for your retail store’s backend, with their own unique user ID and password, so that there is no need to share passwords between staff members. Any shared accounts should be removed and replaced with individual accounts, and each individual account should have its password updated regularly.
The same should be true of any external IT, supplier, or web development support staff. If you have five external support staff, all staff must have a unique ID and password with MFA enabled for each person. This means that every time someone accesses your store’s backend, you can track exactly when, where, and who it was accessed by.
Train your team to spot the risks
All staff members must be made aware of the risks presented by cyber-attacks, and to be given the appropriate training to combat them. For example, compromised business emails are a very common and persistent threat to organisations big or small.
Storytelling by sharing examples based on the roles and responsibilities of your staff members is an effective way to grow cyber safety awareness. Constructing your training around scenarios your employees can actually visualise and will give them an appreciation for the huge consequences a cyber security attack can bring.
For example, when training finance and accounting teams, try using case studies of businesses that have been caught up in an email compromise that has led to funds being transferred to fraudulent bank accounts.
An attacker might use a technique called typosquatting, where the scammer uses a lookalike name. Google.com might become Goog1e.com or Gooogle.com, with the scammer hoping the victim may miss the spelling mistake and assume the email is legitimate.
In order to deeply ingrain the importance of cyber security into your business, staff should have a good understanding of the different types of cyber-attacks and how they can happen. Some of the most common forms of attack include malware, phishing, ransomware, trojan, keystroke logging, an insider threat, drive-by download, spear phishing, and person-in-the-middle attacks. Ensure your team understands each type of threat, and has a clear idea of what an attack might look like for your specific store.
Without the right training in place, it’s far more likely that staff would overlook these small inconsistencies and open a malicious link and with scammers getting more and more sophisticated, the risk is only increasing over time.
The goal is to embed cyber security awareness deep into the very heart of your retail business, so that you and your staff are better equipped to stop attackers before they get a chance to bring your store to its knees.