Holiday shopping is still happening even in this pandemic year — and not only online. Although the typical Black Friday and Cyber Monday crowds never appeared, the National Retail Federation expects brick-and-mortar retailers to reach $550 billion in holiday sales in November and December.1 This month, shoppers who are tired of staying home and are encouraged by the arrival of the COVID-19 vaccine could again choose to hit nearby retail stores for some last-minute gifts for friends and family.
Although e-commerce sites are frequent targets of cyberattacks, few people think twice about the safety of shopping in a store. But brick-and-mortar shops also need to be cyber smart because cybercriminals do target offline retailers. In August 2019, supermarket chain Hy-Vee disclosed a point-of-sale (POS) system security breach that exposed the payment details of 5.3 million payment cards.2 The popular retail chain Target was the victim of a POS attack in 2013 that exposed the payment card data of 40 million holiday shoppers.3
How Do Cyberattacks and Data Breaches Hurt Brick-and-Mortar Retailers?
Data hacks like these not only tarnish brands, but they also have huge financial costs. Cybercriminals used POS malware to steal the transaction data of 40 million Home Depot customers in 2014. This year, Home Depot paid $15.5 million to settle claims over the data breach.4
Why Do Hackers Target Brick-and-Mortar Retailers?
To prepare their networks adequately against cyberthreats during the holiday shopping season, brick-and-mortar store owners need to know why hackers target retailers.
Retailers collect personal and payment details of their customers, such as names, addresses, and credit and debit card data. Hackers target retailers for this sensitive information gathered during sales transactions. Hackers can sell payment card data and personally identifiable information (PII) for millions of dollars in underground markets.5
Hackers also attack businesses to extort ransoms after compromising their data or disrupting their operations. Business owners often pay the ransom so that the cybercriminals will take down stolen data from leak sites and restore operations. Malicious actors may also target retailers for cyber espionage purposes.6 They may seek competitive secrets about supply chain and distribution networks, pricing, and financial information.
What Makes Brick-and-Mortar Stores Vulnerable to Cyberattacks?
The five most common vulnerabilities that make storefront retailers easy targets for cybercriminals are:
1. Unsecured POS Systems
Hackers can easily exploit an unpatched, unsecured POS system with malware designed to steal payment card and financial data. Sophisticated malware can also move laterally and infect a retailer’s IT network and critical databases.
2. Legacy Computer Software and Outdated Business Applications
It’s not unusual for retailers to run their systems and processes on legacy software. Using outdated or unsupported software and applications is a security risk. If there are vulnerabilities in legacy software, no patches or security updates will be available for them, leaving a retailer’s network vulnerable to major attacks.
3. Uninformed, Inexperienced Employees
Employees can turn into liabilities instead of assets if a retail store owner fails to train them in cybersecurity best practices. Some of the human errors that weaken a retailer’s security posture are unauthorized use of the company’s digital resources, like using devices for non-work purposes, and storing sensitive information in data sticks without password protection. Cybercriminals are also aware of these potential weak links, and they deploy phishing and social engineering tactics targeting employees to infiltrate networks.
4. Insider Threats
The retail industry has a high employee turnover rate, and it also relies on seasonal employees during busy periods like the holiday shopping season. Disgruntled former and current employees can steal sensitive information and sell it themselves or be lured by hackers to grant backdoor entry into a retailer’s network.7 A PwC report estimates that current and former employees are the likely sources of 30% and 26% of security incidents affecting organizations, respectively.8
5. Third-Party Risk
Retailers provide suppliers, distributors, contractors, and consultants with trusted access to their ecosystem. The security practices of these third-parties might not be robust enough. The PwC report cited above attributes 19% of security incidents to third-parties. Sophisticated attack vectors that gain access to an affiliate’s network can also spread to the retailer’s assets.
How Can Brick-and-Mortar Retailers Protect Themselves Against Cyberthreats?
Retailers need to ward off cybersecurity threats not just to protect their customers’ sensitive data and PII but also to ensure business continuity. To secure their critical assets and avoid falling victim to a cyber incident during the busy holiday shopping season, these are the steps that brick-and-mortar retailers should take.
1. Protect POS Systems with Efficient Endpoint Security
While PCI-DSS principles go a long way in protecting customer card data, an endpoint security solution like ColorTokens Xprotect provides more meticulous protection to retailers. Xprotect enables security teams to lock down infected POS systems using application whitelisting technology that allows only authorized processes to run. Enabling process lockdown can protect POS systems from zero-day attacks, file-less malware, advanced persistent threats (APTs), and ransomware.
2. Train Staff and Manage Third-Party Risks
Retailers should educate their staff about cybersecurity best practices to make them aware of device usage policies, data encryption requirements, and phishing attacks. Store owners can manage third-party risks by verifying the security posture of affiliates. They should bring onboard entities only after they complete the required cybersecurity certifications.
3. Control Access with Zero Trust Security
Retailers need to implement stringent data access controls to protect against known and unknown threats. Adopting zero trust principles is a proactive security approach. It minimizes the attack surface and limits access to data and applications only to authorized and authenticated users. ColorTokens Xtended ZeroTrust™ Platform helps retailers comply with regulatory mandates and protects their networks from insider threats.
4. Gain Visibility into Network Traffic
Without visibility into East-West server traffic, it is almost impossible to detect hackers once they gain access to the network. ColorTokens Xshield provides granular visibility and control over network communications and server traffic. With cross-segment traffic visibility, a retailer’s security team can detect suspicious behavior and inspect affected systems or applications. Complete visibility also simplifies PCI-DSS compliance and reduces the scope of audits.
5. Isolate and Protect Critical Assets with Micro-Segmentation
Retailers should secure sensitive and critical assets — such as POS systems, cardholder data, servers, CRM, and databases — by isolating them with the help of micro-segmentation. In the event of a breach, the security team can isolate these critical assets and block lateral movement, effectively reducing the attack surface. ColorTokens Xshield enables software-defined micro-segmentation that creates logical segments without complex rules and configuration.
Since people still ventured out to shop on Black Friday and Cyber Monday, brick-and-mortar stores should be prepared to see holiday shoppers in their shops. Retailers should also prepare to protect their brands and their businesses by adopting the proactive zero trust security model, which encompasses micro-segmentation, granular access control, and continuous monitoring of network traffic. Zero trust security can help retailers reduce their attack surface and protect their networks from inside and outside threats.