Retailers are paying more attention to cybersecurity and increasing spending on data protection, but technology and threat vectors are evolving sufficiently fast that investments and effort haven’t truly translated into a more secure operating environment. Progress on one front or against one type of attack is frequently counterbalanced by new threats emerging elsewhere.
This year is likely to bring more of the same, suggested cyberexperts. Many are predicting that retailers will continue to be pressed to stay ahead of cybercrooks and online threats—and even holding ground will require resolve. The consensus seems to be that retail organizations can maintain their current level of protection against online threats, but only if they don’t take their foot off the gas. Specifically, retailers might give weight to the following broad areas of cyber risk identified by experts in interviews and recent analysis.
1. Align security strategy with reliance on third-party providers.
In an examination of holiday risks for retailers, Forrester analyst Allie Mellen noted that ransomware attackers like to hit always-on environments such as hospitals because they offer the best chance of a payday, and that retailers “fall right into this bucket” given their reliance on continuously running production systems and 24/7 customer traffic.
And pay they do. A survey by ThycoticCentrify released in late 2021 found that 83 percent of organizations hit by a ransomware attack gave in to attackers’ demands. Ransomware was a major driver of the steep rise in cyberattacks in 2021, with some estimates putting the growth in global ransomware attacks at 600 percent.
Increasingly, though, cyberattacks like ransomware can impact retailers without being the initial target. Third parties are playing a growing role in supporting digital retail operations, especially as retailers made a quick pivot to online during the pandemic. While important business assets, vendors can also present a threat to security.
Third-party providers and cloud-based solutions are frequently relied upon for a host of omnichannel services, from running loyalty programs to supply chain tracking. Because these providers hold deep, standing access, an intrusion that arrives through one of them looks like legitimate vendor activity and can go undetected by traditional tools that flag anomalous network behavior.
The SolarWinds hack disclosed in December 2020 was an example of the danger and a “moment of reckoning,” according to Microsoft Corporate Vice President of Security Vasu Jakkal. She said the attack, in which a backdoor was delivered to customers inside a trusted, signed platform update, was not an outlier, and she warned that such attacks were going to become more sophisticated in the years ahead. “This is going to be the norm,’’ she told ZDNet in 2021. It is estimated that 30 percent of organizations impacted by the attack did not even have a direct link to SolarWinds.
Retailers have traditionally focused on protecting their internal systems and processes, but their exposure now hinges on the security of others. Retailers must account for these interdependencies by scrutinizing the security of their software supply chain and third-party providers more closely. Experts advise testing software updates in an isolated staging environment before they are deployed, and caution against installing updates the moment they arrive, since an update can carry malicious code even when it comes from a trusted vendor. In short, adopt a zero-trust model: vendor software, vendor connections and vendor accounts get no implicit trust and are verified and monitored like any other access.
Increasingly complex and digitized supply chains offer a way into retail organizations, and the route is made more attractive because retailers often limit security testing to their immediate network environment, according to John Sawyer, director of red team services at IOActive. He is one of several cyberexperts making the case that companies should expand penetration testing to the software supply chain in 2022 and use adversary simulation to surface hidden risks.
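To make the “test before you install” advice concrete, here is an added example of an update gate, written for this page and not taken from the article or from any vendor or researcher quoted in it. It assumes a hypothetical vendor that ships each release with a manifest listing the SHA-256 of every file, and that the manifest is authenticated; the authentication here is an HMAC-SHA256 with a key assumed to be shared out of band, a stand-in for the asymmetric signature a real vendor would use, chosen only so the script runs on the Python standard library. The 72-hour staging soak, the file names and the file contents are all constructed for the demonstration.

```python
"""Added example: gate a vendor update before it reaches production.

Refuses an update when the manifest is not authentic, when any file differs
from what the manifest lists, when extra unlisted files appear, or when the
build has not soaked in a staging ring for long enough.
"""
import hashlib
import hmac
import json

# Assumption (not in the article): vendor and retailer share this key out of band.
# A real vendor would sign the manifest with an asymmetric key (e.g. Ed25519);
# HMAC-SHA256 is used here only to keep the example standard-library-only.
VENDOR_KEY = b"constructed-shared-key-for-demo"
REQUIRED_SOAK_HOURS = 72  # assumption: minimum time an update sits in staging


def _canonical(body: dict) -> bytes:
    """Serialise the manifest body deterministically so the MAC is reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(body: dict, key: bytes) -> dict:
    """Vendor side: manifest body plus a MAC over its canonical form."""
    return {"body": body, "sig": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def manifest_is_authentic(signed: dict, key: bytes) -> bool:
    """Retailer side: recompute the MAC and compare in constant time."""
    expected = hmac.new(key, _canonical(signed["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


def check_update(signed: dict, artifacts: dict, key: bytes, staged_hours: int):
    """Return (ok, reasons). All findings are collected, not just the first.

    An inauthentic manifest is rejected outright: its file list cannot be trusted,
    so there is no point hashing against it.
    """
    if not manifest_is_authentic(signed, key):
        return False, ["manifest signature invalid; refusing to read file list"]
    reasons = []
    listed = signed["body"]["files"]
    for name, digest in listed.items():
        data = artifacts.get(name)
        if data is None:
            reasons.append(f"missing artifact: {name}")
        elif hashlib.sha256(data).hexdigest() != digest:
            reasons.append(f"hash mismatch: {name}")
    for name in artifacts:
        if name not in listed:
            reasons.append(f"unlisted artifact: {name}")
    if staged_hours < REQUIRED_SOAK_HOURS:
        reasons.append(f"soak time {staged_hours}h below required {REQUIRED_SOAK_HOURS}h")
    return not reasons, reasons


def build_sample_release():
    """Constructed sample: a clean vendor release and its signed manifest."""
    artifacts = {
        "agent.dll": b"constructed clean agent build 2.4.1",
        "agent.conf": b"ring=prod\nupdate_url=https://updates.example.invalid/\n",
    }
    body = {"version": "2.4.1",
            "files": {n: hashlib.sha256(d).hexdigest() for n, d in artifacts.items()}}
    return sign_manifest(body, VENDOR_KEY), artifacts


def demo():
    """Run the gate over a clean, a trojanised, a forged and a rushed release."""
    signed, artifacts = build_sample_release()
    clean = check_update(signed, artifacts, VENDOR_KEY, staged_hours=96)

    # Build-pipeline compromise: the binary is altered after the manifest was signed.
    trojaned = {**artifacts, "agent.dll": artifacts["agent.dll"] + b"; beacon to c2"}
    tampered = check_update(signed, trojaned, VENDOR_KEY, staged_hours=96)

    # The attacker also rewrites the manifest to match, but cannot re-sign it.
    forged = {"body": {"version": "2.4.1",
                       "files": {n: hashlib.sha256(d).hexdigest() for n, d in trojaned.items()}},
              "sig": signed["sig"]}
    forged_result = check_update(forged, trojaned, VENDOR_KEY, staged_hours=96)

    # Genuine build, but pushed to production before it has soaked in staging.
    rushed = check_update(signed, artifacts, VENDOR_KEY, staged_hours=4)
    return clean, tampered, forged_result, rushed


if __name__ == "__main__":
    for label, (ok, reasons) in zip(("clean", "tampered", "forged", "rushed"), demo()):
        print(f"{label}: {'install' if ok else 'REFUSE'} {reasons}")
```

The gate deliberately collects every finding rather than stopping at the first, so an operator sees the full picture in one run; the one exception is a bad manifest signature, which invalidates the file list itself. Rejecting unlisted files matters as much as hash-checking listed ones: a trojanised release often adds a file rather than modifying one.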
2. Strike the right balance between enhanced security and customer ease-of-use and recognize security as the foundation on which many future sales strategies must be built.
When it comes to customer‑facing security, the results of a new survey suggest that retailers may think they’re in a no-win situation. Retailers, restaurants, and hospitality businesses were surveyed by Hanover Research for FreedomPay and Cornell’s Center for Hospitality Research, and 91 percent think customers deeply care about cybersecurity. Another 86 percent believe strong cybersecurity increases customer loyalty.
However, results of the Cybersecurity Attitudes and Usage Survey also suggest security’s potential downside. Some 65 percent of retail companies think customers are annoyed by extra security measures, and 67 percent believe that customers demand easy-to-use systems.
The report recommends that merchants keep software and firmware up to date, lobby for government involvement in fighting cyber threats, and make cybersecurity visible to customers. More money may also be needed. The balancing act between security and convenience requires strategic investment, but half of the retailers and other companies surveyed admit to stagnant IT security budgets.
When weighing security investments, retailers should factor in that customer confidence in their cybersecurity is foundational to emerging sales strategies.
Case in point: There is a growing interest in location data sharing via smartphone, by which a retailer accesses customers’ geographic locations in a store, tracks their movements, and permits a store’s mobile app to push meaningful, personalized services to customers. Such targeted offerings are more valuable and useful for both customers and retailers, and “a successful personalized retail offering improves customers’ loyalty,” noted a study by the Australian Retailers Association in October 2021 titled Customers’ attitudes toward in-store location sharing prompts and its influence on purchase decision making.
One obstacle is that sharing personal data with retailers makes customers worry about losing their privacy. A 2018 PwC study found that 87 percent of US customers doubt that retailers can effectively manage their personal data, and half do not trust retailers’ new technologies such as location tracking. “Thus, it is crucial to reduce customers’ privacy concerns if retailers want their customers to share their location data,” concluded the Australian Retailers Association study.
How do you get there? Robust cybersecurity is one of the key factors in helping retailers capitalize on this and other innovative sales strategies. Building trust is the key to encouraging customers to grant location sharing, and “One way to build trust is to communicate to customers that the retailer sets cybersecurity and privacy as the forefront of business strategy and implements robust governance and privacy protection policies,” the report explained.
3. Map cybersecurity metrics to relevant business objectives.
Cybersecurity metrics offer a critical pathway to continuous improvement and help illuminate vulnerabilities that can result in data exploits, but it is a problem when organizations rely exclusively on what they can measure to guide their activities, warned Noah Simon, senior director of product marketing at Axonius, in a recent security industry webinar, “Cybersecurity Metrics: The What, Why, and How of Measurement.”
Simon advocates an idea that is popular among industry leaders—that organizations include on their metric dashboards the metrics that are needed but are not available, and to mark that in some manner to signal an area of elevated risk. “For many companies, identifying gaps is a great place to start,” said Simon. “Putting together a laundry list of items that can’t be measured today—but should be—is an important starting point.”
As for cybersecurity metrics themselves, Simon explained that focusing on the why is incredibly important:
- Is the metric to show the strengthening of a security posture?
- To demonstrate that the security team is getting more efficient?
- To show a specific initiative is having positive results?
He said he sees a need for more metrics gathering in areas that affect the business as a whole. “Metrics need to be more about business impact and less specific to only the security program,” he said. They should also be driven by what executives want to measure and what they care about. Incident cost is a commonly used and illuminating metric; one simple way to calculate it is the hours spent detecting and fully resolving an incident multiplied by the combined hourly cost of the staff involved in the investigation.
4. Lift cybersecurity awareness to match exposure.
Just about every large organization and major employer in every industry is relying more on remote workers. According to Unisys’ 2021 Security Index, hybrid and remote work became “the new normal” in 2021, with nearly two-thirds of workers (62 percent) working remotely at least part time. Many workers who can are likely to continue remote work even after the pandemic, and there are suggestions that their level of security awareness needs to improve to prevent putting their employers at risk. “The survey identified a widespread lack of consumer awareness on avoiding and addressing online threats,” the survey report concluded.
Among the findings: 39 percent of people report not being wary of clicking on suspicious links, and 45 percent have downloaded or installed software not approved by their IT department. That is a problem because, while most organizations have security controls in place, unauthorized software and apps can bypass those controls or open holes in them. “Everyday employee tasks like opening an attachment can have serious consequences if employees aren’t paying attention to the source,” warned Leon Gilbert, senior vice president and general manager for Unisys’ Digital Workplace Solutions.
Remote workers do not even need to be at their home office desks to pose a risk. According to the Cyber Center for Security and Analytics at the University of Texas at San Antonio (UTSA), attacks on smart devices increased during the pandemic. UTSA’s Elias Bou-Harb said remote work is a boon to hackers, who can pivot from a compromised home smart device to a computer on the same home network that logs into an organization’s systems.
Some analysts express surprise that despite more breaches touching people individually, they haven’t grown much more vigilant about security processes when functioning as employees. Some suggest that organizations should be investing more in training to help employees know what they should and shouldn’t be doing, and to be aware of the risks so they can alert security teams if they spot anything suspicious. As such, many advocate putting processes in place that simplify reporting.
5. Think about 2030 risks while mitigating 2022 threats.
In its Project 2030 whitepaper, analysts from Europol’s European Cybercrime Centre and Trend Micro note that in the coming age of the Massive Internet of Things (MIoT) and 5G, “Threats aimed at things will have billions more connected targets,” and successful cyberattacks will result in disruption to manufacturing and logistics, transportation, and retail, among other industries. Even appreciation of “insider threats” may need to evolve. “Hitherto understood to refer to a human’s risk to an organization, the insider threat of 2030 could just as easily be an object or an algorithm.”
Compounding the 2030 cyber challenge will be growth in the burgeoning Crime as a Service (CaaS) market. “We may expect to see illicit retail of AI-enabled tools that offer individuals with little or no specialist technical skill the opportunity to run a cybercriminal enterprise,” according to the report.
These and other future risks can be obscured, however, by the myriad current challenges that tend to drive cyberdefense strategy, according to Rik Ferguson, vice president of security research at Trend Micro. As companies move away from data-center-centric usage patterns to cloud usage patterns and explore new ways to conduct business and communicate, “Security response is in this constant firefighting mode.”
While companies cannot ignore the threats in front of them, they also need to see how future predictions of cyber threats match up against retail operations. This vision allows a company “to see which technology areas are worthy of more strategic investment, which require further planning, and maybe even areas where you don’t need to focus as much as you perhaps thought you did,” Ferguson advised during a 2021 RSAC conference presentation, “Scenarios for the Future of Cybercrime.”