Cybersecurity Retail Risk Trends to Watch for Now and in 2023
Cybersecurity attacks against businesses are unrelenting, and while retail and ecommerce teams typically focus on fraud prevention, they are often targets of other digital attacks as well. For example, the 2022 Verizon Data Breach Investigations Report (DBIR) documented 241 confirmed retail data breaches in 2021, resulting in stolen credentials, personal information, and payment data. At the same time, 56% of Merchant Risk Council members reported phishing attacks in 2022, and a successful phish can lead to data theft, malware infections, and fraud.
These cybercrimes have costly consequences for businesses. The average cost of a data breach worldwide in 2022 is $4.35 million, a figure that could easily put a smaller retailer out of business and create budgetary problems for a larger retailer. These numbers show why it’s so important for ecommerce businesses and retailers to maintain a culture of security that includes — but also goes beyond — fraud prevention.
A focus on security is important for retailers of all sizes, even small ones. Attackers prefer targets they believe have weak or outdated security, which often means smaller businesses that lack the resources for a large in-house security team. For example, the DBIR found that of 629 documented incidents against retailers, 157 targeted companies with fewer than 1,000 employees, compared to 68 incidents aimed at retailers with more than 1,000 employees (the size of the other 404 companies wasn't known).
Among confirmed breaches at retailers whose size was known, 54 companies had fewer than 1,000 employees, compared to 35 larger companies. Smaller retailers, therefore, can't assume that their size or lower profile compared to major retailers will protect them. There is no "security through obscurity" for B2C companies.
Common cybersecurity attacks on retailers
The DBIR lists system intrusion, social engineering, and web app attacks as the most common attack patterns involved in retail data breaches in 2021. Once attackers made it into their victims' systems, their most common actions were hacking and launching malware, especially malware designed to scrape payment data from web apps. This kind of attack can lead to costly brand damage and loss of customer trust. 84% of online shoppers in five countries surveyed by ClearSale in March 2021 said they would never shop again with a website that allowed a fraudster to use their credit card information.
Payment-scraping malware is best caught by continuously scanning the storefront for scripts that were not part of the deployed build, comparing each capture of the page against a known-good baseline, and removing injected code as soon as it is detected. Browser-side controls such as a Content Security Policy and Subresource Integrity hashes on third-party scripts limit what injected code can load in the first place. Malware prevention also relies on employees who are educated about email threats and how to avoid them.
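The baseline comparison described above, as an added example that is not code from the original article or from any product it mentions. The two HTML documents are constructed stand-ins for a known-good capture of a checkout page and a later capture of the same page; a real deployment would fetch the live page on a schedule and build the baseline from a known-good release. External scripts are compared by host and path, so a cache-busting query string does not raise an alert, while inline scripts are compared by hash.

```python
"""Scheduled check for scripts that were not part of the deployed storefront.

Added example, not code from the original article. The two HTML documents
below are constructed stand-ins for a known-good page capture and a later
capture of the same page; in practice the page is fetched on a schedule.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script references and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def script_key(src):
    """Host and path only: a cache-busting query string is not a change."""
    parsed = urlparse(src)
    return (parsed.netloc.lower(), parsed.path)


def inline_hash(body):
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_baseline(html):
    """Record the script set of a known-good capture of the page."""
    c = ScriptCollector()
    c.feed(html)
    return {script_key(s) for s in c.external}, {inline_hash(b) for b in c.inline}


def audit_page(html, known_external, known_inline):
    """Return every script on the page that the baseline does not account for."""
    c = ScriptCollector()
    c.feed(html)
    findings = []
    for src in c.external:
        if script_key(src) not in known_external:
            findings.append(("unknown_external_script", src))
    for body in c.inline:
        digest = inline_hash(body)
        if digest not in known_inline:
            findings.append(("unrecognised_inline_script", digest[:16]))
    return findings


# Constructed known-good capture of the checkout page.
GOOD_PAGE = """<html><head>
<script src="/static/app.js?v=42"></script>
<script src="https://js.payments.example/checkout.js"></script>
<script>window.shop = {currency: "USD"};</script>
</head><body><form id="checkout"></form></body></html>"""

# Constructed later capture: app.js was legitimately re-versioned, but a
# script from an unknown host and a changed inline block have appeared.
LATER_PAGE = """<html><head>
<script src="/static/app.js?v=43"></script>
<script src="https://js.payments.example/checkout.js"></script>
<script src="https://cdn.static-assets-example.net/s.js"></script>
<script>window.shop = {currency: "USD"}; window.__t = 1;</script>
</head><body><form id="checkout"></form></body></html>"""


def run_demo():
    """Audit the later capture against a baseline built from the good one."""
    known_external, known_inline = build_baseline(GOOD_PAGE)
    return audit_page(LATER_PAGE, known_external, known_inline)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"{kind}: {detail}")
```

The check reports two findings for the later capture: the script from the unknown host and the modified inline block. The re-versioned app.js is not reported, which keeps the alert useful on a site that deploys often. Any finding should be treated as a possible skimmer until someone confirms the change came from a release.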
Provide security awareness training for retail employees
Social engineering attacks can take many forms, including multiple varieties of phishing. One common mode of attack is to impersonate a professional service that many businesses rely on, like Microsoft, Gmail, or a shipping company. The attackers send emails that carry the company's logo and a display name matching the real company, even though the sending address belongs to a domain the attackers control, along with a request to log in for a policy update, password change, or some other "critical" task. Then they use the stolen credentials to commit fraud, spread malware, or steal protected information.
Encourage your employees to report any suspicious emails to your security team before they click on any links or open any attachments. When your security analysts find phishing emails, they can save them to use in training so that your employees can see exactly what to look out for and what types of attacks are trending now.
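A first-pass triage of a reported email, as an added example that is not code from the original article. It applies the tell described above: a display name or mailbox name that claims a well-known brand while the actual sender domain, or the hosts linked in the body, belong to someone else. The brand-to-domain table and both messages are constructed, and the messages are assumed to be single-part plain text; a real deployment would use the company's own list of providers and run on mail forwarded to the security mailbox.

```python
"""Triage of a reported email for brand impersonation.

Added example, not code from the original article. The brand-to-domain table
and both messages are constructed; messages are assumed to be single-part
plain text as they would be after forwarding to a security mailbox.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: brands employees expect mail from, and the domains those
# brands really send from. Suffix matching below is deliberate: it accepts
# login.microsoftonline.com but rejects microsoft.com.verify-login.example.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "google": {"google.com", "gmail.com"},
    "fedex": {"fedex.com"},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_matches(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def claimed_brands(display_name, local_part):
    """Brands named in the visible display name or the mailbox name."""
    text = f"{display_name} {local_part}".lower()
    return [b for b in BRAND_DOMAINS if b in text]


def assess_message(raw):
    """Return reasons the message looks like brand impersonation; [] if none."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    local_part, _, sender_domain = addr.rpartition("@")
    reasons = []

    brands = claimed_brands(display_name, local_part)
    for brand in brands:
        if not domain_matches(sender_domain, BRAND_DOMAINS[brand]):
            reasons.append(f"From claims {brand} but sender domain is {sender_domain!r}")

    # A Reply-To pointing somewhere other than the sender is a second tell.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain.lower():
        reasons.append(f"Reply-To goes to a different domain: {reply_to}")

    # Links in a message that claims a brand should land on that brand's domains.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        for brand in brands:
            if not domain_matches(host, BRAND_DOMAINS[brand]):
                reasons.append(f"link to {host!r} while claiming {brand}")
    return reasons


# Constructed phishing sample: brand in the display name, attacker domain
# in the address, and a look-alike host in the link.
PHISHING_SAMPLE = """From: Microsoft 365 Security <alerts@m365-verify-account.example>
To: staff@shop.example
Subject: Action required: password policy update

Your password expires today. Sign in at
https://microsoft.com.verify-login.example/update to keep access.
"""

# Constructed legitimate sample for comparison.
LEGIT_SAMPLE = """From: FedEx Shipment Notice <tracking@fedex.com>
To: staff@shop.example
Subject: Your shipment is on its way

Track your package at https://www.fedex.com/tracking
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, assess_message(sample) or "no impersonation indicators")
```

The phishing sample produces two reasons (sender domain and link host), the legitimate one produces none. Anything this flags is still a candidate for the analyst's queue rather than a verdict; the value is that the same reasons, quoted back to employees in training, show exactly what to look at in the From line and the links.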
Review your access control management policies and practices
The pandemic pushed many retailers to a work-from-home model for some or all of their employees. The result is that people may be accessing company systems from a variety of devices, over many different networks. This approach can increase the risk that an attacker — perhaps someone who launched a successful phishing attack or who intercepted a communication over a public Wi-Fi network — can access those company systems and move between them causing damage and stealing data.
If your company has policies on what types of devices and networks employees can use to log in to work, it might be worth reviewing them to see if they need updating. If your business has no such policy, it's time to start creating one. Ideally, your employees would only use company-issued devices and log in over a company VPN. At a minimum, they should avoid working over unsecured Wi-Fi networks and make sure their home router's default password has been changed. Whatever the device policy, require multi-factor authentication on remote logins so that a password stolen through phishing is not enough on its own to get in.
Your company's IT person or team can also review who has access to each of your company's systems and then set appropriate controls based on job role or department, so that each account has only the access its job requires. For example, your warehouse team does not need access to your company's financial database, and your entry-level employees don't need access to your executive team's files. Setting these controls and removing employees' access completely when they leave the company can prevent intrusions from spreading and avoid internal breaches.
It's also wise to periodically review the settings on all your company's software, operating systems, cloud storage, and hardware to ensure that nothing is exposed publicly and access is limited to the employees who are authorized to use it. More than 10% of 2021 breaches were caused by errors including misconfigured cloud storage, per the DBIR.
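The two reviews just described, access by role and storage exposure, as one added example that is not code from the original article. The role table, HR feed, and access export are constructed; the storage check reads an AWS-style bucket policy document, which is an assumption about the cloud provider, with a placeholder account ID. The access review reports three things that a quarterly review should catch: a grant outside the user's role, a departed employee whose access was never removed, and an account with access that the HR feed does not know at all.

```python
"""Periodic access review: grants outside role, stale offboarding, public storage.

Added example, not code from the original article. All data below is
constructed; the bucket policy uses the AWS policy document format (an
assumption about the provider) with a placeholder account ID.
"""
import json

# Constructed: which systems each job role is allowed to reach.
ROLE_SYSTEMS = {
    "warehouse": {"wms", "email"},
    "finance": {"erp-finance", "email"},
    "executive": {"exec-share", "erp-finance", "email"},
}

# Constructed HR feed; "active": False means the person has left.
EMPLOYEES = {
    "asha": {"role": "warehouse", "active": True},
    "ben": {"role": "finance", "active": True},
    "cal": {"role": "warehouse", "active": False},
}

# Constructed export of (account, system) pairs from each system's access list.
GRANTS = [
    ("asha", "wms"),
    ("asha", "erp-finance"),
    ("ben", "erp-finance"),
    ("cal", "wms"),
    ("dee", "exec-share"),
]


def review_grants(employees, role_systems, grants):
    """Return every grant that the role table or the HR feed does not justify."""
    findings = []
    for user, system in grants:
        emp = employees.get(user)
        if emp is None:
            findings.append(("unknown_account", user, system))
        elif not emp["active"]:
            findings.append(("offboarded_user_still_has_access", user, system))
        elif system not in role_systems.get(emp["role"], set()):
            findings.append(("access_outside_role", user, system))
    return findings


def public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to anyone.

    A Principal of "*" (or {"AWS": "*"}) with no Condition is the classic
    misconfiguration that turns a private bucket into a public one.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        anyone = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if anyone and not stmt.get("Condition"):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


# Constructed bucket policy: one public statement next to a properly scoped one.
BUCKET_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shop-exports/*"},
    {"Sid": "FinanceOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/finance"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shop-exports/*"}
  ]
}"""

if __name__ == "__main__":
    for finding in review_grants(EMPLOYEES, ROLE_SYSTEMS, GRANTS):
        print(*finding)
    print("public statements:", public_statements(BUCKET_POLICY))
```

Running the review lists asha's finance access, cal's lingering warehouse access, and the unknown account dee, and names "PublicRead" as the statement that exposes the export bucket. The useful habit is to run this from exports the systems themselves produce rather than from a spreadsheet someone maintains by hand, since the spreadsheet is usually what drifted.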
Preventing attacks that can lead to data breaches, fraud, and brand damage requires an ongoing commitment to thinking about security and talking about it with your employees. While retailers are rightly concerned with preventing transaction fraud, it’s important to build and maintain a company culture focused on the full range of security awareness and best practices.