The retail industry has experienced a seismic shift in recent years, instigated by the COVID-19 pandemic and fueled by other industries rapidly digitizing their organizations. Adapting their businesses to e-commerce models was a lifeline for many retailers, but it also came at a cost: the broader the attack surface, the greater the vulnerability. Retail is ripe for the picking; it’s one of the most transactional spaces and has growing databases filled with sensitive customer information, including credit card data and personally identifiable information (PII).
No time of year is more precarious for retail organizations than the holiday season, which runs past Q4 and into Q5 (January) - attempted ransomware attacks spike about 70% in November and December. As consumers press ‘Buy Now’ across a flurry of websites and swipe their cards or use their phones to check out at brick-and-mortar stores, holiday grinches, a.k.a. threat actors, are on a spree of their own.
However, the truth is that the retail calendar never slows down, and security must now be a priority for these businesses 365 days a year.
The Post-COVID Retail Landscape
While April 2020 saw e-commerce reach an unprecedented high of almost 19% of retail sales, its share has since settled at 15%. Though lower than its peak, this level remains significantly above pre-pandemic figures, suggesting a long-term trend of increased online purchasing. In the post-pandemic world, retailers have created an environment where e-commerce and in-store shopping work together, producing a ‘halo effect‘ in which opening a new physical store boosts online traffic by about 37%.
Additionally, by continuing to offer a popular pandemic service – buy online, pickup in-store (BOPIS), retailers can increase profits as more than 60% of people who use the service make extra purchases when they arrive at the store.
Why Retailers Are Attractive Targets
To maximize the omnichannel experience and extract all the benefits, retailers have had to expand their IT environments to incorporate numerous systems, data sources, and IoT devices. At the same time, websites, mobile apps, point-of-sale (POS) systems, and payment gateways bring vulnerabilities. A heavier reliance on third-party vendors for payment processing, logistics, and marketing introduces even more security risks. These reasons alone are enough to tempt hackers, but they are far from the only factors.
Limited cybersecurity resources are an industry-wide problem. When examining the IT budgets across eight major sectors, an IANS and Artico Search’s Compensation and Budget survey found that, on average, 11.6% was allocated to security needs. While tech sector security teams were afforded nearly 20% of the budget, retail teams were only given 7.2%. This lack of resources makes it challenging to implement robust security measures and effectively respond to attacks.
More transactions equate to more data. Retail businesses process a large number of transactions every day. In the US alone, there was an average of 1,739 transactions per second, totaling 150.15 million daily transactions in 2022. Each transaction captures multiple pieces of sensitive customer data which must be protected by law, including names, addresses, email addresses, and credit card information, which cybercriminals can hold for ransom, leak on the dark web, or use for other criminal acts.
Leading Threats in the Retail Industry
Retail businesses face a myriad of cybersecurity threats, and as technology advances, so do the tactics of hackers seeking to exploit vulnerabilities for financial gain – the motivation behind 98% of attacks against retail organizations. The most prominent retail cybersecurity threats include:
Fraud: Threat actors can commit all types of fraud using stolen credit card information. Card-not-present fraud alone cost retailers almost $6 billion in 2022. Hackers can use stolen data for identity theft, to fraudulently order new credit cards, or to open new loyalty accounts. Generous retail return policies have also led to a rise in return fraud.
Ransomware: The retail and wholesale industries were the third most impacted by ransomware attacks. Despite continually ranking as one of the top industries targeted, few retailers can adequately disrupt an attack, with over 70% of victims reporting hackers encrypted their data. These attacks cripple businesses – only 9% recovered in one day, while 21% took over a month.
POS Vulnerabilities: Hackers can install skimmers to capture credit card data or install malware on a POS system to steal data and gain remote access to systems. In addition to being vulnerable to memory scraping, threat actors can use network sniffing tools to capture data that’s transmitted between the POS system and other devices.
Supply Chain Risks: Supply chain risks for retailers stem from an extensive network of suppliers and partners. Criminals can exploit weaknesses anywhere along the chain to gain unauthorized access and compromise the retailer’s systems, potentially leading to data breaches and operational disruptions.
The Cost of Breach for Retailers
IBM Security’s annual Cost of Data Breach Report paints a bleak picture. Over the last three years, the global average data breach cost has increased 15% to $4.45 million. In the consumer goods sector, breaches cost an average of $3.8 million; retailers spent an average of $2.96 million. Beyond the financial impact, businesses can face legal repercussions and reputational damage, not to mention days, weeks, or months of operational disruptions.
Growth Makes Retail Cybersecurity Essential
Retail is facing a double-edged sword today – accelerated growth and business opportunities create a growing attack surface and exponentially more vulnerabilities. The increasing threat landscape demands a comprehensive cyber security strategy. Implementing a layered security approach that includes firewalls, intrusion detection systems, strict access controls, and data encryption is crucial but not enough. Constant monitoring and vigilance are essential to identify and neutralize threats before they can cause significant damage.
This is where managed detection and response (MDR) solutions come into play. MDR services provide 24/7 security monitoring backed by a team of cybersecurity experts who actively hunt for threats, analyze suspicious activity, and respond to incidents quickly and effectively. By outsourcing security needs, retailers can achieve peace of mind and focus on what they do best: serving their customers and driving business success.
Threats against the retail industry will only become more sophisticated in the coming years. Taking a proactive approach to security and investing in the right solutions now is the only option for retailers who want to thrive in the future.