Report: Retail Sector Under Cybersecurity Siege

A report issued this week in advance of the holiday season by IntSights, a provider of a cybersecurity service that surfaces threats on the Dark Web, estimates that organized retail crime (ORC) is now costing retailers approximately $30 billion each year.

While those costs include outright theft from retail stores, a significant percentage of those losses are the result of theft of credit card data, said Charity Wright, a cyber threat intelligence advisor for IntSights.

Those cyberattacks manifest themselves in two primary forms. The first is known as carding, which involves using stolen credit card data to buy prepaid cards. Those prepaid cards are then sold at a discount on the Dark Web and used to fraudulently acquire goods and services from e-commerce sites. This is the fastest-growing cybersecurity threat, said Wright.

The second major cybersecurity threat is aimed at point-of-sale (POS) systems. While the number of cybersecurity incidents involving POS systems has dropped in the last year, thanks to Payment Card Industry (PCI) compliance requirements and the adoption of EMV chip technology, memory-scraper trojans, which scan a POS system's memory for bank card data and exfiltrate it, remain the top cybersecurity threat overall, according to the report. Cybercriminals continue to target POS systems because many retailers still do not use point-to-point encryption (P2PE), which encrypts card data inside the card reader so that it never sits in cleartext in the POS application's memory.
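To make the memory-scraper threat and the P2PE mitigation concrete, here is an added example (it is not code from the IntSights report or from any real malware): a minimal scraper that searches a process memory image for Track 2 card data and keeps only Luhn-valid PANs, run first against constructed POS memory holding a cleartext track and then against constructed memory where the reader encrypted the track before the POS application saw it. The memory contents, the test PAN 4111111111111111 and the `toy_stream_encrypt` helper are all assumptions made for the example; the helper stands in for the PIN pad's real AES/DUKPT encryption and is not a cipher to reuse.

```python
import hashlib
import re
from typing import List

# Track 2 layout from a magnetic stripe or chip: ";PAN=YYMM<service code><discretionary>?"
# A POS memory scraper simply greps the application's memory for this layout.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check; scrapers use it to discard digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape_track2(memory: bytes) -> List[str]:
    """Return every Luhn-valid PAN found in Track 2 layout inside a memory image."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(memory)
            if luhn_ok(m.group(1).decode())]


# Constructed POS process memory WITHOUT P2PE: the card reader hands the POS
# application the cleartext track, so it sits in RAM between swipe and send.
# 4111111111111111 is a well-known Luhn-valid test number, not a real card.
CLEARTEXT_POS_MEMORY = (
    b"\x00\x00POS v3.1 txn=12345 lane=07\x00"
    b";4111111111111111=2512101123456789?\x00"
    b"\x00;1234567890123=2512?\x00"     # fails Luhn: a scraper would drop it
)


def toy_stream_encrypt(data: bytes, key: bytes) -> bytes:
    """Hypothetical stand-in for the PIN pad's real AES/DUKPT encryption:
    a SHA-256 counter keystream XORed over the data. Not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        keystream = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], keystream))
    return bytes(out)


def build_p2pe_memory(track2: bytes, terminal_key: bytes) -> bytes:
    """Constructed POS process memory WITH P2PE: the secure card reader encrypts
    the track before it leaves the reader, so the POS application (and any
    scraper in its address space) only ever holds the hex ciphertext blob."""
    blob = toy_stream_encrypt(track2, terminal_key).hex().encode()
    return (b"\x00\x00POS v3.1 txn=12345 lane=07\x00"
            b"enc_track=" + blob + b"\x00")


if __name__ == "__main__":
    print("no P2PE  :", scrape_track2(CLEARTEXT_POS_MEMORY))
    p2pe_mem = build_p2pe_memory(b";4111111111111111=2512101123456789?", b"terminal-key")
    print("with P2PE:", scrape_track2(p2pe_mem))
```

Without P2PE the scan yields the test PAN; with P2PE the POS process holds only ciphertext and the same scan finds nothing. The same `scrape_track2` function doubles as a cheap check for defenders: run it over a memory dump of your own POS application, and any PAN it returns is cleartext card data a scraper could have taken.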

Most retailers continue to struggle with cybersecurity issues because razor-thin profit margins across the sector make it difficult to find the funds required to mount a proper defense. Many retailers, for example, can’t afford to invest in a managed security service given cost constraints, noted Wright.

At the same time, however, retailers have never been more aggressive in creating digital experiences for customers, which involve significant investments in IT. Retailers know it is only a matter of time before they will be required to address this issue as part of the data privacy initiatives sweeping the globe, such as the General Data Protection Regulation (GDPR), added Wright.

The IntSights report advises retailers to focus on six control objectives, the same six that structure the PCI Data Security Standard (PCI DSS):

  1. Build and maintain a secure network and systems
  2. Protect cardholder data
  3. Maintain a vulnerability management program
  4. Implement strong access control measures
  5. Regularly monitor and test networks
  6. Maintain an information security policy

Additionally, the report advises retailers to migrate data to secure infrastructure and encrypt card data at the POS, train loss prevention specialists to recognize cyberattacks, make sure they are meeting all compliance mandates, and monitor the Dark Web forums where cybercriminals gather. Cybercriminals not only share tips and tricks with one another there, Wright said; they often also identify potential targets.

Retailers would also be well advised to pool their cybersecurity expertise to address these issues, Wright added. However, given the highly competitive nature of the retail industry, she noted, many retailers are reluctant to share cybersecurity information for fear of disclosing a potential weakness to rivals.

Obviously, far too many retailers are playing a cybersecurity percentage game. Retailers know they will incur losses because of cybersecurity attacks. They are just hoping those losses don’t become large enough to tip them any further into the red.

Michael Vizard


Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
