Industry Professional

Retail Under Fire

What makes enterprise-level merchants vulnerable to cyberattacks?

  • By Miguel Gracia
  • Nov 01, 2017

A recent data security report, published by Thales, revealed that 62 percent of all retailers worldwide have experienced a data breach within the past year. This alarming report provides evidence that retailers are prime targets for cyberattacks, and hackers have shifted the focus to exploit any system housing sensitive customer information that is not properly protected regardless of a company’s size.

While it can be almost impossible to predict how cyberattacks will evolve, understanding current cyber trends and vulnerabilities can greatly help retailers to swiftly improve their cybersecurity posture and significantly reduce risk. Read on to learn about the top three threats affecting the retail industry today and what can be done to neutralize or eliminate risk altogether.

Cloud and IoT

Over the past few years, many enterprise retailers have adopted technologies to streamline outdated business processes and greatly improve the customer experience. While popular technologies like cloud-based applications and other connected devices can certainly help an organization evolve towards a more convenient, customer-centric purchasing model, but it can also create additional data security vulnerabilities where traditional security tactics are no longer effective.

To mitigate the risk of exposing data in clear text throughout a growing system, it is important to take time and understand the overall data flow for sensitive information, such as how information enters the environment, what networks it traverses (data in transit), which applications or people handle the data and how data is being stored (data at rest). Once the information flow is understood endto- end, a multi-level security strategy can be identified to protect it.

A sound multi-level security strategy is made of three components:

A diagnosis. Identifying the data protection challenges and clearly understanding how it can affect a business.

A guiding policy. Defining what must be done at from a high-level to counter act the identified data security challenge.

Coherent actions. These are the objectives and assigned resources dedicated to executing the objectives within the guiding policy to achieve the strategy.

What is the best approach to a multi-level security strategy for sensitive data? Most industry experts agree, it is an approach using a combination of data tokenization, Point-to-Point Encryption (P2PE), standard data encryption, proactive data flow analysis (what worked previously might not work today), continuous training for handling sensitive data and proactive vulnerability monitoring and patching.

Using tokenization alone won’t keep a hacker from breaching a system, but can drastically reduce a data breach impact. Tokenization works by replaces sensitive data, like credit card numbers, with a valueless token useless to a criminal seeking to steal credit card information.

When combining data tokenization with P2PE, a solution that protects sensitive data with encryption the moment it’s captured throughout the full lifecycle, an enterprise can prevent the use of sensitive data for fraudulent activity in the event that a retailers system or network is breached.

PoS Malware

Point-of-Sale (PoS) malware is designed to extract credit or debit card data from a retailers POS environment and then send it back to a command-and-control (C&C) server run by hackers. In recent months, there have been a number of POS attacks around the globe that convinced users to open malicious documents that automatically download malware locally. This malware is then spread across the enterprise’s network to take over POS systems and other applications.

Keeping software up-to-date and restricting internet access are great first steps in protecting POS systems, but ultimately devaluing sensitive data and implementing a solid multi-level security strategy remains the best defense against cybersecurity threats for the enterprise.

Skimming

EMV Chip and PIN adoption has grown significantly over the past year; shockingly not all retailers have adopted the two security tactics. According to experts, the uneven rollout has not gone unnoticed by hackers. There is available data (reports, videos online) for creative ways used by hackers to implement skimming devices at selfcheckout lines. These hacking methods are being executed using organized methods.

Effective data security requires a proactive and practical multilevel security strategy. Implementing P2PE/EMV technology for credit card transactions eliminates the impact associated with device skimming. Hackers are very creative and will continue to evolve their methods to expose and steal valuable information for maximum disruption or profit. The more vigilant and proactive businesses remain about data security, the better they will be at identifying these threats and mitigating attacks.

This article originally appeared in the November 2017 issue of Security Today.

Featured

  • Human Risk Management: A Silver Bullet for Effective Security Awareness Training

    You would think in a world where cybersecurity breaches are frequently in the news, that it wouldn’t require much to convince CEOs and C-suite leaders of the value and importance of security awareness training (SAT). Unfortunately, that’s not always the case. Read Now

  • Windsor Port Authority Strengthens U.S.-Canada Border Waterway Safety, Security

    Windsor Port Authority, one of just 17 national ports created by the 1999 Canada Marine Act, has enhanced waterway safety and security across its jurisdiction on the U.S.-Canada border with state-of-the-art cameras from Axis Communications. These cameras, combined with radar solutions from Accipiter Radar Technologies Inc., provide the port with the visibility needed to prevent collisions, better detect illegal activity, and save lives along the river. Read Now

  • Survey: 84 Percent of Healthcare Organizations Spotted Cyberattack in Last 12 Months

    Netwrix, a vendor specializing in cybersecurity solutions focused on data and identity threats, surveyed 1,309 IT and security professionals globally and recently released findings for the healthcare sector based on the data collected. It reveals that 84% of organizations in the healthcare sector spotted a cyberattack on their infrastructure within the last 12 months. Phishing was the most common type of incident experienced on premises, similar to other industries. Read Now

  • Keynote Speakers Announced for ISC West 2025

    ISC West, hosted in collaboration with premier sponsor the Security Industry Association (SIA), unveiled its 2025 Keynote Series. Featuring a powerhouse lineup of experts in cybersecurity, retail security, and leadership, each keynote will offer invaluable insights into the challenges and opportunities transforming the field of security. Read Now

    • Industry Events
    • ISC West
Most   Popular

Featured Cybersecurity

Webinars

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3