Retail Under Fire
What makes enterprise-level merchants vulnerable to cyberattacks?
- By Miguel Gracia
- Nov 01, 2017
A recent data security report, published by Thales,
revealed that 62 percent of all retailers worldwide
have experienced a data breach within the past
year. This alarming report provides evidence that
retailers are prime targets for cyberattacks, and
hackers have shifted the focus to exploit any system housing sensitive
customer information that is not properly protected regardless
of a company’s size.
While it can be almost impossible to predict how cyberattacks will
evolve, understanding current cyber trends and vulnerabilities can
greatly help retailers to swiftly improve their cybersecurity posture
and significantly reduce risk. Read on to learn about the top three
threats affecting the retail industry today and what can be done to
neutralize or eliminate risk altogether.
Cloud and IoT
Over the past few years, many enterprise retailers have adopted technologies
to streamline outdated business processes and greatly improve
the customer experience. While popular technologies like cloud-based
applications and other connected devices can certainly help an organization
evolve towards a more convenient, customer-centric purchasing
model, but it can also create additional data security vulnerabilities
where traditional security tactics are no longer effective.
To mitigate the risk of exposing data in clear text throughout
a growing system, it is important to take time and understand the
overall data flow for sensitive information, such as how information
enters the environment, what networks it traverses (data in transit),
which applications or people handle the data and how data is being
stored (data at rest). Once the information flow is understood endto-
end, a multi-level security strategy can be identified to protect it.
A sound multi-level security strategy is made of three components:
A diagnosis. Identifying the data protection challenges and clearly
understanding how it can affect a business.
A guiding policy. Defining what must be done at from a high-level
to counter act the identified data security challenge.
Coherent actions. These are the objectives and assigned resources
dedicated to executing the objectives within the guiding policy to
achieve the strategy.
What is the best approach to a multi-level security strategy for
sensitive data? Most industry experts agree, it is an approach using
a combination of data tokenization, Point-to-Point Encryption
(P2PE), standard data encryption, proactive data flow analysis
(what worked previously might not work today), continuous training
for handling sensitive data and proactive vulnerability monitoring
Using tokenization alone won’t keep a hacker from breaching a
system, but can drastically reduce a data breach impact. Tokenization
works by replaces sensitive data, like credit card numbers, with
a valueless token useless to a criminal seeking to steal credit card
When combining data tokenization with P2PE, a solution that
protects sensitive data with encryption the moment it’s captured
throughout the full lifecycle, an enterprise can prevent the use of sensitive
data for fraudulent activity in the event that a retailers system
or network is breached.
Point-of-Sale (PoS) malware is designed to extract credit or debit
card data from a retailers POS environment and then send it back
to a command-and-control (C&C) server run by hackers. In recent
months, there have been a number of POS attacks around the globe
that convinced users to open malicious documents that automatically
download malware locally. This malware is then spread across the
enterprise’s network to take over POS systems and other applications.
Keeping software up-to-date and restricting internet access are
great first steps in protecting POS systems, but ultimately devaluing
sensitive data and implementing a solid multi-level security strategy remains
the best defense against cybersecurity threats for the enterprise.
EMV Chip and PIN adoption has grown significantly over the past
year; shockingly not all retailers have adopted the two security tactics.
According to experts, the uneven rollout has not gone unnoticed
by hackers. There is available data (reports, videos online) for creative
ways used by hackers to implement skimming devices at selfcheckout
lines. These hacking methods are being executed using organized
Effective data security requires a proactive and practical multilevel
security strategy. Implementing P2PE/EMV technology for
credit card transactions eliminates the impact associated with device
skimming. Hackers are very creative and will continue to evolve their
methods to expose and steal valuable information for maximum disruption
or profit. The more vigilant and proactive businesses remain
about data security, the better they will be at identifying these threats
and mitigating attacks.
This article originally appeared in the November 2017 issue of Security Today.