Preventing Cyber Crime in the Retail Sector

Date: 20 June 2017


INTRODUCTION:

Cyber criminals pose an increasingly significant risk to businesses' bottom line. In 2016, cyber security breaches cost UK businesses almost £30 billion; that's staggering. PwC's Global State of Information Security Survey 2017 showed that retail and consumer businesses were affected by, on average, more than 4,000 security incidents in 2015, and 16% of those surveyed admitted to losses of $1 million or more from these incidents. A worrying 95% of breached records in 2016 originated from the retail, government or technology sectors. So, what can you do as a retailer to reduce the impact of cyber attacks on your business?

This post will share some insights into how you can: 

  • Understand how exposed retail businesses are to cyber crime. 
  • Prevent a cyber attack from impacting your business.
  • Take steps to improve your cyber security posture. 

Cyber Attackers Love Retail. Yes. Whilst the retail industry in 2016 suffered fewer headline breaches than in earlier years, when Target and Home Depot were hit, it still suffered too many. The retail sector remains squarely in the cross hairs of cyber attackers, and there is no shortage of retail-related attacks. A number of recent high-profile attacks on major retailers around the world have, however, led them to take action.

Three of the many examples:

  • Sports Direct: September 2016. Hackers attacked Sports Direct last year, stealing the personal data of more than 30,000 staff members, possibly including their National Insurance details. The company was slow to report the breach to the affected employees, waiting a full three months after the breach. Their reason? There was 'no evidence that the data had been copied'.

  • Three: March 2017. The well-known mobile phone operator was the target of a major breach earlier this year. An employee's stolen password led to the data of 200,000 customers being compromised. Three believes those responsible were after new handsets rather than anything more sinister, but the company had suffered a similar breach two years earlier. That wasn't all: Three also had a separate issue in which customer account details, call history and data usage were affected, and whilst this wasn't a breach as such, its procedures failed to comply with data protection legislation.

  • Debenhams: May 2017. Data on 26,000 Debenhams Flowers customers was exposed following a malware attack on Ecomnova, the third party that ran the Debenhams Flowers e-commerce site. This breach highlights the risk of working with third parties and shows how important it is to ensure that any third party you work with complies with data protection regulations.


As always, Point of Sale (PoS) systems, payment card processing systems and other end-terminal devices remain the easiest targets for attackers to compromise. Attackers are also drawn to the vast amounts of personally identifiable information that the retail sector collects.

So, How Do You Prevent a Retail Cyber Attack?

In a retail set-up, a number of different technical checks are needed to ensure the security of the network. The sheer variety of terminals, devices, servers and desktops makes it hard to ensure that every element is hardened to a consistent standard.

For instance, where PIN Entry Devices are in use in a restaurant or pub, it is very important to perform a security health check of the whole network: tills, payment devices and the network components that connect them. Depending on the implementation, a number of technical checks are recommended, or are industry standard practice, to ensure card data is protected whilst in transit.


Some points CMA considers when assessing retail clients:

  • The first question: one of Cyber Management Alliance's first questions at the start of a client engagement is "Do you know who has privileged access to your networks and systems?" It is often the question that takes longest to answer.
  • Configuration management: assess the security of devices and the network to determine whether they are configured to reduce the attack surface.
  • Targeted penetration tests: assess the platform by analysing and testing for any weaknesses that could be used to attack the devices or hosts on the network, including how they are configured to connect to wireless networks, wired networks, or any other entry points. Use experienced, accredited penetration testers, such as CHECK Team Leaders or CREST-certified testers.
  • Capture transactions on the network using a number of techniques: card data can leak through misconfigured PIN Entry Devices or other terminals installed on the local network, or be intercepted through man-in-the-middle attack vectors.
  • Attempt to access the PED (PIN Entry Device) itself and read card data before it is encrypted, or otherwise bypass the device's security controls.
Note: Technically, one of the biggest threats to the retail industry is RAM-scraping malware. It has been found in some of the highest-profile retail data breaches of recent years, and several new families of RAM scrapers aimed at Point-of-Sale (POS) systems were discovered in 2014. RAM scrapers work because card data has to be in cleartext in the PoS application's memory, however briefly, for the transaction to be processed; encryption on disk and in transit does not protect it there.
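The network-capture and PED checks above, and the note on RAM scrapers, come down to the same question: is cleartext card data sitting in a buffer where it should not be? The following Python script is an added example for this post (not CMA's own tooling) that scans a byte buffer, which could be the payload of a packet capture from the till network or a dump of a PoS process's memory, for ISO/IEC 7813 Track 2 records and bare 13-19 digit PANs, and uses the Luhn check to discard look-alike digit runs such as order numbers. The search it performs is the same one a RAM scraper performs on PoS memory. The sample capture is constructed: the card numbers are the standard Visa and Mastercard test numbers, and the gateway hostname and field names are invented.

```python
"""Scan a captured buffer for cleartext payment card data.

Added example for this post (not CMA tooling). The Track 2 / PAN pattern
search a tester runs over a packet capture or PoS memory dump is the same
search that RAM-scraping malware performs on PoS process memory.
"""
import re
import sys

# ISO/IEC 7813 Track 2: start sentinel ';', PAN (13-19 digits), field
# separator '=', expiry YYMM, 3-digit service code, discretionary data,
# end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# A bare PAN: 13-19 digits that are not part of a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Real PANs pass; most order numbers, timestamps and IDs do not, so the
    check removes false positives from a raw digit-run search.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits (PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list[dict]:
    """Find Luhn-valid Track 2 records and bare PANs in buf.

    Returns findings sorted by offset. PANs are masked so the scan output is
    not itself a store of cardholder data.
    """
    findings = []
    track_spans = []            # byte ranges already reported as Track 2

    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue
        track_spans.append((m.start(), m.end()))
        findings.append({
            "kind": "track2",
            "offset": m.start(),
            "pan": mask(pan),
            "expiry": m.group(2).decode("ascii"),
            "service_code": m.group(3).decode("ascii"),
        })

    for m in PAN_RE.finditer(buf):
        if any(s <= m.start(1) < e for s, e in track_spans):
            continue            # digits inside a Track 2 record we already have
        pan = m.group(1).decode("ascii")
        if luhn_ok(pan):
            findings.append({"kind": "pan", "offset": m.start(1), "pan": mask(pan)})

    findings.sort(key=lambda f: f["offset"])
    return findings


def scan_file(path: str) -> list[dict]:
    """Scan a file (pcap payload extract, process memory dump) as raw bytes."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


# Constructed sample: an authorisation request as it might leave a
# misconfigured till. Card numbers are the standard Visa/Mastercard test
# numbers; the hostname and field names are invented.
SAMPLE_CAPTURE = (
    b"POST /auth HTTP/1.1\r\nHost: gw.example.test\r\n\r\n"
    b"txn=000123&amt=1999"
    b"&track2=;4111111111111111=2512101123456789?"   # full Track 2 record
    b"&order=1234567890123456"                        # 16 digits, fails Luhn
    b"&pan=5500000000000004&cvv=***"                  # bare PAN, Luhn-valid
    b"\x00\x00pan=4111111111111112"                   # mistyped PAN, fails Luhn
)

if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_buffer(SAMPLE_CAPTURE)
    for f in results:
        extra = f"  exp={f['expiry']} svc={f['service_code']}" if f["kind"] == "track2" else ""
        print(f"offset {f['offset']:6d}  {f['kind']:6s}  {f['pan']}{extra}")
    print(f"{len(results)} cleartext card data item(s) found")
```

Run it with no arguments to scan the built-in sample, or pass a file path to scan a payload extract or memory dump. On the sample it reports two items (the Track 2 record and the bare Mastercard PAN) and ignores the order number and the mistyped PAN. Two points carry over to real engagements: keep the Luhn filter, because a raw digit-run search over a memory dump is mostly noise, and never write unmasked PANs to the report, since the report would otherwise become cardholder data in its own right.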


But We Are PCI Compliant So We Are Secure, Are We Not?


Although the payment industry has its own regulation (PCI DSS), compliance is a baseline rather than a guarantee: several further improvements are needed to ensure that security is part of the software lifecycle from the very start, before design, through to the final phase, implementation.

Take Action Now!

The threat of cyber attacks is so real that an insurance firm has recently gone on record to say that “Cyber attacks now present such a danger to global business that governments should step in to cover the risks.”

Doing nothing is not an option. Attacks from malicious insiders and hackers will, not could, increase in frequency and complexity. Businesses will increasingly feel the pain as these attacks hit the bottom line and erode customers' trust.

Most importantly, ensure you provide appropriate cyber security training to non-technical senior executives, and more technical training to the technical staff.