Retail is one of the most targeted industries for cyberattacks. Malicious actors are often financially motivated, so what better industry to target than one that involves constant monetary transactions? And, as retail security becomes more reliant on technology, cybercriminals are finding more ways to exploit the industry.
There are more than just goods for sale
While you might shop for clothes, homeware, appliances, or stationery, attackers use retailers to shop for data. COVID meant that most shopping purchases, if not all, were done online – e-commerce spending in the US rose by 44% between 2019 and 2020. However, the shift to cyber shopping (which was already becoming increasingly popular before the pandemic) means retailers use more complex, digital environments to collect and store customers’ personal and financial data. Such information is extremely valuable to cybercriminals due to its black-market value. Additionally, retailers are in fierce competition to attract customers and constantly seek to enhance the user’s experience. Doing so, however, requires the use of big data. It is, therefore, no wonder that the retail industry is a large target for data theft, as there is a treasure trove of information that attackers can steal and sell on the dark web.
Worldwide lockdowns meant physical shopping was prohibited, but thankfully we had access to endless stores online. But what about a cyber lockdown? Ransomware attacks cause the victim’s systems to shut down, preventing operations from being carried out. In 2020, as Ransomware can have a significantly greater impact during busy times, such as Black Friday and Cyber Monday, in which consumers spend billions of dollars in a single day. Operational disruptions, even for just a few hours, can cause major losses in sales. On top of this are the remediation costs, which, in the retail industry, are estimated to be almost $2m.
Hardware attackers are inclusive – no one (or industry) is immune. Hardware attack tools, known as Rogue Devices, can carry out further harmful attacks, including data theft and ransomware, while operating under the radar of existing security software, such as NAC, EPS, IDS, and IoT Network Security. Several vulnerabilities within the retail industry expose it to hardware-based attacks, compromising retail security. One such vulnerability is the high employee turnover rate, as retailers often hire seasonal workers. Short-term employment means workers have little loyalty to the company and, thus, are more inclined to carry out an attack. When it comes to hardware-based attacks, an employee can easily compromise data by downloading it onto a USB thumb drive and walking out the door.
The digitalization of the retail industry means there is an increasing number of entry points. Hardware attacks require physical access, and with an average of five devices to every employee in retail, malicious actors have several access points to exploit. Internet of Things (IoT) devices are becoming more widely adopted within retail, further expanding the attack surface; IoT devices are more accessible, less secure, and provide an entry point to the entire network.
Despite this digitalization, one cannot ignore the vulnerabilities present within traditional stores. As in-person shopping starts to resume, an attacker can slip in with the crowd and covertly attach a malicious device to one of the computers at the check-out.
The supply chain is another vulnerability bad actors exploit. The retail industry relies heavily on its suppliers, and data sharing is crucial in enhancing the interconnectedness between the various entities. However, this means every supplier becomes a target as each one could provide an attacker with access to valuable information. Further, a large supply chain means more entry points, thereby increasing the retailer’s vulnerability.
Size Zero Trust
Zero Trust (ZT) is a concept that enhances enterprises’ security posture. Often, ZT is recommended as a solution to tackle the challenges faced by the retail industry. Based on the principle of “never trust, always verify”, every user and asset is treated as suspicious. Rather than inherently trusting insiders, the Zero Trust Architecture (ZTA) verifies and validates every entity that requests network access. The main security protocols of ZT are microsegmentation and the principle of least privilege, which both seek to limit the impact of an attack, should one occur. While ZT does strengthen cybersecurity efforts, hardware attack tools manage to bypass the model’s security protocols due to a lack of Layer 1 (Physical Layer) visibility. Instead, we suggest adopting a Zero Trust Hardware Access (ZTHA) approach to enhance existing ZT efforts.
Sepio’s Hardware Access Control (HAC-1) solution provides the Layer 1 visibility required for ZTHA. The HAC-1 solution calculates a digital fingerprint of all hardware assets (IT/OT/IoT), meaning every device gets detected for what it truly is, not just what it claims to be. Such visibility allows for the effective enforcement of the ZT security protocols, thereby enhancing the overall ZT approach. Additionally, the comprehensive policy enforcement mechanism of the HAC-1 solution, combined with its Rogue Device Mitigation capability, means that any unapproved or rogue hardware is blocked instantly, preventing any hardware-based attacks from occurring.
With HAC-1, retailers are protected on Layer 1, and existing cybersecurity investments are put to better use thanks to greater visibility.