With so many people cooped up indoors for months, online retail has been just about everyone’s best friend: retailers of all sizes, from large corporations to local mom-and-pop stores, have used their web and mobile applications to deliver food and orchestrate curbside pick-ups, and of course, there’s been plenty of online shopping happening.
But shoppers aren’t the only ones frequenting retailers. Cyber criminals are also targeting online retail, and those ecommerce sites that aren’t up on retail cybersecurity may find themselves the targets of a breach.
This can be particularly devastating for smaller businesses — according to the Ponemon Institute’s most recent Global State of Cybersecurity in Small and Medium-Sized Businesses report, attacks on smaller businesses are increasing, and they’re also increasingly sophisticated, with attackers relying on deception-based attacks like phishing. The problem is, smaller retailers don’t have the funds to bounce back from an attack like a big chain can. If a local store offering curbside pick-up through their new app is targeted, a breach might bankrupt them, whereas a big box store might be able to absorb the hit and move on.
For this reason, it’s important to head off attacks before they happen, rather than simply wait to respond. Fortunately, cybersecurity tools like SecurityScorecard can help ecommerce sites shore up their retail cybersecurity before a breach occurs.
Common retail cybersecurity challenges
Because of the nature of their business, retailers face unique cybersecurity issues; they take money and ship goods, so there are often many places where bad actors can slip into the process and try to grab information, money, or goods for themselves. Below are five common cyber challenges faced by retailers.
1. Stolen customer information
Brick and mortar stores are often robbed for their registers, and ecommerce is much the same: most cybercriminals who rob stores are after money, even if they’re robbing an online store. The retail industry is often targeted by criminals who want to get their hands on customers’ credit and debit card numbers as well as other payment information. As payment styles have changed, so have attacks (cards are no longer present in all transactions, so now criminals try to get other sorts of data, like customers’ personal information and passwords). This can take the form of credit card fraud, attempts to breach point of service systems, or even shipping fraud to steal goods that were legitimately purchased and route them elsewhere.
2. Attacks on web applications
As retail has moved transactions to web applications, so have cyber attacks moved to the web. Attackers have targeted vulnerable web infrastructures with a variety of attacks, ranging from distributed denial of service (DDoS) attacks — attacks in which bad actors use multiple computers to overwhelm a server with fake traffic — to malware to SQL injections, which inject malicious SQL commands into a site’s existing scripts. Any of these can shut a site down to legitimate customers.
3. Unpatched vulnerabilities
Patching is good, commonly accepted cyber hygiene practice, but it’s important to face facts: software often goes unpatched. That’s a big problem; if there is an unpatched vulnerability in your ecommerce web app, a criminal who finds it will definitely use it to gain access and perform some of the attacks mentioned above, such as SQL injection (but also PHP and local file injection).
4. Leaked credentials
Every industry worries about leaked and stolen credentials (30% of attacks on SMBs include stolen credentials), and that’s no different for retailers, many of whom have systems that allow customers to log in. If a bad actor targets a customer by stealing their password or leaking their credentials, they can then steal that customer’s personal information. They might be able to steal payment information, or simply personal information.
5. Increased phishing attacks
Phishing attacks and other social engineering scams are on the rise right now across all industries. Ponemon found that 57% of attacks on SMBs were phishing scams. Phishing can take several forms when it comes to retail: phishers might go after your customers, pretending to be from your organization in an attempt to obtain their personal information, payment information, or credentials. Phishers may also target your employees in an attempt to get them to download malware or gain unauthorized access to data.
How SecurityScorecard can help
The best way to understand how an attacker is thinking of breaching your organization is to see your security from the outside. SecurityScorecard’s Ratings allow you to do that by offering easy-to-read A-F scores. Our ratings map your risk across 10 groups of risk factors, including web application security, network security, leaked information, and patching cadence.
We let you see where your organization is most at risk — if something hasn’t been patched, if stolen credentials are being sold, or if your web application is being targeted. Then we tell you what steps you need to take to secure your site and network so that your data, and your customers’ information, are safe and protected.