By Anthony Stitt, GM of security, Cisco ANZ.
There is no question that individuals and organisations alike are determined to avoid falling victim to cyber-attacks, even if it’s to ensure they are free from client backlash and loss of business. For retail organisations, public backlash has the potential to destroy brand reputation, customer trust and ultimately their transactions at the register. In Cisco’s mid-year Cybersecurity Report (MCR), the retail sector is highlighted as being particularly exposed to cyber-attacks because “… attacks on retailers often involve the exposure of customer financial data or other personal information, they receive media attention and require outreach to consumers.”
In fact, the MCR highlights that should a retail organisation become a victim of an attack or data breach, their brand reputation may be impacted more significantly than other industries such as healthcare or utilities. This is because customers have greater choice and “…if they perceive that a retailer is careless about security, they can easily switch to others.”
The majority of high-profile retail data breaches or cyber incidents have occurred in the US and similar countries that have not traditionally had chip-and-pin protection as the normal process or standard, so point-of-sale (POS) systems have been targeted to extract credit card information. Cyber criminals have taken advantage of this weakness; however, the US retail industry is finally catching up on utilising better POS security. In Australia, we take for granted the routine and widespread use of chip-and-pin. Alarmingly, though, one US retailer was breached through a third-party facilities management company, via its vulnerable POS infrastructure, and once inside the network the criminals had full access.
As retailers continue to digitise and take advantage of the growing digital economy by moving to greater online sales, in line with industries throughout Australia, the stakes are being raised in exposure to cyber-attacks. Websites are vulnerable or subject to an increasing number of distributed denial-of-service (DDoS) attacks, with business-critical operations able to be disrupted. Recent global cyber-incidents, the WannaCry and Petya malware outbreaks, affected the business operations of many organisations – including global retailers.
Similarly, several supply chain organisations that support retail businesses were also affected, with delivery organisations A.P. Moeller-Maersk, FedEx and TNT, and consumer goods businesses Mondelez International, Reckitt Benckiser and Mars Inc, all cited in media reports as suffering detrimental impacts due to these malware outbreaks.
Australian retailers have not been exempt from exposure, with David Jones and Kmart cited in the media as far back as 2015 for having customer data breached through a compromised website, plus an external privacy breach of customer data through an online product order system. The 2017 Cisco Security Capabilities Benchmark Study revealed retailers are equally concerned with targeted attacks (38 per cent of responders) and insider exfiltration of data (32 per cent of responders), with the study determining that “To detect sophisticated targeted attacks, like APTs or phishing attacks, retailers need to distinguish between normal and abnormal traffic patterns, which can vary by day, week, or shopping season.”
These attacks are often what is called ‘server-side’, which means strong patching practices and abilities, good network segmentation and visibility that is as extensive as possible are key measures to help prevent susceptibility to such attacks. Historically, the consensus was that protection trumped detection and response. This is only true if you are able to block 100 per cent of attacks, which no organisation is capable of achieving. Sure, an organisation will seek to block as much as possible, but how do you find the things you’ve missed? Visibility, that is, into the activity occurring in your network.
Can you answer: Who’s connected? Which devices are communicating? What operating systems are being used? Which applications are running? Are there any traffic patterns? Essentially, everything that is happening on your network.
In breach investigations, 45 percent of organisations spent over six figures to determine ‘what happened’ and were never able to come to a definitive answer. Ironically, understanding ‘what happened’ allows you and your organisation to respond in a reasonable timeframe, which ultimately ensures a minor system compromise does not escalate into a large-scale breach in the future.
Managing operational security is an ongoing problem for retailers, as with every organisation trying to protect themselves. The short supply of skilled security professionals and high cost of IT staff are barriers to this better operational security, with “twenty-four percent of the retail security professionals saying they see a lack of trained personnel as a major obstacle to adopting advanced security processes and technology.” This is made worse by the security and IT staff that retailers do have being inundated with work. The 2017 MCR highlighted that only 45 per cent of legitimate incidents are being remediated, which just creates more alerts and increases the downhill spiral.
According to the MCR, “when staffing is an issue, automated security solutions become more important. Automation can help fill the gap caused by staffing shortfalls—for example, solutions that allow for the automatic segmentation of an infected device to a quarantined location. This way, the infection can’t spread and the device will no longer have access to confidential information.”
Cisco is also seeing a high uptake of software-defined wide area networks (SD-WAN) in the retail sector because it allows IT resources to minimise the time spent on mundane tasks like configuration, policy enforcement and implementing security controls. This allows an organisation to invest in threat hunting, reviewing legitimate incidents and properly implementing the protect-detect-respond feedback loop that is the basis of every security model.
Finally, we are seeing a shift in many organisations, especially retailers, to recognising the vital importance of the network for virtually all digital enablement and aspirations. A strong network for digital enablement should value strong cybersecurity capabilities as an enabler, rather than a cost to business. For example, Cisco’s Cybersecurity as a Growth Advantage report found that over a third (35 per cent) of retail organisations had already made this mental shift.
The value in retail projects being enabled by good cyber security skills outweighs the costs by a factor of four. The study found CIOs and CFOs will allocate resources to securing these projects. Retail digital use cases include in-store analytics, checkout optimisation, out-of-stock optimisation, remote experts, endless aisles, theft and physical security like cameras, and smart lockers.