Top Threats Faced by Retailers During the Holiday Season



While it may be too late to introduce sweeping changes to your security policies, it doesn’t hurt to take a fresh look at where the biggest threats are and what best practices can help to neutralize them.

Retail in Danger: The Top Threats Faced by Retailers During the Holiday Season

The holiday shopping season has truly begun. As retailers focus on fighting for an estimated turnover of 1.5 trillion dollars this year (and that’s just the U.S.), their hard work could be in vain if not enough attention is paid to cybersecurity.

Why? Because these are the best and worst of times for retail IT teams. The busiest time of year for customers is also a magnet for cybercriminals. And while it may be too late at this point to introduce sweeping changes to your security policies, it doesn’t hurt to take a fresh look at where the biggest threats are and what best practices can help neutralize them.

Why retail, why now?

Retailers have long been subject to special treatment from cybercriminals. And the busiest shopping period of the year has long represented a golden opportunity to strike. But why?

  • Retailers hold highly monetizable personal and financial information about their customers. Just think about all those card details. It’s no surprise that 100% of retail data breaches analyzed by Verizon over the past year were financially motivated.
  • The holiday shopping season is the most important time of year for retailers from a revenue perspective. But that means they’re more exposed to cyber threats like ransomware or distributed denial of service (DDoS) attacks designed to extort money by denying service. Alternatively, competitors can launch DDoS attacks to deprive rivals of vital customers and revenue.
  • Because it is the busiest time of the year, employees, especially overworked IT teams, are more focused on helping the business generate as much revenue as possible than on monitoring for cyber threats. They could even change internal fraud filters to allow larger purchases to be approved without scrutiny.
  • Retailers are increasingly relying on digital systems to create omnichannel commerce experiences, including cloud-based enterprise software, in-store IoT devices and customer-facing mobile apps. In doing so, they (often unintentionally) expand the potential attack surface.

Let us not forget that one of the world’s largest data breaches ever recorded took place and was announced during the 2013 holiday season, when hackers stole 110 million customer records from US retailer Target.

What are the biggest cyber threats against retailers this holiday season?

Not only must retailers defend an expanded attack surface, they must also face an increasing variety of tactics, techniques and procedures (TTPs) emanating from a determined set of adversaries. The attackers’ objectives are to steal customer and employee data, extort or disrupt your business via DDoS, commit fraud, or use bots to gain a competitive advantage. Here are some of the top retail cyber threats:

  • Data breaches could come from stolen, hacked or phished employee credentials or exploitation of vulnerabilities, especially in web applications. The result is major financial and reputational damage that can derail growth plans and revenues.
  • Digital skimming (i.e. Magecart attacks) occurs when malicious actors exploit vulnerabilities to insert skimming code directly on your checkout pages or through a third-party software/widget provider. Such attacks are often difficult to spot, meaning they could cause significant reputational damage. These accounted for 18% of retail data breaches last year, according to Verizon.
  • Ransomware is one of the top threats to retailers, and during this busy season, threat actors may step up their attacks in the hopes that more businesses will be willing to pay to recover and decrypt their data. SMEs in particular are in the crosshairs because their security controls may be less effective.
  • DDoS remains a popular way to extort and/or disrupt retailers. Last year, the sector was on the receiving end of almost a fifth (17%) of these attacks, an increase of 53% year-on-year (YoY), with peaks spotted during Black Friday.
  • Supply chain attacks may be aimed at a digital provider such as a software company or even an open source repository. Or they may be aimed at more traditional professional services or even cleaning companies. The Target breach was made possible when hackers stole an HVAC provider’s network credentials.
  • Account takeovers (ATO) are generally enabled by stolen, phished or hacked credentials. This could be the start of a major data breach attempt, or it could target customers, in credential stuffing or other brute-force campaigns. Typically, malicious bots are used here.
  • Other malicious bot attacks include scalping (where competitors buy in-demand products to resell them at a higher price), payment/gift card fraud, and price suppression (allowing competitors to undercut your prices). Malicious bots account for about 30% of all internet traffic today, with two thirds of UK websites unable to block even simple attacks. There was an estimated 50% increase in bad bot traffic during the 2022 holiday season.
  • APIs (application programming interfaces) are at the heart of the digital transformation of retail, enabling more connected and seamless customer experiences. But vulnerabilities and misconfigurations can also provide an easy path for hackers to customer data.

How Retailers Can Defend Against Cyber Risks

In response, retailers must balance security with employee productivity and business growth. This is not always an easy calculation, especially as the high cost of living puts ever greater pressure on the pursuit of profit. But this can be done. Here are 10 best practices to consider:

  • Regular staff training: It goes without saying. Make sure your employees can detect even sophisticated phishing attacks and you will have a practical last line of defense in place.
  • Data Audit: Understand what you have, where it is stored, where it circulates and how it is protected. This must in any case be done as part of GDPR compliance.
  • Strong data encryption: Once you’ve discovered and classified your data, apply strong encryption to the most sensitive information. This should be done on an ongoing basis.
  • Risk-based patch management: The importance of software patches cannot be overstated. But the number of new vulnerabilities published each year can be overwhelming. Automated risk-based systems should help streamline the process and prioritize the most important systems and vulnerabilities.
  • Multi-layered security protection: Consider anti-malware and other features at the server, endpoint, email, network and cloud layers as a preventative barrier against cyberthreats.
  • XDR: For threats that manage to bypass preventative controls, ensure there is a powerful extended detection and response (XDR) system operating across multiple layers, including supporting threat hunting and incident response.
  • Supply Chain Security: Audit all vendors, including digital partners and software vendors, to ensure their security posture aligns with your risk appetite.
  • Strict access controls: Password managers for strong, unique passwords and multi-factor authentication are a must for all sensitive accounts. Together with XDR, encryption, network segregation and preventive controls, they form the basis of a Zero Trust security approach.
  • Disaster Recovery/Business Continuity Plan: Reviewing plans will help ensure the appropriate business processes and technology tools are in place.
  • Incident response planning: Make sure your plans are watertight and regularly tested, so every stakeholder knows what to do in a worst-case scenario and no time is wasted responding to and containing a threat.

For the vast majority of retailers, if not all, PCI DSS compliance will also be an essential business requirement. View this as an opportunity rather than a burden. Its detailed requirements will help you establish a more mature security posture and minimize risk exposure. Technologies such as strong encryption can also help reduce the costs and administrative burden of compliance. Happy Holidays.
