The Retail sector against cyber attacks

Oct 26, 2022 | cybersecurity

According to the Esade Creapolis barometer “The challenges in Retail 2022: New perspectives and opportunities for the sector”, 62% of retailers, 20% more than in the 2021 barometer, express the need to rely on technology to improve the customer experience that is created through each interaction with the company, that is, its customer journey, becoming the fastest growing concern in the sector.

SMEs in the retail industry are the ones that have seen the viability of their business most endangered by cyberattacks: 43% of them, according to the conclusions of the Ranking of Cybersecurity of SMEs prepared by Hiscox to coincide with the Cybersecurity Month that is celebrated this October.

This ranking also shows that, at the other end of the scale, small and medium-sized companies dedicated to financial and business services are the ones that best manage the cybersecurity of their businesses; retail companies are in seventh position.

Likewise, as the Interface blog points out after synthesising several studies, 84% of the cyberattacks that occur in this industry fall into three patterns: system intrusion, social engineering and basic web application attacks. In 87% of the cases the actors are external, and in 13% internal. Of the compromised data, 45% corresponds to credentials, 27% to personal data, 25% to payment data and 25% to other types of data.

In this delicate scenario, retailers need to develop several basic security policies:
• Restrict access to data as necessary.
• Encrypt sensitive data sent over open public networks.
• Periodically test security systems and processes.
• Manage threats to mobile devices (define policies and implement specific management solutions).

Additionally, companies need to have broad visibility and control across all environments; and they must monitor and respond to a rapidly changing threat landscape.

Prestashop Studio

The latest survey carried out among Prestashop Million Club stores, which brings together stores that generate more than one million in sales per year, reveals that 46% of merchants have been the victim of a cyber attack. In the case of Spain the figures exceed the world average, since one in two affected merchants (53%) had to deal with various types of attacks. 60% of those surveyed consider that the number of attacks is growing.

Most reported being attacked by malicious bots (60%), followed by DNS server attacks (50%), ransomware attacks (30%) and SQL injection (30%). Likewise, 10% experienced a Denial of Service (DoS or DDoS) attack and another 10% reported a defacement, that is, a change in the appearance of their website. These attacks are the most common, but merchants have also had to deal with other less frequent but very real attacks: 20% of them mention threats such as database deletion and a significant increase in traffic volumes.

Consequences of the attacks and measures

The main consequence of these cyberattacks was the unavailability of the service (for 80%); only 20% of stores suffered data theft, and 10% had customer data hijacked. Likewise, 61% of the attacks are resolved in less than a day, 20% in an hour and 25% in half a day. It should be highlighted that one out of every two attacks required an action to stop it, and the remaining 51% needed a more complex strategy to limit its impact, leading merchants to conclude that this is a threat to be taken seriously.

Among the solutions, 51% hired an external service provider to resolve the attack, 39% installed security patches and 25% restored a backup; only 2% of those affected worldwide resorted to paying a ransom to stop the attack. 22% turned to other strategies, such as analysing traffic with a web agency, closing the online store or blocking attacks before the attackers could take advantage.

The results also show that only 18% of merchants who have already been attacked have applied a minimum of five different measures, while this figure rises to 29% for those who have never been attacked.

Even though one in two merchants has never been attacked, cybersecurity remains a top challenge for 90% of respondents and a top priority for 24%. Being a serious and complex topic, even for digital players, 69% of merchants plan to outsource their cybersecurity management.

Security recommendations

Controlled access to PII with well-configured permissions. The principle of least privilege access is key: all identities should have only the minimum permissions necessary to perform their intended tasks.

Event-based scaling during shopping peaks. Rapid scaling can minimise website latency and optimise the customer's shopping experience, but it can also be very powerful in the hands of an attacker. This is why implementing least privilege is critical for all serverless functions of the major public cloud providers.

Introduce improvements in the internal application of identity and access management (IAM). Enforcing least privilege on all systems is necessary, and enforcing multi-factor authentication for all employee access to a cloud environment provides an additional layer of security by reducing the risk of credential theft. Consider that by compromising an unprotected workforce identity that has sensitive access to cloud resources, an attacker gains access to those resources.

Embedded application secrets. E-commerce sites are assembled from many components, integrating with payment services such as PayPal or similar. When building their e-commerce applications, developers can sometimes leave credentials, passwords, keys or tokens embedded in the code, exposing them to potential attacks. Across DevOps pipelines and e-commerce software supply chains, all secrets must be managed securely and rotated programmatically to reduce risk.
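The embedded-secrets problem above, as an added example that is not part of the original post or of Soffid's products: a small Python scanner that flags credential-shaped literals in source lines (a pattern match combined with an entropy check so that placeholders such as `changeme` are not reported), beside the hardened counterpart of reading the secret from the environment at runtime and failing fast when it is missing. The rule set, the sample source lines and the `load_secret` helper are constructed for this illustration; the AWS key id in the sample is the public documentation example, not a live credential.

```python
import math
import os
import re
from typing import List, Mapping, Optional, Tuple

# Illustrative detector for credentials embedded in source code. The patterns
# below are constructed for this example; a production scanner would carry a
# much larger, maintained rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # a variable named like a secret, assigned a quoted literal of 8+ characters
    "secret_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random-looking keys score high,
    human placeholders such as 'changeme' score low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix so the scanner's own output does not re-expose the secret."""
    return value[:4] + "..." if len(value) > 4 else "..."


def scan_source(lines: List[str], entropy_threshold: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, redacted_match) for each suspected embedded secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            if rule == "secret_assignment":
                literal = match.group(2)
                # Low-entropy literals are usually placeholders, not real credentials.
                if shannon_entropy(literal) < entropy_threshold:
                    continue
                findings.append((lineno, rule, redact(literal)))
            else:
                findings.append((lineno, rule, redact(match.group(0))))
    return findings


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened counterpart (hypothetical helper): read the credential at runtime
    from the environment, which a secrets manager populates at deploy time, and
    fail fast if it is missing, so nothing sensitive needs to live in the repository."""
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"required secret {name!r} is not configured")
    return value


# Constructed sample "source file" for the demonstration; it contains no real credentials.
SAMPLE_SOURCE = [
    "import os",
    "PAYPAL_CLIENT_ID = os.environ['PAYPAL_CLIENT_ID']       # good: injected at runtime",
    "paypal_secret = 'EK9fP3xq7Lm2ZaQwVt8yRbNc4HdJ6sUg'        # bad: high-entropy literal",
    "AWS_KEY = 'AKIAIOSFODNN7EXAMPLE'                          # bad: AWS key id shape",
    "password = 'changeme'                                     # placeholder, low entropy",
    "-----BEGIN RSA PRIVATE KEY-----                           # bad: key material in repo",
]

if __name__ == "__main__":
    for lineno, rule, fragment in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule} ({fragment})")
```

Run as a pre-commit hook or CI step, the scanner reports lines 3, 4 and 6 of the sample and stays quiet on the runtime lookup and the low-entropy placeholder; the `load_secret` pattern is what the flagged lines should be rewritten to use, with rotation then handled in the secrets manager rather than in the code.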

Vulnerabilities in the e-commerce website. Without the proper layers of security, retailers are vulnerable to attacks such as distributed denial of service (DDoS), SQL injection and web skimming, which can disrupt business and give attackers access to valuable customer data.

Soffid can help you to protect your data, shall we talk?
