It is no revelation that compliance and security are not synonymous, but recent events have reinforced the maxim. Adhering to even the strictest data protection standards is no longer enough to protect retailers from increasingly sophisticated cyber threats.

Instead, full compliance needs to be paired with strategic, resilience-focused security practices that address the risks facing retail today: third-party threats, identity management, and the challenge of sustained long-term investment.

Compliance Does Not Equal Security

Regulations like PCI DSS 4.0 are critical, but they don’t cover the whole risk landscape, especially with expanding digital operations and third-party dependencies.

That payment card data has not surfaced in the recent retail breaches speaks well for PCI DSS, though it may equally reflect the spread of payment card tokenization, or simply that other sensitive data is not protected with the same rigor. Retailers need to acknowledge the damage that can be done without card data: personally identifiable information can still be sold on criminal markets and used in fraud or social engineering attacks that can upend people's digital lives.

Companies should continue to maintain PCI DSS compliance and improve on it over time. But to be truly "safe" in a highly digitized retail environment, they will have to do a great deal more than that.

Retail is a Prime Target for Attackers

Due to its data-rich environment, heavy reliance on uptime and patchwork quilt of legacy and modern technology, retail is increasingly targeted by financially motivated cybercriminals.

Sectors like healthcare face the same dilemma. Unable to sustain operations for even a few minutes without their critical digital assets, these sectors are likely candidates to cave when a ransom note arrives.

Last year, 60% of retailers opted to pay the ransom, which shows that time is the key issue in mitigating these attacks. Some estimates put the cost of downtime as high as $16,700 per server, per minute. This pushes retailers into a fight-or-flight calculation in which they assume the ransom will cost less than staying offline and bringing old systems back up, if backups even exist.

While practical in the moment, paying only signals to attackers that retailers cave easily and are worth targeting again. Nearly 80% of companies that pay the ransom get hit again.

Retailers are tantalizing targets because their reputations, customer base, immediate profits, and future sales are on the line when data gets exfiltrated and systems come to a stop. Attackers know this is perfect leverage for extorting a ransom payment.

Third-Party Risk Critically Impacts Retail Security

Increasingly, breaches originate with trusted external vendors. Retailers must treat third-party security as an extension of their own.

While many large retail chains have adequate security practices of their own, attackers know that holding every third party to enterprise-level security rarely makes the list for a busy corporate SOC. They exploit these blind spots and trusted channels to get in through weak processes or less-protected vendors.

Software suppliers deserve particular attention. They are a prized target because a single compromise upstream can give attackers access to every customer downstream, including retailers of all sizes. Applying software updates promptly is a security best practice, but what happens if the update mechanism itself is compromised? Infiltrating a release pipeline is difficult, but the payoff for an attacker who manages it is enormous. The defense on the receiving end is to verify that every update is signed by the supplier's pinned release key, that it is newer than what is already installed, and that the downloaded artifact matches the signed manifest before anything is installed.
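Worked example of that receiving-end check, added here and not code from the original article or from any vendor it mentions. It assumes a hypothetical supplier that publishes, for each release, a manifest carrying a version number and the SHA-256 of the artifact, signed with an Ed25519 key whose public half is pinned in the client at build time. The keys, artifacts and version numbers are generated in-process and constructed purely for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the metadata the supplier publishes with each release.
// The client trusts the artifact only through this signed manifest.
type Manifest struct {
	Version uint64 // monotonically increasing release number
	SHA256  string // hex SHA-256 of the artifact bytes
}

// canonical returns the exact bytes that are signed, so signer and
// verifier cannot disagree on encoding.
func (m Manifest) canonical() []byte {
	return []byte(fmt.Sprintf("version=%d\nsha256=%s\n", m.Version, m.SHA256))
}

// NewManifest hashes the artifact and builds its manifest.
func NewManifest(version uint64, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	return Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
}

// SignManifest is the step the legitimate release pipeline performs
// with the supplier's signing key (hypothetical supplier, see lead-in).
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

// VerifyUpdate is the client-side gate run before anything is installed.
// pinned is the supplier's public key shipped with the client, not fetched
// from the update server; installed is the currently running version.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint64, m Manifest, sig, artifact []byte) error {
	if !ed25519.Verify(pinned, m.canonical(), sig) {
		return errors.New("manifest signature does not verify against pinned key")
	}
	if m.Version <= installed {
		return errors.New("manifest version is not newer than installed (rollback/replay)")
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("artifact hash does not match signed manifest")
	}
	return nil
}

// RunScenarios exercises the gate against a genuine release and three
// compromised-pipeline cases, returning per scenario whether the update
// was accepted. All keys and artifacts are constructed in-process.
func RunScenarios() map[string]bool {
	supplierPub, supplierPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	const installed = 41
	genuine := []byte("pos-agent v42 (constructed sample artifact)")
	m := NewManifest(42, genuine)
	sig := SignManifest(supplierPriv, m)

	results := map[string]bool{}
	accept := func(name string, err error) { results[name] = err == nil }

	// 1. Genuine release signed by the supplier: accepted.
	accept("genuine", VerifyUpdate(supplierPub, installed, m, sig, genuine))

	// 2. Attacker swaps the artifact on the download server but cannot
	//    re-sign the manifest: rejected on hash mismatch.
	backdoored := []byte("pos-agent v42 + implant")
	accept("tampered artifact", VerifyUpdate(supplierPub, installed, m, sig, backdoored))

	// 3. Attacker publishes a manifest for the backdoored build signed
	//    with their own key: rejected because the pinned key differs.
	evilM := NewManifest(42, backdoored)
	evilSig := SignManifest(attackerPriv, evilM)
	accept("attacker-signed manifest", VerifyUpdate(supplierPub, installed, evilM, evilSig, backdoored))

	// 4. Attacker replays an old, genuinely signed release with a known
	//    weakness: rejected by the version check.
	old := []byte("pos-agent v40 (constructed sample artifact)")
	oldM := NewManifest(40, old)
	oldSig := SignManifest(supplierPriv, oldM)
	accept("rollback to old release", VerifyUpdate(supplierPub, installed, oldM, oldSig, old))

	return results
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-26s accepted=%v\n", name, ok)
	}
}
```

The trust anchor is the pinned key, not the update server, so compromising the download endpoint (case 2) or standing up a lookalike pipeline with a different key (case 3) fails, and replaying an older genuinely signed build (case 4) fails on the version check. What this does not defend against is theft of the supplier's signing key itself, which is why that key belongs offline or in an HSM rather than on the build host.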

An easier avenue into your systems through third parties is social engineering, which exploits the human desire to be helpful. Where two companies' processes are loosely connected, they are easier to abuse: pose as a member of the client company, ask the vendor's help desk for a password reset, and walk away with a valid account.

Organizations today must vet third parties as if they carried full responsibility for that risk, because they do. PCI DSS 4.0 makes this explicit, extending the scope of accountability to critical third-party service providers. That means subjecting every vendor, supplier, and external party to security scrutiny before doing business with them, granting only the minimum access needed once the contract is signed, and monitoring their activity for as long as the relationship lasts.

A Strategy of Zero Trust & Identity Management

Identity management must be about more than efficiency. Least privilege, just-in-time access, and zero-trust policies are core to resilience.

When configuring access policies, operate on the principle of least privilege: grant only the minimum permissions needed to accomplish a task, and do so for internal employees, contractors, and temporary partners alike. Retailers should pair this with just-enough and just-in-time access (permissions scoped to a single task and expiring automatically when its time window closes), adaptive access policies that weigh the context of each request, and an assumed-breach stance in which no request is trusted on the strength of network location or a past approval.
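Worked example of the just-in-time, least-privilege model just described, including the immediate revocation of departed vendors' access that the closing section calls for. This is added here and is not code from the original article or from any product it mentions. It assumes a hypothetical in-process authorizer in which every grant is scoped to one subject, one resource, one action and one expected source country, and a maximum grant lifetime of four hours; the vendor and resource names, the fixed clock and the country check are all constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// MaxTTL caps how long any just-in-time grant may live (assumed policy
// value). Longer access must be re-requested and re-approved.
const MaxTTL = 4 * time.Hour

// Grant is one narrowly scoped, time-boxed permission: a subject may
// perform one action on one resource, from one expected country, until
// the grant expires or is revoked.
type Grant struct {
	Subject  string
	Resource string
	Action   string
	Country  string // where the approver expects the subject to connect from
	Expires  time.Time
	Revoked  bool
}

// Request is what the policy decision point is asked to evaluate.
type Request struct {
	Subject, Resource, Action, Country string
}

// Authorizer holds the live grants. There is no standing role and no
// trusted network: a request is allowed only if a live grant matches it
// exactly (default deny, assumed breach).
type Authorizer struct {
	grants []*Grant
}

// GrantJIT issues a just-in-time grant. ttl is clamped to MaxTTL so a
// generous request cannot quietly turn into standing access.
func (a *Authorizer) GrantJIT(subject, resource, action, country string, ttl time.Duration, now time.Time) *Grant {
	if ttl <= 0 || ttl > MaxTTL {
		ttl = MaxTTL
	}
	g := &Grant{Subject: subject, Resource: resource, Action: action, Country: country, Expires: now.Add(ttl)}
	a.grants = append(a.grants, g)
	return g
}

// RevokeSubject immediately revokes every live grant held by a subject,
// for example a vendor whose contract ended or an employee who left.
// It returns the number of grants revoked.
func (a *Authorizer) RevokeSubject(subject string) int {
	n := 0
	for _, g := range a.grants {
		if g.Subject == subject && !g.Revoked {
			g.Revoked = true
			n++
		}
	}
	return n
}

// Allowed evaluates a request at time now. Expired and revoked grants
// are skipped; the country comparison is the minimal "adaptive" signal
// in this example, refusing a valid grant used from an unexpected place.
func (a *Authorizer) Allowed(req Request, now time.Time) bool {
	for _, g := range a.grants {
		if g.Revoked || !now.Before(g.Expires) {
			continue
		}
		if g.Subject == req.Subject && g.Resource == req.Resource &&
			g.Action == req.Action && g.Country == req.Country {
			return true
		}
	}
	return false // default deny
}

// RunAccessScenarios walks through the lifecycle of one vendor grant and
// returns, per scenario, the access decision. The clock is fixed so the
// results are deterministic; all names are constructed for the example.
func RunAccessScenarios() map[string]bool {
	t0 := time.Date(2024, 6, 1, 9, 0, 0, 0, time.UTC)
	a := &Authorizer{}
	// Vendor support engineer gets two hours of read access to the POS
	// database to work one ticket, expected to connect from the US.
	a.GrantJIT("acme-pos-support", "pos-db", "read", "US", 2*time.Hour, t0)

	r := map[string]bool{}
	ask := func(name string, req Request, at time.Time) { r[name] = a.Allowed(req, at) }
	ask("in scope, in window", Request{"acme-pos-support", "pos-db", "read", "US"}, t0.Add(time.Hour))
	ask("escalation to write", Request{"acme-pos-support", "pos-db", "write", "US"}, t0.Add(time.Hour))
	ask("lateral move to hr-db", Request{"acme-pos-support", "hr-db", "read", "US"}, t0.Add(time.Hour))
	ask("unexpected country", Request{"acme-pos-support", "pos-db", "read", "BR"}, t0.Add(time.Hour))
	ask("after expiry", Request{"acme-pos-support", "pos-db", "read", "US"}, t0.Add(3*time.Hour))

	// Contract ends mid-window: revoke now rather than waiting for expiry.
	r["revocation count ok"] = a.RevokeSubject("acme-pos-support") == 1
	ask("after revocation", Request{"acme-pos-support", "pos-db", "read", "US"}, t0.Add(90*time.Minute))

	// A 30-day request from a contractor is clamped to MaxTTL.
	g := a.GrantJIT("contractor-7", "build-server", "deploy", "US", 30*24*time.Hour, t0)
	r["ttl clamped"] = g.Expires.Equal(t0.Add(MaxTTL))
	return r
}

func main() {
	for name, ok := range RunAccessScenarios() {
		fmt.Printf("%-24s allowed=%v\n", name, ok)
	}
}
```

Only the first request succeeds; every other decision is a denial, including the one made after revocation but before the grant would have expired on its own. That last case is the practical difference between "access ends when the contract ends" and "access ends whenever someone remembers to clean it up".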

Security as a Business Strategy

Cybersecurity should be treated as strategic infrastructure, not just a compliance expense or technical issue.

The biggest mistake a company can make is to treat security purely as a cost to be minimized. It should not be funded from whatever is left over after other areas have been addressed; it should come first in boardroom budget decisions, because cybersecurity is the most reliable insurance a business can buy today.

Treating security as a strategic imperative, not as a way to go above and beyond, should be foundational to the culture of any competitive organization today. Doing otherwise ignores the devastating effect a single critical hit can have on an enterprise's revenue, and leaves the company paying far more for clean-up than it ever would have paid for caution.

Final Thoughts

As attacks on retail continue to land, retailers need to take adequate, not token, precautions.

This means going back to the drawing board if necessary and reassessing long-standing third-party risk management practices. We are seeing entire environments re-architected after a breach, work that, with hindsight, should have been done to prevent the breach. Retailers should learn from each other to combat a common enemy.

Next, they should align identity management with zero-trust principles: just-in-time access, least privilege, and immediate revocation of access for departed vendors and employees.

Retailers should replace compliance-only thinking with proactive security strategies that hold up against today's sophisticated attacks.

And lastly, retail safety rests on a culture where continuous security improvement is expected and modeled from the top down. Encourage internal and external transparency where appropriate, and make a zero-trust attitude toward employees, vendors, suppliers, and software alike the default.

To retailers' surprise, third parties are going to understand. It's not personal; it's policy. And it is these policies that will ultimately save savvy retailers from being the next targets of an attack.

About the Author
Josh Davies
Josh Davies is a Principal Market Strategist at Fortra. As part of the Product Strategy team, Josh informs and influences the strategic direction of Fortra solutions and platform.
