Retailers aren’t the only ones who benefit from the holiday shopping season. Cyberattacks cost retailers more than $30 billion annually, and losses often mount during the highly profitable holiday season.
How much money is at stake? In 2018, more than 165 million people spent $6.2 billion over the Black Friday weekend, and an additional $7.9 billion on Cyber Monday. With the retail industry putting up numbers like these, it’s not surprising that there were 76.4 million malware attacks and 797,607 phishing attacks in December 2018 alone, according to research by SonicWall Capture Labs.
Retail CISOs have the responsibility of protecting their entire infrastructure -- from POS systems to online customer databases -- against attacks this holiday season. As Black Friday kicks off the holiday shopping rush today, the Morphisec team felt it would be valuable to look at the state of retail cybersecurity from the customer perspective.
That’s why we commissioned Morphisec’s 2019 Retail and POS Cybersecurity Threat Index, a survey administered in Q3 2019 to 1,000 U.S. consumers aged 18+ and weighted by age, region, and gender. Understanding the risks from malicious actors facing retailers, and how customers perceive your work as CISO can only help make a case for protecting your company from advanced persistent threats.
Consumer Perception About Security Drives Wallet Share
Nearly one in five U.S. consumers (18%) have been victims of a retail cyber attack, according to Morphisec data. This mostly takes the form of data breaches, which in the last 12 months have included popular department stores like Macy’s, Bloomingdales, Lord & Taylor, and Sak’s Fifth Avenue.
Going back even to 2014, when Target was breached because of an unsecured partner login, retailers are a prime target for cybercriminals. These and other high-profile data breaches at retailers have created an environment where customers are leery of retailers.
In fact, nearly 7 out of 10 (67%) of consumers don’t believe retailers have done enough to secure their technology infrastructure. In fact, a 2018 Thales report found that nearly half of all retailers were victims of cyber attacks last year, so it’s really no surprise that such a significant portion of the population lack trust in the cybersecurity of the stores they are planning to shop with this holiday season.
Our findings also show that over half of consumers (51%) say their trust in a retailer’s cyber defenses influences if they shop with them. This is somewhat in line with previous research, which found that 37% of cyber attacks cause brand reputation loss for companies with consumers.
It means that the cybersecurity risk to retailers this holiday season extends beyond potential investigative, audit, software, crisis management, regulatory, legal and customer compensation costs. It could have longstanding impacts on consumer brand perception.
What’s also important to note here is that consumers are often left in the dark when their data has been compromised — unless breaches are covered by the mainstream media. In fact retailers often are too, at least for a period of time.
It takes most companies six months to detect a data breach, even major ones, says Ponemon Institute. There also is no federal law that notifies customers when they’ve been affected by data breaches, although at the state level this is a different story. (Although it took until 2018 for all 50 states to have privacy laws protecting citizens).
As we enter the peak shopping season, nearly 70% of customers say they believe threat levels will be higher this year versus last holiday season. Its likely shoppers are also aware of the increasing number of new ways hackers can target consumer transactions and payment data through multiple touchpoints they now have with retailers (in-store, online-sites, mobile apps, email, etc.).
And their worries are substantiated. Past research has found that cyber attacks specifically usually peak on Cyber Monday and remain elevated through the end of the year, posing stark risks for those avid shoppers hunting doorbuster deals before they end.
‘Tis the season for scammers apparently, and it’s the ordinary ‘Joe’ buying gifts for family and friends who suffer. UK-based IT group, Dimension Data, studied the spike in cyberattacks during the 2017 holiday season and found that the average consumer lost anywhere from $50 to $5,000 per incident. Talk about spoiling the festive mood.
Threats Facing Customer Financial Data
While setting up skimming fraud within physical retail outlets used to be a widespread practice, advancements with in-store POS systems and chip cards have made these schemes less fruitful for criminals. Instead, fraudsters have moved skimming to the digital landscape with online or e-skimming, which poses a threat to online shoppers by inserting a skimming code on a retailers’ checkout page to grab credit card information.
Fortunately, it looks like shoppers are aware of this new threat, with 66% of consumers noting they are more concerned with fraudsters trying to skim their credit card information online. That was considerably more than the 34% of consumers that were worrying about fraudsters attempting to target them through skimming their credit card information in-store.
However, that doesn’t mean that internet-connected POS systems aren’t vulnerable to other types of more advanced online threats. Take for instance, the malware-wielding attackers that stole payment card data by infecting the Forever 21 POS systems for over seven months in 2017.
POS systems have not only become a target of choice for notorious cybercrime groups like FIN6, Carbanak / FIN7 and FIN8, but POS malware kits can be purchased on the cybercrime underground so even those without skills and infrastructure can set up shop.
These types of advanced POS attacks aren’t reserved for the retail industry only. In fact, nearly 90% of cyberattacks on the accommodations and restaurant industries involve POS intrusions. However, when it comes to consumer perception, they certainly believe retailers may be most susceptible to these new types of advanced POS attacks.
In fact, 4-in-10 consumers believe retail POS are the most susceptible to cyberattacks, followed by POS systems within the restaurant industry (26%), other industries (18%), the sports entertainment industry (8%), and the hotel industry (8%).
Modern POS environments are rife with entry points for attacks, from phishing emails and web exploits on employee computers to vulnerable third-party suppliers, and attackers are increasingly targeting all of these vulnerabilities.
What Can Retailers Do to Mitigate Risk?
The threat environment is only going to remain fraught with risk for retailers and holiday shoppers. Cybercriminals will always target the holders of large amounts of sensitive data, whether that is payment card data or personally identifiable information.
This holiday season, retailers need to mitigate the risk of a breach that could interfere with their busiest time of the year. This includes training their employees at the in-store and ecommerce level to understand best practices, as well as deploying the kind of solution that prevents attacks from happening in the first place.
The benefits of doing so far outweigh the costs, especially when it comes to consumer trust and long-term business success. As consumers trust you to keep their data safe, so too will your business grow.