Despite the awareness that they’re a favorite target among cybercriminals, many retail outlets continue to struggle with cybersecurity. According to a survey by ACI Worldwide, 53 percent of retailers do not have a common set of fraud prevention or payment security capabilities within their organization.
An escalating problem
Security concerns will increase as more shoppers turn to mobile devices to make purchases. Those purchases are expected to increase by 40 percent over the next five years, meaning retailers will need to protect multiple purchase endpoints. Unfortunately, cybersecurity tools, such as fraud prevention software, aren’t a priority for many retailers, according to Robert Herjavec, founder of the Herjavec Group, which provides cybersecurity products and services to enterprise organizations.
“Most retailers struggle with narrowing margins,” he explains, “and security isn’t always seen as an accepted budgetary line item.”
But it’s time for that attitude to change, Herjavec contends — especially when considering how devastating a data breach or other incident can be to a business. Yet the types of attacks that typically get the big headlines aren’t in fact the leading concern for retailers looking to better their cybersecurity practices.
“We can talk about ransomware, phishing attacks, visibility across endpoints, and they are all important,” Herjavec says. “But outside of the standard threats, there are really two things that should keep retail businesses up at night: lack of awareness and brand credibility.”
Social engineering, which relies on technological, psychological and physical techniques to trick the end user into breaking security protocols, is a popular tactic used by hackers. Employees, vendors and customers are fooled into believing an email is real — a letter from management or a special offer from the store — and click on a link or open an attachment that is instead loaded with malware and can lead to a data breach. Once customer information is compromised, the company can end up being viewed as less credible.
Awareness begins with educating team members about these malicious communications and how to avoid falling victim. At the same time, retailers should take advantage of the technology available to better prevent these attacks. Fraud prevention software is one such tool; another option is artificial intelligence.
Big data vs. fraud
“One of the greatest challenges we face in identifying modern threats is trying to find the abnormal or criminal activity across large quantities of normal behavior,” Herjavec adds. “The issue is one of big data — being able to find that cyber needle in the haystack of data.”
Data logs hold all the information and communications with the network, and that’s where IT departments find the anomalies that signal an attack. However, this requires two things, manpower and technology, to comb through thousands of logs while knowing what good and bad data look like.
“Through the advancement of big data analytics, we can better target abnormal behavior, perform faster queries with advanced algorithms, and identify more complex behavioral patterns,” explains Herjavec. But most retailers aren’t absorbing the vast volume of log data in their environment. Third-party vendors, such as Managed Security Service Providers — who support logging, alerting and correlation of data — can play an important role in improving security practices and alerting businesses to potential dangers.
It’s not all bad news
Compliance is driving improved behavior, according to Herjavec: “PCI security standards are technical and operational requirements set by the PCI Security Standards Council to protect cardholder data. The standards apply to all entities that store, process or transmit cardholder data, with guidance for software developers and manufacturers of applications and devices used in those transactions.”
All companies that accept credit card transactions are required to abide by these standards. Failure to do so results in fines and the loss of the ability to accept credit card payments in the future. Cybersecurity may not come easily, especially for small retailers; it can be hard for them to commit the time, personnel and financial resources required for a comprehensive security system.
“Cybersecurity isn’t just a one-time expense,” Herjavec offers in response. “Businesses need to cover the basics in order to be compliant, particularly with the PCI DSS standards. [They] should engage a knowledgeable security partner who can help them prioritize their technology needs.”