Cyber security challenges of moving retail online
Written by Elad Ben-Meir, vice president of marketing, CyberInt
UK retailing is going online and mobile. According to industry estimates, UK shoppers will spend roughly £67 billion online in 2017, of which around £27 billion will be via mobile devices.
Although online spending is still slightly less than a fifth of total UK retail spending – which in 2016 was about £358 billion – it is rising fast and eating up an increasing slice of High Street profits. It is also estimated that the mobile phone shopping market will grow by roughly a quarter this year. And this new style of shopping is about to revolutionise British retailing by delivering the IT industry's long-awaited promise of ‘Any3’, the ability to deliver anything, anywhere, at any time.
As we see more of traditional retailers’ business move online and go through a digital transformation, they will be racing one another to secure a claim on the industry's new cyber future. This means streamlining their operations and delivery systems by digitising them wherever possible to reduce overheads sufficiently to be able to compete in the new digital marketplace, where a cheaper price is only a click away.
But developing complex new online payment systems, operating with new partners, moving more operations onto the cloud and dealing with larger numbers of online customers is now putting a huge strain on retailers’ IT resources. When those resources are sufficiently stretched, holes could begin to appear in their security posture.
Unfortunately, all this is taking place at a time when cyber criminals are becoming ever more ambitious, particularly in the retail sector. In addition to well-publicised cyber attacks over the past sixteen months such as the NHS, JD Wetherspoon and Tesco Bank hacks, there have been growing numbers of largely unreported attacks on retailers and their clients. These frequently involve increasingly ambitious ransomware demands or the theft and fraudulent use of customers' financial details.
Deprived of their traditional shopfront marketing, retailers are increasingly turning to online marketing avenues such as social networking. But this move online also offers new opportunities for cyber crime. Last year saw organised cyber criminal gangs creating counterfeit ad links and web pages offering everything from fake free McDonalds hamburgers to fake free British Airways flights. All the customer had to do was to fill in some personal details, which the cyber criminals were then free to exploit for identity theft and financial fraud.
This year, cyber criminals are becoming even more devious. Research carried out by CyberInt reveals that almost two per cent of social media comments and postings with an embedded URL are malicious. Other forms of cyber fraud that retailers should be aware of include cross-site scripting (XSS), where malicious code is injected into a trusted website, and ‘click-jacking’ – concealing hyperlinks beneath legitimate clickable content so that a user who clicks unknowingly performs actions such as downloading malware.
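The two browser-side attacks named above have well-known defences that a retailer's web team can apply on the server side: encode untrusted text before it is placed in a page (against XSS) and send headers that forbid other sites from framing the page (against click-jacking). The following is an added example written for this article, not code from CyberInt or from any retailer; it assumes a Node.js-style page renderer, and the page layout and the `SAMPLE_REVIEW` input are constructed for illustration. The header names (`X-Frame-Options`, `Content-Security-Policy` with `frame-ancestors`) are standard browser headers.

```javascript
// XSS defence: HTML-encode every character that can open a tag, attribute or
// entity, so untrusted text is rendered as text rather than executed as markup.
function escapeHtml(untrusted) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Click-jacking defence: headers that tell the browser not to render this page
// inside a frame on another origin. Both headers are sent because older browsers
// honour only X-Frame-Options while newer ones prefer the CSP directive.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Render a customer-review page (hypothetical layout). The review text is
// treated as untrusted user input and escaped; the anti-framing headers are
// attached to the response.
function renderReviewPage(reviewText) {
  const body =
    '<html><body><h1>Customer review</h1><p>' +
    escapeHtml(reviewText) +
    '</p></body></html>';
  return {
    headers: { 'Content-Type': 'text/html; charset=utf-8', ...antiFramingHeaders() },
    body,
  };
}

// Check that a response actually blocks framing. Useful in an automated test or
// a scanner run over a retailer's own pages: either header on its own is enough.
function isFramingBlocked(headers) {
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  const csp = headers['Content-Security-Policy'] || '';
  return xfo === 'DENY' || xfo === 'SAMEORIGIN' ||
    /frame-ancestors\s+'(none|self)'/.test(csp);
}

// Constructed sample input: a review containing a script tag, as a malicious
// visitor might submit it through a review form.
const SAMPLE_REVIEW = 'Great shoes <script>alert(1)</script>';

const page = renderReviewPage(SAMPLE_REVIEW);
console.log(page.body);                      // script tag appears as encoded text
console.log(isFramingBlocked(page.headers)); // true
```

The escaping is applied at the point where text is written into HTML, not when it is stored, because the same review may later be written into a JSON API or an e-mail, each of which needs its own encoding. `isFramingBlocked` is the kind of check a continuous-testing tool can run against every public page so that a framing header accidentally dropped during a redesign is caught before it is exploited.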
When extending their online marketing capacity or entering into partnerships with other organisations, retailers should correspondingly extend their traditional security perimeters well beyond their internal security system. Even when streamlining their operations by utilising cloud service providers, retailers often expose themselves to more substantial risks that should be managed as part of their security strategy.
In order to protect their outer security perimeters across social networks and extended communications networks, retailers must employ a more proactive form of cyber defence. They must keep abreast of the cyber criminals’ methods and likely targets by constantly monitoring the Dark Web and by securing their social networking operations.
Red Team Automation must also now be seen as a core part of any major retailer’s cyber security strategy. A ‘Red Team’ traditionally works in a covert manner, testing an organisation’s weakest points using the same techniques used by organised cyber criminals. The automation of this process deploys specialist software designed for continuous testing. Utilising Red Team Automation, chief information security officers can identify weaknesses in their defences and act to fix them before they are exploited by cyber criminals. Companies can then be certain they are taking the right steps and buying the most appropriate technology products to reinforce their security perimeters. Where necessary, they are then in a position to combine this with appropriate and effective awareness training – a key element in any security strategy as the human link is frequently the weakest link.
Techniques previously developed by cyber criminals to target financial institutions are now being increasingly used to hack major retailers. These frequently involve highly targeted scams aimed at key individuals. Often, these are preceded by extensive social engineering of social networks, conference postings and corporate websites, to build a sufficiently accurate portrait of the targeted individual to scam them into breaching their own corporate security by, for instance, clicking on an email link or opening an attachment in a superficially legitimate but unchecked email. Cyber fraudsters have become experts at email and identity scams when trying to install ransomware or other malware onto corporate IT systems.
As retailers push to move much of their operations online as quickly as they can, they must strengthen and extend their cyber security boundaries. Failure to do so could result in significant financial damage and brand damage, together with the inevitable loss of customer and investor confidence.