Just a few weeks before Halloween, Chicago-based candy-maker Ferrara, famous for Nerds, LaffyTaffy and other treats, experienced a ransomware attack that shut down several of its facilities, making it unable to fill orders during one of its busiest times of the year. This should serve as a warning sign for all retailers as we head into the holiday shopping season, a busy time not only for shoppers and merchants but, increasingly, for hackers trying to disrupt business and to take advantage of a key sales period.
As online shopping has boomed since the beginning of the COVID-19 pandemic, so have cyber attacks on retailers. In fact, retail is one of the most attacked sectors, and it has also found itself the victim of an increasing number of ransomware and supply chain attacks, because consumer information, including credit card numbers and other payment details, is a valuable target. Holding large amounts of valuable data while also needing to be online to keep sales channels open and make money, online retailers can suffer a double whammy if an attack both compromises their data and takes them offline, especially during the busy holiday shopping period. Here is a look at why these attacks are up, and how retailers can protect themselves and their customers.
The sheer increase in online shopping: The COVID pandemic has sharply boosted both the number of sales and the number of people shopping online, meaning that retailers now hold more data than ever. This trend is expected to grow during the upcoming holiday season, with 69% of U.S. consumers planning to visit between 2 and 5 shopping websites between Black Friday and Cyber Monday alone, according to data from consulting company Publicis Sapient. The increased traffic and number of transactions on retail sites is part of what makes the sector more appealing to hackers. The popularity of shopping online makes posing as a shopping website or app an increasingly common way for cyber criminals to carry out phishing attacks; for example, with shoppers eager for deals, it is common during the holidays for cyber criminals to put up fraudulent websites offering supposed discounts in return for personal details. When this happens on office or business computers or email accounts, it also gives hackers a gateway into large corporate networks, where they can carry out large attacks. Retail-related attacks that steal customer payment data also rise as more consumers shop from phones and mobile devices; 39% of consumers say they shop regularly on phones, up from 30% in 2020, according to a PricewaterhouseCoopers study. This means they are more vulnerable both to breaches via Wi-Fi networks and to malicious but innocent-looking shopping apps, like the one hackers launched last year posing as Adidas, which stole the personal and payment information of those who used it to buy sneakers.
Scaling up, quickly: In order to keep pace with consumer demand for buying online and, in some cases, to save businesses whose physical stores have suffered during the pandemic, many online shops opened or scaled up quickly. In many cases, this means they have not been implementing comprehensive cybersecurity solutions along the way. This fast scale-up or establishing of an online presence also means that many retailers are relying on outside vendors for services like payment processing, shopping cart functions and other features. This makes retailers, and in turn their customers, vulnerable to supply chain attacks, in which bad actors gain access to a service provider and then use that access to target its subscribers and clients, either directly or indirectly.
Customer data is valuable: Globally, 44% of retailers were hit by ransomware in 2020, with hackers demanding money in return for returning data or restoring systems, according to a report from British IT security company Sophos Group PLC. Increasingly, customer data has become a currency for hackers, who can sell it online, and retailers are also under increased pressure from consumers and government regulations to keep that data secure. So bad actors are betting that organizations will pay to regain access to data encrypted in an attack, especially if there are also threats to sell it, or if the attack also shuts down their shopping websites, manufacturing facilities or other sites during the busy holiday season, when they are relying on doing a lot of business. In fact, about 32% of retail companies have paid a ransom, according to the Sophos report, spending an average of $147,810.
Amid these greater threats, here are some steps retailers can take this holiday season:
Training: One of the most common avenues for attacks is phishing, that is, getting an employee to open an email or download an innocent-looking attachment that installs malware on their device or network and lays the groundwork for an attack. In fact, about 91% of all attacks start with phishing, according to Deloitte. Training employees in your retail organization to better identify these attempts will go a long way toward protecting your company, especially as attacks, including ransomware and supply chain attacks, can have far-reaching effects not only on your organization but on other companies and millions of customers. Organizations also need to continue to emphasize the need for strong passwords, and for their employees to actually use existing security measures, like multifactor authentication. These improvements in human behavior, whose power is often underestimated, are just as important as the technological solutions for cybersecurity.
Protect the right things: Cybersecurity can be an overwhelming topic for many; with hundreds of solutions advertising a zero-risk approach, it is easy to fall into the trap of spending endlessly to chase the latest program. The task can also turn into an overreliance on metrics that may or may not reflect reality. Instead, retailers, like all types of organizations, need to change their approach and focus on protecting what is truly important to their business, and on limiting hackers' access to it. Cybersecurity decisions are not just for the IT department; they should involve a company's entire leadership and be made with business effects in mind. Cybersecurity should be an integrated part of any retail business model. Retailers should also make sure they have strong third-party monitoring in place, and understand the threats that come from their own vendors and suppliers.
Prepare for the worst, in-store and online: It is important to have an incident response plan in place, including a well-defined SLA (service level agreement) with a retailer's cyber security provider, so both parties understand the expectations in the case of an attack or incident. Retailers should have cybersecurity insurance, the same way they need fire insurance. Retailers also need to be careful about assuming that ransom payments can solve their problems. Even if they do resort to paying a ransom, that is often not enough to truly recover all of their data; in fact, among retail companies that have paid a ransom, most never regain up to one third of their encrypted data, according to the Sophos report. Also, only 56% of those retailers were able to restore data from backup systems; this means retailers need to pay more attention to their backup systems as well, not just to protecting their main systems and networks.
As we saw with the candy company attack, cyber attacks are increasingly compromising not just data but also physical operations. We saw this during this summer's high-profile ransomware supply chain attack on American tech company Kaseya, when a Swedish grocery chain had to close 800 stores because its cash registers, which rely on regular remote updates, stopped working. So while retailers are expecting a busy shopping season, they need to be extra cautious to make sure they are not only protected against cyber attacks, but actually expect them, and have a plan for staying open, as much as possible, during these attacks.