Bad guys know retailers and businesses are working to stay one step ahead of their sophisticated and malicious attacks. To combat this, hackers are looking to gain access to sensitive information by taking a much easier route: using legitimate credentials to go right inside.
In this week’s Hacker Tracker, Ryan Stolte, cofounder and CTO at Bay Dynamics, joined PYMNTS to shed light on the growing cybersecurity concern of insider threats and how retailers are making big strides in keeping hackers locked out for good.
Whether it’s a legitimate employee who is intentionally misusing their access to sensitive data or a cybercriminal who has figured out an employee’s credentials in an attempt to take advantage of their access, insider threats are one of the biggest security problems facing retailers today.
“Despite all of our attempts at locking down the various ways somebody could attack applications, like a website we are using for eCommerce or a point-of-sale system, one of the major methods that people are using to cause a data breach is with legitimate credentials,” Stolte explained.
“The bad guys realize that we’re getting better at locking the doors, so they have to go after the keys, and really, that’s what those user credentials are.”
Bay Dynamics’ 2016 Pre-Holiday Retail Cyber Risk Report, which details cyber risks posed by permanent, temporary and contract employees within retail organizations, surveyed IT and security professionals in the retail space to identify how much visibility they have into employees’ actions, how quickly they patch vulnerabilities, when they feel the most pressure to secure their organizations and more.
The data revealed that 56 percent of respondents admitted that they do not feel more pressure during the holidays to secure their organizations, which Stolte said indicates that the pressure and awareness surrounding security are now year-round and no longer a “seasonal” priority. Not only are employers keeping a closer eye on the access and actions of their permanent, temporary and contract employees, but the research revealed they are also limiting the access provided to temporary or seasonal employees.
“This year, we’re seeing that the general awareness of what good security looks like has shifted dramatically,” Stolte explained. “People are making substantial progress at securing environments and taking that seriously. The level at which that change has occurred in just a year is big, but it also reflects the awareness just at large in our communities about cybersecurity issues.”
According to Stolte, retailers are starting to realize that cybersecurity means making sure systems are protected year-round, not just for major shopping holidays like Black Friday and Cyber Monday.
Mobile Dials Up Holiday Cybercrime
The latest holiday shopping forecasts predict that even more consumers will use their mobile devices for purchasing goods this season. In fact, a new report from Skycure revealed that 90 percent of holiday shoppers will use smartphones while in-store this holiday season to access coupons, compare prices and find the latest deals.
“Black Friday and Cyber Monday are a recipe for cyber-scams,” Yair Amit, CTO and cofounder of Skycure, said in a statement. “The first brings large groups of people using their mobile phones to one place. The second attracts people who might overlook security to get a better deal. Unfortunately, mobile threats exist for shoppers whether they’re shopping in a store or on a mobile device from the comfort of their own home or workplace.”
It’s safe to assume that, whichever channel shoppers are flocking to, cybercriminals won’t be too far behind. It’s expected that fraudsters will stake out Wi-Fi connections and set up fake mobile apps, all in hopes of compromising shopper data while they use their smartphones.
“It will take time for customers to fully understand all the security implications of public Wi-Fi networks,” explained Don Duncan, security engineer for NuData Security. “Studies like this help to remind us that public Wi-Fi is not secure and that your data is at risk of being stolen, especially when paired with malicious apps, as in this case.”
Retailers’ Risky Business
Now that the holiday shopping season is in full swing, retailers are facing the opportunity for big revenue rewards, as well as big cybersecurity risks.
The National Retail Federation predicts online sales will surge by 7–10 percent this holiday season, with the proportion of retail sales via eCommerce at the highest it’s ever been. But CrowdStrike is warning retailers not to lose sight of the growing cybersecurity threats that the holiday season is also sure to bring.
Ransomware or DDoS attacks can easily bring down an online retailer’s eCommerce sales or knock out a POS system, resulting in frustrated customers and negative shopping experiences.
According to CrowdStrike, retailers that are the most security-conscious have already taken steps to ensure they won’t fall victim to a possible onslaught of cyberattacks during the holidays. These precautions include proactively monitoring environments 24/7 to detect irregularities, increasing the use of tools that identify indications of attacks beyond just malware and viruses, and making assessments ahead of high-volume shopping times.