The National Cyber Security Centre (NCSC) recently published important cybersecurity guidance to help protect retailers, which comes right as the holiday shopping season is in full swing.
Retail organizations are no strangers to cyber attacks. In fact, some recent large-scale retail industry cyber attacks have included popular brands such as Guess, Under Armour, CVS Health, Home Depot, and Target. While cyber attacks show no signs of slowing down, many businesses and organizations have stepped up by employing best cybersecurity practices and skilled cybersecurity professionals. But cyber criminals have evolved, too. Let’s learn more about how retailers can protect themselves during the holiday shopping season.
The State of Retail Cyber Crime
In general, about 43% of cyber attacks target small businesses. A data breach is the most expensive form of a cyber attack, and in some cases can cost a U.S. business or organization more than $8 million.
Stores that sell goods and services are especially popular targets, with about 24% of cyber attacks affecting retailers, as Threat Intelligence explains. The same article states that “Many retail businesses are a hybrid of brick-and-mortar and e-commerce. To manage this ecosystem, they use a mix of technologies (e.g. PoS in stores and cloud-based systems for e-commerce). However, this hybridization also creates numerous e-commerce cybersecurity risks.”
According to Forbes, flaws in payment platforms such as Apple Pay and Google Pay have contributed to an increase in the number of data breaches. Additionally, retailers are favored targets for phishing scams, ransomware attacks, data breaches, and supply chain attacks.
The Latest NCSC Cybersecurity Guidance
As NCSC Deputy Director for Economy and Society, Sarah Lyons, explains: “Online shopping is bigger than ever and that’s something to be welcomed — but unfortunately it comes with the risk of shoppers’ accounts being exploited. Businesses have a major role to play in protecting online shoppers, which is why we’ve produced new guidance to help them do so. Following this guidance will allow businesses to help keep their customers safe online as well as protecting themselves from potentially crippling cyber attacks.”
This new guidance from the NCSC is geared toward online retailers, and those “who are at risk of having their brand spoofed by criminals for malicious purposes.” Highlights include:
- How to choose the right type of authentication method, which goes above and beyond password-only security that many retailers are used to. The NCSC highlights the following statistics to support this guidance: 52% of passwords are reused across accounts, and passwords cause the majority (80%) of data breaches.
- How to protect your online brand. This guidance details the concept of a “takedown” — which refers to “the removal of malicious content such as phishing sites.” Retailers have access to step-by-step instructions about how to contact a hosting company or domain registrar if they find their goods and services are being misused or misrepresented online.
The NCSC also includes guidance and best cybersecurity practices for consumers, which include using separate passwords for each account, creating strong passwords that contain three random words, using two-step verification, implementing the latest security updates, and backing up your data and information.
Additional Cybersecurity Resources for Retailers
In addition to the NCSC, it’s recommended that retailers keep these resources in mind:
- The National Retail Federation provides a list of cybersecurity assets, including articles, reports, webinars and more.
- The Federal Communications Commission (FCC) outlines 10 cybersecurity tips for small businesses, which include training employees on best practices, securing Wi-Fi networks, and limiting employee access to certain types of data and information.
- An article from Security Today discusses cybersecurity best practices for retailers. One of the biggest tips is securing the point of sale with the latest security solutions.
- Discover cybersecurity-related free webinars, white papers, blog posts and more from the SANS Institute.
- The Cybersecurity & Infrastructure Security Agency (CISA) provides Cybersecurity Awareness Month Resources, which include a toolkit and tip sheets.
- Guidance from the U.S. government’s resource, Ready, details the steps you should take to protect yourself and what to do both during and after a cyber attack. While this guidance is targeted toward individuals, it’s also applicable to businesses and organizations.
With the holiday shopping season upon us, and retailers embracing e-commerce and digital payment platforms more than ever, it’s important to employ the latest cybersecurity practices and keep up to date on the latest global guidance. Avoiding cyber attacks altogether may be impossible, but there are valuable steps that retailers can take to greatly minimize their risk.
About the Author:
Michelle Moore, Ph.D., is an academic director and professor of practice for the University of San Diego’s innovative online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher and author with over two decades of private-sector and government experience as a cybersecurity expert.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.