As is the case any time there is a battle, there are going to be losses. The real question is to what degree those losses are going to be deemed acceptable. As the retail sector gears up for this holiday season, it is already apparent that cybersecurity casualties are going to be high.
Two recent reports highlight the extent of the challenge. A survey of 239 cybersecurity professionals working in the retail sector conducted by the Ponemon Institute on behalf of Keeper Security, a provider of password management tools, finds only a third believe they have adequate budget to achieve strong IT security, while over half do not. At the same time, 87% of retailers agree that cyberattacks are becoming more targeted, 67% believe attacks are becoming more severe and 61% said cyberattacks are becoming more sophisticated.
Overall, the survey finds 93% of retailers spend less than 20% of their overall IT budget on security. Staffing shortages (91%), insufficient budget (51%) and no understanding of how to protect themselves from cyberattacks (40%) were the most commonly cited challenges preventing a fully effective security posture.
The most commonly reported attack methods are phishing (69%), web-based attacks (54%), and malware attacks (40%), with 61% of retailers having experienced a cyberattack within the past year. Despite those attacks, however, 50% of retailers report they still have no response plan for a data breach in place.
At the same time, a separate report issued this week by IntSights, a provider of a cybersecurity service that surfaces threats on the Dark Web, notes that retailers are also being increasingly victimized by carding operations, which involve the use of a stolen credit card to acquire prepaid cards. Those prepaid cards are then sold at a discounted rate on the Dark Web, resulting in goods and services being fraudulently acquired from e-commerce sites.
The report also notes that retailers, because of a lack of encryption, continue to struggle with cyberattacks aimed at point-of-sale (POS) systems stemming from memory-scraper trojans that are designed to scan, grab, and exfiltrate bank card data.
Cybersecurity professionals working in the retail sector are counting a lot on a forlorn hope. Despite all their skills and expertise, most of the organizations in the sector are going to incur significant losses this holiday season. Alas, this comes as no surprise. Business leaders across the sector are trying to balance a need to stay profitable in an industry notorious for razor-thin margins against potential losses incurred as a result of a cybersecurity breach. It’s not that those executives are not aware of the risks they face. It’s just they don’t have the resources required to combat the threat. Cybersecurity professionals know this as well, which is why many of them prefer to work in other more lucrative sectors.
The real trouble long term is that with each passing year the organizations launching those attacks get richer and larger, which gives them the resources required to develop more sophisticated attacks. The retail industry may not be at the point where cybersecurity attacks are going to completely cripple operations. However, like any host infected by a parasite, it’s only a matter of time before the host becomes too weak to survive in an environment where predators abound. Unless some way is found to more effectively combat those parasites, there may soon come a day when a once-thriving retail sector becomes a shadow of its former self.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.