Retail

The industry’s attack surface is expanding as retailers of every shape and size look to boost sales and improve efficiency by harnessing the latest data-driven technologies. Use of big data and sophisticated data warehouse models is growing fast. Also, many retailers are getting into the healthcare and pharmacy businesses, and as such are holding more sensitive data than ever before. Meanwhile, there is a steady shift from cash payments to electronic card payments in developing countries.

Insider threats in retail are also rising. Employee turnover is high, and the typical retailer has many points of insider vulnerability, including seasonal and traditional employees, as well as numerous stores and distribution centers. Many retailers also outsource some of their business processes to third parties.

Trends such as these are giving rise to a new breed of criminals. Instead of stealing money or physical goods from a store or warehouse, these cyber-criminals focus on stealing information — especially the valuable cardholder data that flows between consumers and retailers.

System access by employees and third-party contractors should be tied to job functions and carefully planned and monitored. Access to specific data fields should be planned just as carefully because of the threat of data aggregation (creating sensitive data by piecing together seemingly benign data from various data sources).

Point-of-sale (POS) systems are an increasingly popular point of attack for acquiring transaction data, giving cyber-criminals immediate access to valuable information such as card numbers and personal identification numbers (PINs).

Traditional data sources within the organization are also vulnerable. These include databases containing customer information, as well as intellectual property valuable to competitors, such as planned future store locations and demographic data (e.g., average income or age in a shop’s region).

Some attacks use advanced technology that takes advantage of weaknesses in the IT infrastructure. Other attacks are as simple as an insider copying data to portable media and then walking out the door.

Whether an attack is simple or sophisticated, the results can be disastrous. Retailers today must understand the potential threats and take aggressive action to protect themselves and their customers from harm.