3 Steps For Retailers To Protect Growing IT Systems From Cyberattacks

By Cyril Noel-Tagoe, Netacea

Everyone loves a bit of retail therapy—especially cybercriminals. Ecommerce sites are one of the easiest targets for cyberattacks. Not because they’re less secure (although some are) but because of the stored trifecta of goods, credit cards, and personal data. It’s the perfect environment for bad actors, and it’s no surprise that research confirms this. Retail remains one of the top five most targeted industries. 

But it’s not just virtual stores that are at risk. Brick-and-mortar outlets are also easy targets, mainly via point of sale (POS) malware and card skimmers. Recently, cybercriminals used two strains of malware to steal over 167,000 credit cards from payment terminals using Windows POS. If sold, the data could net upwards of $3 million.

Attackers are making their way from the back end to the front end. No system is immune. Popular self-checkout systems provide criminals with easy physical access to POS terminals where they can install card-reading devices. Suppose the POS system is on the same network as other connected devices. In that case, attackers may use those connected devices as a mechanism to gain access to the POS system.

Self-checkouts also increase the risk of shoplifting, so retailers are collecting more information on customers through cameras and other sensors for loss prevention purposes. However, if not protected, attackers also can use these IoT devices to eavesdrop or spy on stores, employees, or their customers to gain information that can be used for further attacks. For example, instead of shoulder surfing, credit/debit card information could be stolen via cameras. And as we see more cashier-less stores, the advanced security measures that track customers’ every move and keep merchandise safe, themselves become more of a target for attackers.

Malicious bots are an increasingly popular way criminals permeate retailers’ systems. Bots account for a significant amount of internet traffic. In 2021, 80% of eCommerce and retail websites were targeted by bot attacks. That year bot attacks more than doubled, and mobile apps, which consumers use in-store and online, were affected 61% of the time.

Herein lies the problem. More interconnected systems and tracking of customers results in more complex systems, advanced security, and data collection. As a result, more customer information is subject to theft. As retailers introduce more network-connected technologies, they increase their attack surface. Each connected device presents an opportunity for attackers. And once attackers gain a foothold in the network, they will try to pivot to other connected devices in search of valuable data. 

It’s a sticky situation. How can retailers protect stores – virtual or physical - from theft and protect customer data? 

Follow these three steps: 

1. Segment your network. The problem with cyberattacks is once criminals get into the network, they can roam and attack multiple parts of a business. If you segment your network, attackers are cut off immediately, limiting potential damage. It’s akin to a robber breaking into the house via the front door. Then they can’t get into any of the rooms because those doors are also locked. This is an excellent principle to adopt if you are moving toward establishing a zero-trust framework. When you assume every transaction and user is a potential threat, you limit how they can access information or move across the system. 
2. Employ network monitoring tools. Recognizing that someone has infiltrated the network is critical to keeping it safe. Monitoring all user behavior across the network, including your website, mobile apps, APIs, and more can save you up to speed on suspicious activity. Tools such as bot management solutions can detect patterns from malicious bots that steal data – from scraping sites to fraudulent login attempts. Atypical behaviors are flagged and stopped. Choosing a selection that won’t disrupt the user experience is essential. 
3. Establish a threat detection system. Create a formal process for monitoring your systems and networks for threats. Relying on your staff isn’t enough. Threat detection differs between a low-level incident and a full-blown crisis. AI-based threat detection is faster and more accurate than human monitoring. You also want an automated solution with a low false positive rate. Suppose you are looking at bot mitigation solutions. In that case, you must choose a partner with server-side bot management capabilities, ideally one that doesn’t rely on JavaScript and mobile SDKs. This approach isn’t sophisticated enough to fight ever-changing bots that try to reverse-engineer your defenses and outsmart your technology. 

As retailers’ IT systems get more complex, cyber threats grow. Opportunities for attackers to exfiltrate data to sell on the dark web or to scam retailers out of products to resell are omnipresent. From the POS at a brick-and-mortar store to an eCommerce site, retailers have interconnected systems with larger attack surfaces for cybercriminals to stalk. To understand the threats, organizations need to take steps to protect networks. This includes selecting digital solutions that provide a full picture of your estate – from website to mobile to API traffic, and that can analyze patterns and intents in real time. Criminals move quickly and update their tricks all the time. If you aren’t moving fast enough, they’ll outsmart you. And that’s one sales event you want to miss!

About The Author

Cyril Noel-Tagoe is a Principal Security Researcher at Netacea where he researches, speaks, and writes about malicious bots and other cybersecurity topics. Previously a cybersecurity consultant at KPMG, Noel-Tagoe graduated with an MSCi degree in Computer Science degree from the University of Birmingham in the UK.