It’s been a headline year for cyberattacks, and one of the biggest was this summer’s Kaseya ransomware attack. Up to 1,500 businesses worldwide were affected, with disruption ranging across schools, railways and, in what was perhaps comparatively underreported news, retail.
Hundreds of Coop stores in Sweden, for example, were forced to close temporarily because of the attack. One of Coop’s suppliers, Visma Esscom, was hit because it uses technology from Kaseya, a software company headquartered in Miami, USA and Dublin, Ireland.
2021 also saw cyberattacks against the likes of Neiman Marcus, Tesco and Guess. As recently as last week, food retail store Spar had to temporarily close several of its stores in the north of England due to an IT attack affecting its ability to process card payments.
Retail cybersecurity is therefore a hot button issue, and will remain so for 2022. As a report from analytics firm GlobalData on cybersecurity in retail affirms, forward-thinking retailers should “pivot toward a holistic cybersecurity approach to shore up their current position. This approach will also ensure strong future-proofing elements to acknowledge ongoing changes in line with wider growth strategies.”
Future-proofing needs future thinking, and with that in mind Verdict and Verdict Retail present the retail cybersecurity predictions to keep in mind for 2022, as shared by security experts and executives in the field.
Increasing visibility for retail cybersecurity
Steven Rees-Pullman, SVP, Auth0
“The next challenge for retail leaders is securing the raft of new devices and services underpinning their digital transformation. Building trust through monitoring and threat detection is top of mind, especially as retail continues to rank among the top two industries most affected by credential stuffing attacks.
“Since user accounts are very often targets for loyalty points or buying up limited edition merchandise, a big priority will be deploying systems that monitor login behaviour. Traffic spikes and changes in geolocation can both be used to spot an attack before it happens. Trust is massively important and fragile in the digital world, and we’re seeing retailers embrace threat signalling as standard in their customer identity and access management (CIAM) infrastructure.”
“(Also) with customers shopping online more than ever, now is the time for retailers to make the login experience vanish, incorporating technologies that provide a frictionless experience, without compromising security.
“The pressure to attract and convert shoppers, as well as dwindling attention spans, have made first impressions all the more important, and 83% of consumers have abandoned their cart or sign-up attempt due to an arduous login experience. While passwords will still be with us for a while, we’re bound to see continued adoption of social logins and passwordless authentication that encourage account creation, repeat business and conversion.”
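The two login signals Rees-Pullman names, a burst of failed attempts across many accounts from one source and a customer suddenly authenticating from a different country, are easy to express as detection rules over an authentication log. The following is an added example, not code from Auth0 or the article; the log format, thresholds and sample events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the article).
# One event per line: ISO-timestamp,username,src_ip,country,result
SAMPLE_LOG = """\
2021-12-01T10:00:01,alice,203.0.113.5,SE,success
2021-12-01T10:00:05,bob,203.0.113.5,SE,fail
2021-12-01T10:00:06,carol,203.0.113.5,SE,fail
2021-12-01T10:00:07,dave,203.0.113.5,SE,fail
2021-12-01T10:00:08,erin,203.0.113.5,SE,fail
2021-12-01T10:00:09,frank,203.0.113.5,SE,fail
2021-12-01T10:00:10,grace,203.0.113.5,SE,fail
2021-12-01T10:03:00,alice,198.51.100.9,BR,success
2021-12-01T11:30:00,bob,192.0.2.44,SE,success
"""


def parse_events(text):
    """Parse the constructed CSV log into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, ip, country, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "country": country, "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, spray_window=timedelta(seconds=60), spray_users=5,
           geo_window=timedelta(minutes=60)):
    """Return alerts for two credential-abuse signals.

    credential_stuffing: one source IP fails against >= spray_users distinct
        usernames inside a sliding window (thresholds are assumptions).
    geo_change: a user's successful login comes from a different country than
        their previous success, within geo_window.
    """
    alerts = []
    fails_by_ip = defaultdict(list)   # ip -> [(ts, user)] failures in window
    flagged_ips = set()               # alert once per IP, not per attempt
    last_success = {}                 # user -> (ts, country)

    for e in events:
        if e["result"] == "fail":
            window = fails_by_ip[e["ip"]]
            window.append((e["ts"], e["user"]))
            # Slide the window: discard failures older than spray_window.
            while window and e["ts"] - window[0][0] > spray_window:
                window.pop(0)
            distinct = {user for _, user in window}
            if len(distinct) >= spray_users and e["ip"] not in flagged_ips:
                flagged_ips.add(e["ip"])
                alerts.append({
                    "rule": "credential_stuffing",
                    "subject": e["ip"],
                    "detail": f"{len(distinct)} distinct usernames failed "
                              f"within {int(spray_window.total_seconds())}s",
                })
        else:
            prev = last_success.get(e["user"])
            if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= geo_window:
                alerts.append({
                    "rule": "geo_change",
                    "subject": e["user"],
                    "detail": f"{prev[1]} -> {e['country']} "
                              f"within {e['ts'] - prev[0]}",
                })
            last_success[e["user"]] = (e["ts"], e["country"])
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

In production the per-IP failure window would live in a store shared across login servers and the geolocation lookup would come from an IP-to-country database; the rules themselves do not change. Alerting once per flagged IP keeps a stuffing run from generating thousands of duplicate alerts.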
Fear the known
Geoff Forsyth, Chief Information Security Officer, PCI Pal
“Stop fearing the unknown and focus on existing threats. Next year, we shouldn’t be focused on seeking out new forms of fraud, but rather focus on the shift and re-emergence of existing iterations. As card-present payments fall farther behind card-not-present, payment webpages are more likely to be compromised by good old fashioned third-party scripts or attacks.
“2021 had an abundance of new payment processes emerge, but across these new vendors we saw an obvious lack of security expertise, which allowed fraudsters to use old tricks to attack vulnerable shoppers. As more and more payments go online, the wider the landscape is for scammers to attack.”
Ransomware and retail cybersecurity
Matthew Roach, Head of i-4, KPMG UK
“Ransomware will be rebranded: As the Emotet botnet has re-emerged following the short-lived law enforcement takedown, there is evidence of collaboration between notorious ransomware gangs that will gather pace next year.
“Most recently, Emotet has been adapted to drop Cobalt Strike onto victims’ systems, and we can expect threat actor groups including Ryuk, Conti and REvil to work together and kick off with new campaigns targeting sectors which have not previously been subjected to such attacks – with their sights set on retail. As well as disabling systems, these threat actors will be aiming to harvest customer credentials to carry out double extortion/secondary fraud attempts at scale. Retailers and ecommerce should ensure their client data is held in an encrypted format to protect against this threat.”
Abandon cart all ye shop here?
Andrew Shikiar, Executive Director, FIDO Alliance
“Fraud is a topic not far from any eCommerce merchant’s mind, but many of the additional authentication methods added by financial services players to boost security leave a lot to be desired, creating a secondary knock-on effect that is damaging the user experience and an even bigger headache for online merchants – cart abandonment.
“In 2022, we predict online merchants and financial services players to start scrutinizing legacy ‘step-up’ authentication methods – such as SMS OTPs and push notifications – and look to new payment and authentication industry innovations that cause less friction. Delegated authentication is one leading example, enabling merchants and wallet providers to combine their own authentication or log-in processes with the EMV 3DS request to approve purchases. This makes the UX for customers super simple, only requiring them to authenticate once to both login and authorise a payment, while offering the highest level of security and meeting 2FA requirements.
“2022 will also see retailers start to assess their cybersecurity strategy in more detail. Without the rush of deadlines for compliance with SCA mandates and the need to quickly bolster on more security to combat fraud in the height of the pandemic, merchants will start to look longer term. While passwords and SMS OTPs may tick the box of compliance today, investing in more robust solutions like delegated authentication and on-device biometrics will safeguard them now and in future, should less secure authentication methods come under further scrutiny and be written out of regulation as not safe enough.”
Patch application flaws
John Smith, EMEA CTO, Veracode
“Web application attacks are the primary method for cybersecurity incidents in the retail sector, with personal or payment data exploited in about half of all breaches. To minimise risk, retailers should continually review and adapt their web security accordingly. Ways to improve include instilling secure coding practices from the outset, scanning applications regularly for flaws and updating software frequently as a matter of course.
“Our research also found that the industry has the second highest rate of high-severity application flaws (26%). Retailers should work with their developers to urgently address software application issues by using API-driven scanning and software composition analysis. Scanning for flaws in open source components offers the most opportunity for improvement in the sector.
“Last but not least, it is crucial for retailers to routinely back up their data and information so that they can return to business as usual if there is a ransomware attack. Developers can also reduce the risk of a credentials management attack by storing encrypted passwords in restricted locations and avoiding hard-coded credentials.”
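Smith’s last two points, keeping stored passwords out of reach and keeping service credentials out of source code, look like this in practice. This is an added example, not Veracode’s code or the article’s: stored passwords are salted and hashed with PBKDF2 from the standard library (the usual meaning of “encrypted passwords” in a credential store), and the service secret is read from an environment variable whose name, `RETAIL_DB_PASSWORD`, is an assumption.

```python
import hashlib
import hmac
import os
import secrets

# Iteration count is an assumption; raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A fresh 16-byte salt per user means identical passwords produce different
    records, so a leaked table cannot be attacked with one precomputed list.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def load_secret(name: str, env=None) -> str:
    """Fetch a service credential from the environment instead of the code base.

    Failing loudly when the variable is absent is deliberate: a silent default
    is how a hard-coded fallback credential creeps back in.
    """
    env = os.environ if env is None else env
    try:
        value = env[name]
    except KeyError:
        raise RuntimeError(f"secret {name} is not set in the environment") from None
    if not value:
        raise RuntimeError(f"secret {name} is empty")
    return value


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong pw :", verify_password("Tr0ub4dor&3", record))
    db_password = load_secret("RETAIL_DB_PASSWORD")   # assumed variable name
    print("db secret loaded, length", len(db_password))
```

Storing the iteration count inside the record lets older entries be re-hashed on next login when the default is raised, without a migration of the whole table. The environment variable is a stand-in for whatever secret store the deployment uses; the point is that the value never appears in the repository.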
Trevor Morgan, product manager at comforte AG
“Keep in mind that these supply chain attacks are intended to shut down or severely hamper operations, which gives the organization really bad press and puts pressure on the organization to acquiesce to demands because business grinds to a halt. Businesses in these sectors need to apply data-centric protection to any sensitive data within their ecosystem (PII, financial, and transactional) as soon as it enters the environment and keep it protected even as employees work with that data.
“By tokenizing any PII or transactional data, they can strongly protect that information while preserving original data format, making it easier for business applications to support tokenized data within their workflows. They also need to revisit their enterprise backup and recovery tactics to ensure that they can quickly recover if hackers are able to get into their environment and encrypt their enterprise data.”
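The tokenization Morgan describes, replacing a sensitive value with a surrogate of the same shape so downstream systems keep working, is shown below for a card number. This is an added example, not comforte AG’s product or the article’s code: the vault is an in-memory dictionary standing in for a real token store, the token keeps the original length, spacing and last four digits, and it is deliberately generated to fail the Luhn check so a token can never be mistaken for a live card number.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum, used by card networks for the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Format-preserving tokenizer with a vault for reversal.

    Only the vault holds the mapping; every other system sees tokens only.
    """

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19 or not luhn_valid(digits):
            raise ValueError("input is not a plausible card number")
        if digits in self._pan_to_token:
            # Same card -> same token, so analytics can still join on it.
            return self._restore_spacing(self._pan_to_token[digits], pan)
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]   # keep last four for receipts and support
            # Reject tokens that are valid card numbers or already in use.
            if token != digits and not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._pan_to_token[digits] = token
        return self._restore_spacing(token, pan)

    def detokenize(self, token: str) -> str:
        """Reverse a token; only the payment path should have this privilege."""
        digits = token.replace(" ", "")
        try:
            return self._restore_spacing(self._token_to_pan[digits], token)
        except KeyError:
            raise KeyError("unknown token") from None

    @staticmethod
    def _restore_spacing(digits: str, template: str) -> str:
        """Re-insert spaces at the positions the caller's format used."""
        out, i = [], 0
        for ch in template:
            if ch == " ":
                out.append(" ")
            else:
                out.append(digits[i])
                i += 1
        return "".join(out)


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")   # constructed test PAN
    print("token      :", token)
    print("detokenized:", vault.detokenize(token))
```

Because the token is the same length and character class as the original, a loyalty database or fraud-analytics job can store and compare it without schema changes, while a dump of that database yields nothing a fraudster can charge. Access to `detokenize` is the control point and should be restricted and logged.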
Omnichannel – Omicron
Sam Heiney, VP Product at Impero
“Customer self-service options, like self-checkout at the grocery store and contactless check-in and ordering for hospitality organisations, will continue to grow and expand. Unfortunately, we expect more large-scale data breaches as organisations transition from traditional network topologies to the software-defined networks required for top-notch user experiences in this omnichannel, self-service world.”
“Organisations that have already begun the technology transformation embracing secure access service edge (SASE) architecture will see the least disruption next year, giving them a competitive advantage in the marketplace. It will be another unpredictable year with new Covid variants and other surprises, which means centralised cyber security controls that can handle decentralised devices and networks are needed.”
Katell Thielemann, VP Analyst, Gartner
“Unfortunately, whether it’s names, addresses or credit card information, a vibrant community of hackers is constantly attacking consumer-supporting systems to steal data that can be sold and used for nefarious reasons. These attacks have been automated via phishing or botnet campaigns and are relentless.
“As retailers continue to push the envelope with consumer engagement with Augmented Reality and Artificial Intelligence, other forms of data are also being collected and new cybersecurity concerns emerge. An example is virtual fitting rooms to try on clothes. They create a new cyber-physical reality where biometric data is captured. This creates a new opportunity for cyber criminals, and it is inevitable that those systems will be targeted.”