It has been an incredibly challenging period for the retail sector, with a series of seismic events significantly disrupting operations, and fast-changing consumer habits forcing retailers to pursue digital transformation at speed.
These changes have been made all the more difficult by an accompanying rise in cybercrime – both pan-industry and specifically targeting retail. In the UK, it is estimated that, on average, retailers face an attack every eight days. In the most recent Cybersecurity Census Report, 77% of retailers surveyed expected a further surge in the rate of attack.
In order to address what those threats might look like – and how retailers might best prepare themselves for such attacks – Sohpos recently published Industry Secrets: Cyber security for retail. This white paper put a series of questions to two leading experts in the field, Christopher Salgado, CEO of All Points Investigations, and Kostandino Kustas, a cybersecurity consultant at Sophos, looking at the rise in digital, non-physical attacks; physical social engineering attacks; and hybrid attacks – and the new requirements the growing complexity of each is making of cybersecurity strategy.
Cyberattacks and human behaviour
“Social engineering” is the manipulation of human behaviour to trick a targeted individual into divulging information they would choose not to were they to know the true identity or intentions of the recipient. According to Salgado, It has been identified as being a precursor to over 95% of all cyberattacks.
“You need to invest in a robust cybersecurity operation with layered defences that include anti-social engineering tactics,” he advises. “A lot of companies invest resources into impressive software that looks good on paper and makes people feel secure, but doesn’t do anything about the human element, which has been identified time and again as the weakest link in a security chain.”
“The retail sector is unfortunately very heavily targeted,” adds Kustas. “These attacks may not be very large scale, they may be very early indicators of compromise or somebody who has tried their luck to get into these environments. But for them to happen at such a high frequency means that realistically the retail sector should take this as seriously as possible, whether they are direct attacks on infrastructures, or whether they are social engineering attacks.”
The Sophos consultant points to 2021 attacks on Spar and Sainsbury’s as recent high-profile examples where retailers were hit via their supply chain – clear indications that enterprises are only as strong as their weakest link.
“Organisations need to train all employees, contractors and vendors on the dos and don’ts of how to be ‘cyberly’ responsible,” Salgado advises. “This should include social engineering and how and when to report suspicious cyber and physical actions or behaviour. Companies need to implement retrains and make sure that their policies come with teeth. I’ve seen corporations build a policy stipulating that people need to take training. And then the employees just hit the ‘remind me later’ button. Weeks might pass without the training being taken and there are no repercussions.
“Furthermore, your supply chain should be incorporated into this programme. Your suppliers’ security might not be as tight as yours, but they could have access to your systems and therefore represent a huge point of weakness.”
Key steps to tackling cyberattacks in retail
To help retailers and other enterprises in these efforts, Sophos has identified six key steps organisations should adopt when adopting a protection plan. This begins with ensuring you have high-quality defences in your environment. Then, hunting for potential threats and investigating them. The third piece of advice is to harden your IT environment, using various tools to identify points of weakness.
Ensuring you have a cyber-incident report plan in place when or if an attack does happen is essential. Recovery in the face of attack is also accelerated by ensuring you back everything up and practice restoring files periodically. The sixth and final piece of guidance is to never lose sight of the essentials that drive a secure culture, like employee education, and policies for access and authentication.
“At the end of the day, it’s all about making sure you’ve got layered defence in place,” says Salgado. “Crucially, you need to ensure it’s very easy for employees. The more barriers that are created, the more likely employees are to find shortcuts that render your security ineffective.”
