5 Things Retailers Should Know About Cybersecurity
With growing concerns around security, ransomware and retail breaches, there are a few key considerations that retailers should keep in mind when it comes to protecting their organizations.
First, a Quick Overview on Retail and Cybersecurity
Retail has two main types of workers — people with boots on the ground in a store who have to connect to a device that may be managed, unmanaged or shared, and people who work for the corporate or online side of the business. Post-pandemic guidelines mandated that many traditional roles become remote access roles. Dollars earmarked for innovating sales, like for online shopping, now had to compete with securing the remote workforce. Retail’s great “digital transformation” sped up, as did the number of data breaches impacting retail.
The costs that follow a data breach are trending upward year over year. Data breach costs rose from $3.86 million to $4.24 million, according to IBM and the Ponemon Institute’s Cost of Data Breach Report 2021.
50% of retailers experienced a data breach
42% of retailers who were breached experienced brand degradation
40% of retailers experienced an outage that had an impact on revenue
30% of retailers lost critical business data that impacted the business long after the breach
Security Magazine reports that stolen and exposed credentials have risen 300% since 2018. The 2021 Verizon Data Breach Investigations Report observes passwords caused 89% of web application breaches, either through stolen credentials or brute force attacks, making the protection of credentials a high priority.
1. Stay PCI DSS Compliant to Protect Point-of-Sale Devices
Retailers use point-of-sale devices that can store personally identifiable information (PII) customer data, like addresses, passwords, phone numbers and credit card information. Through a process called RAM scraping, attackers can harvest PII data. Retailers must comply with the Payment Card Industry Data Security Standard (PCI DSS), which mandates the use of multi-factor authentication (MFA) to help protect customers from data breaches.
2. Take a Layered Defense-in-Depth Approach with Zero Trust
Zero trust security assumes there will be a security breach, and therefore does not allow access until trust is verified multiple ways through multi-factor authentication and then continuously monitored for anomalies. Defense-in-depth is the concept of building layers of different technology solutions to secure your IT infrastructure. Don’t put all your eggs in one basket when it comes to protecting credentials and trusted access. Anti-virus and firewalls are great, but adding in a separate MFA solution helps retailers stay PCI DSS compliant and serves as the first layer to incredibly secure continuous authentication that can prevent credential attacks and limit lateral movement.
3. Phishing and Social Engineering Campaigns Are a Leading Concern
Attackers can easily access email lists and profiles from the dark web and stage a phishing attack to your retail company. It just takes one curious click to download malware like keyword loggers that can capture credentials not protected with MFA and gain access to systems. CSOonline.com reports that 94% of malware is delivered via email, and phishing attacks account for more than 80% of security incidents. Almost all of these begin by stealing credentials.
4. Third-Party Security Breaches Can Lead To Bigger Retail Breaches
Securing your VPN, devices and endpoints with MFA can prevent fallout from third-party (vendors, contractors, etc.) security breaches by protecting trusted access to critical systems. With adaptive policies Duo MFA can restrict access to applications and data on a need-to-know basis. Other entry points include unpatched updates and zero-day vulnerabilities. Patch your tools and software so that you can prevent unauthorized users from gaining access. Using Duo’s Device Health, you can check the security posture of the devices connecting to your network and restrict access when devices don't meet particular security requirements. Self-remediation tools can help users stay up to date on software.
5. Be Aware of Brute Force and Credential Stuffing
According to a LastPass survey, 91% of respondents acknowledged they reuse passwords. Hackers are well aware of this and collect passwords from credential dumps or the dark web. They then use automated tools to test passwords across different retail sites, known as credential stuffing or brute force. From there they can steal user credentials. Once in, the attack can begin. The 2021 Verizon Data Breach Investigations Report finds 61% of all breaches exploited credential data via brute force attacks, credential stuffing attacks, or credential data leaked and used later. A strong MFA solution can protect against credential stuffing.
PCI extends MFA as a required control for all remote access (console and non-console) into the cardholder environment. Examples of this include virtual private network (VPN), virtual desktop infrastructure (VDI), remote desktop (RDP), Secure Shell (SSH) etc. In addition, PCI also published several supporting documents to help organizations deploy MFA in a compliant manner.
Protecting credentials is a vital component for a retail organization’s successful security strategy. Credentials are often what stands in the way of an attacker and your system. However, by implementing a strong MFA solution like Duo, in which users must present a combination of credentials to verify their identity before being granted access, attackers cannot obtain this data.
In addition to username and password, Duo MFA asks for something you have (like a trusted device, or a software or hardware token), or something you are (like a biometric). Thanks to these additional requirements, MFA is 99.9% effective at preventing that initial foothold. MFA is the start of a good zero trust foundation and will help you achieve security resilience.
Try Duo For Free
With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.