Retailers, Why Not Give Consumers the Gift of Data Security This Holiday Season?
by: Ross Williams, Critical Start DFIR Leader
Consumers have historically been wary of disclosing their financial information over the internet, but the COVID-19 pandemic pushed more consumers to embrace ecommerce. Consumers spent $791.70 billion online with U.S. retailers in 2020, up 32.4% from $598.02 billion the prior year, according to a Digital Commerce 360 analysis of U.S. Department of Commerce data. Unfortunately, the attack surface for hackers and other malicious actors has also expanded exponentially, and it is easier than ever for cybercriminals to quickly monetize retail exploits or compromises.
The most recent IBM/Ponemon Cost of a Data Breach Report showed that, in 2021, the average total cost of a retail data breach is approximately $3.27 million — more than enough to put many small retailers out of business. What can retailers do to mitigate that risk? Here are a few ideas.
Accept Social Responsibility
Retailers have the largest platforms for engagement with society, which gives them a unique opportunity to help consumers stay protected in a digitally connected world. Companies that are already using subtle—and not so subtle—ways to attract customers can use their platforms to enhance their cybersecurity and build trust with their customers.
Identify Potential Vulnerabilities
Many retailers implement hard code freezes on their customer-facing platforms two or three months prior to the holiday season, and they don’t “unfreeze” those platforms until the first two weeks of the new year. This means that, barring a zero-day exploit or other critical incident, these retailers will not be making any modifications to their code. Errors are common in the rush before code freeze, and they often go untested and unpatched. Threat actors are aware of these hard freezes and model their attack plans to align with this time period.
Static application security testing (SAST) and dynamic application security testing (DAST) can help identify vulnerabilities that make your applications susceptible to attack. SAST is a white box method of testing that examines the source code to find software flaws and weaknesses such as SQL injection and the other classes catalogued by the Open Web Application Security Project (OWASP). DAST is a black box testing method that examines an application as it is running to find vulnerabilities that an attacker could exploit.
SAST and DAST are different testing approaches with different benefits, so you should include them both in your application security testing program. They find different types of vulnerabilities, and they’re most effective in different phases of the software development life cycle. While SAST should be performed early and often against all files containing source code, DAST should be performed on a running application in an environment similar to production.
It is important for organizations to enable automated nightly DAST and SAST runs to identify flaws during their sprint cycles. A more rigorous review process should be implemented and followed for the final sprint cycles prior to annual code freezes. Key areas of focus should be payment gateways, API gateways, input fields, and core web code.
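To make the SAST idea concrete, here is a small static check of the kind such tools run, written for this post as an added example (it is not a Critical Start tool or any vendor's product): it parses Python source and flags database `execute()` calls whose query text is assembled by string formatting, the classic SQL injection pattern in an input field or checkout lookup. The sample source it scans is constructed for the example.

```python
"""Minimal SAST-style check for SQL statements built by string formatting."""
import ast

# Database sink methods whose first argument is the SQL statement.
SQL_SINKS = {"execute", "executemany"}


def _is_dynamic_query(node: ast.AST) -> bool:
    """True when the query expression is built at run time from other values."""
    if isinstance(node, ast.JoinedStr):                      # f"... {value} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        # "..." % value  or  "..." + value; two literal constants joined is harmless.
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "...".format(value)
    return False


def find_sql_injection(source: str) -> list:
    """Return (line_number, message) for every SQL sink fed a dynamically built query."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr in SQL_SINKS and node.args and _is_dynamic_query(node.args[0]):
            findings.append((node.lineno, f"query built by string formatting passed to {node.func.attr}()"))
    return findings


# Constructed sample code: two injectable lookups and one parameterized (safe) query.
SAMPLE = '''
def find_order(cur, order_id):
    cur.execute("SELECT * FROM orders WHERE id = " + order_id)
    cur.execute(f"SELECT * FROM orders WHERE id = {order_id}")
    cur.execute("SELECT * FROM orders WHERE id = %s", (order_id,))
'''

if __name__ == "__main__":
    for line, message in find_sql_injection(SAMPLE):
        print(f"line {line}: {message}")
```

The third query passes its value separately as a parameter, so the driver never splices user input into the statement text, which is the fix the check is steering developers toward.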
Stay on Top of Third-Party Risk Management (TPRM)
Remember the massive Black Friday data breach that impacted one of America’s largest retail corporations in 2013? As many as 40 million payment card accounts, along with the personal information of about 70 million customers, were affected. In the end, a refrigeration vendor serving the retailer acknowledged that it had been breached. The attackers backed their way into the retailer’s corporate network by compromising the vendor, and the retailer’s cardholder data environment was not sufficiently segmented from the contractor environment. This breach highlights the critical importance of third-party risk management.
Most retailers use third-party software to track data such as dwell time on their sites, click throughs, conversion rates, items in shopping carts, and buyer demographics. You can take a few key steps to ensure that third-party code is secure beyond the perimeter of your network:
- Utilize a TPRM/vendor risk management questionnaire to assess the security posture of the third parties with whom you do business. Large retailers can have up to 1,000 questions on these documents, but if yours is less extensive, here are some examples of areas and key questions it should address:
  - Information Security (Does your organization maintain a security program?)
  - Data Center Security (Do you work in a shared office space?)
  - Web Application Security (How do you report application security vulnerabilities?)
  - Infrastructure Protection (Do you use a VPN?)
  - Security Controls and Technology (Do you keep an inventory of authorized devices and software?)
- Require your third-party vendors to conduct full code penetration testing on a regular basis (at least twice a year). Even if your own penetration testing includes third-party code, it will not identify threats that extend beyond the perimeter of your network.
- Hastily implemented code can spell disaster. Ensure that your third-party vendors perform nightly testing every time they make a code change and perform integration testing on your end to make sure what the vendor delivered is actually working.
- Threat actors don’t care about compliance, so it is important that your retail data security programs and strategies expand beyond “checking the box”. Implement hybridized security models that cover regulatory, compliance, and cybersecurity best practices geared toward your specific industry.
Train Your Employees
The high employee turnover rate in the retail industry makes cybersecurity training difficult. Here are a few tips to keep your employees from becoming the weakest link in your security posture:
- Educate your employees and security teams on the gaps identified in your penetration testing and how those vulnerabilities could be exploited.
- Retail has the highest susceptibility to password phishing attacks of any industry. You can take steps to protect your employees from phishing emails by implementing multi-factor authentication (MFA) and other security best practices, but also be sure your employees know how to recognize suspicious emails, and warn them not to click on any links in those emails.
- Make sure your employees know how to create strong passwords and that they understand the risk of re-using passwords across their personal and corporate accounts.
- Educate your employees on how to protect your digital information assets. They need to understand that accessing customer information is a privilege, and “need to know” access should be practiced at all times. Be sure they know your organization’s policy for protecting information and that they take it seriously.
Above all, make cybersecurity a priority at every level of your organization. Don’t just go through the motions; make concerted efforts to educate, train, and implement impactful cybersecurity operations. Learn the threats that are specific to your organization and vertical. Establish champions in every line of business who carry the message and help drive a security-focused mindset.