
5 Crucial Cybersecurity Tips for Retailers

Retailers are a popular target for threat actors due to their wealth of customer data and availability of funds. Here are 5 cybersecurity tips to help retailers reduce their risk of attack.

September 20, 2022

While some threat actors engage in cybercrime to achieve notoriety or support a “hacktivism” campaign, the vast majority are motivated by acquiring one of two things: funds or data.

Unfortunately for retailers, their businesses are built on both, making them an attractive target for advanced email attacks like business email compromise and account takeover. In fact, retailers have an 81% chance of receiving a business email compromise attack each week. And between 2018 and 2022, socially engineered attacks targeting retail organizations increased by 123%.

Because email is a primary attack vector, defending against email-borne threats must be a top priority. Here are five essential measures retailers should adopt to reduce their vulnerability to email attacks.

1. Require Employees to Participate in Security Awareness Training

Whether an attacker used social engineering to deceive the target or an employee was simply negligent, the human element was a key driver in more than 80% of data breaches last year. Effective email security starts with recognizing that your employees are the most frequently attacked link in your security chain, then reducing the opportunities for your workforce to put the organization at risk.

One way to reduce the human element is to require ongoing cybersecurity awareness training that includes the following:

  1. In-depth reviews of the most common types of cyberattacks (e.g., credential phishing, malware, business email compromise, etc.)

  2. Discussions about unique threats to the organization in particular and the retail industry in general

  3. Phishing tests, in which employees receive realistic but fake phishing emails to learn how to recognize real attacks

Modern cybercriminals are focusing less on compromising networks and more on compromising people. So while fortifying your infrastructure is undoubtedly important, empowering employees with the knowledge and skills to accurately identify malicious emails is also essential to protecting your organization.

2. Enable Multi-Factor Authentication (MFA)

Account takeovers are both relatively easy to execute and incredibly difficult for secure email gateways (SEGs) to detect. And once an account has been compromised, it can lead to invoice fraud, data breaches, and more.

A single password should never be the only barrier between an attacker and unauthorized access to an account. To minimize the risk of account takeover, retail organizations must enable multi-factor authentication (MFA).

Although the terms are often used interchangeably, MFA is different from two-step verification. Two-step verification may chain two checks of the same type (for example, a password followed by a security question, which are both things the user knows), whereas MFA requires factors from two different categories before access is granted. The most common authentication factor categories are:

  • Knowledge factors – Something the user knows, such as a password.

  • Possession factors – Items the user has, such as a mobile device.

  • Inherence factors (more commonly known as biometric factors) – A physical characteristic of the user, such as their fingerprint.

MFA adds an extra hurdle for threat actors, and often that little bit of friction is enough to send an attacker looking for an easier target. Not all factors are equal, however: one-time codes sent by SMS or generated by an app can be relayed through an adversary-in-the-middle phishing page, and push-based approvals can be worn down by repeated prompts. Where possible, especially for finance staff and administrators, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, and make sure MFA is enforced on legacy protocols (such as IMAP and POP) that attackers use to bypass it.
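To make the possession factor concrete, the following is an added example (not code from the original post or from Abnormal) of how a server verifies a time-based one-time password (TOTP, RFC 6238) from an authenticator app. It uses the RFC 6238 reference test secret so the results can be checked against the published vectors; the 30-second step, six-digit codes, one-step validity window and the replay check (rejecting any counter at or below the last one accepted) are the design choices a practitioner would want, and are assumptions of this example rather than something the post specifies.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 / RFC 4226 reference test secret (ASCII "12345678901234567890").
# A real deployment stores a per-user random secret, never a shared one.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given 8-byte counter."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP over the number of elapsed time steps (RFC 6238)."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, for_time: float = None,
                last_counter: int = -1, step: int = 30, digits: int = 6,
                window: int = 1):
    """Verify a user-supplied code.

    Returns the time-step counter that matched (so the caller can persist it
    as the new last_counter), or None on failure. Accepts codes from the
    current step plus `window` steps either side to absorb clock drift, and
    refuses any counter <= last_counter so a captured code cannot be replayed.
    """
    if for_time is None:
        for_time = time.time()
    if len(candidate) != digits or not candidate.isdigit():
        return None
    counter = int(for_time) // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_counter:
            continue                                 # already used: replay
        # Constant-time comparison avoids leaking which digits matched.
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the SHA-1 TOTP is 94287082 (8 digits).
    print(totp(SECRET, 59, digits=8))               # 94287082
    print(verify_totp(SECRET, "287082", for_time=59))               # 1
    print(verify_totp(SECRET, "287082", for_time=59, last_counter=1))  # None
```

Store the per-user secret encrypted at rest, persist the returned counter after every successful login, and rate-limit attempts: with six digits and a three-step window, an attacker who can guess freely has roughly a 3-in-a-million chance per try, which is only safe if tries are scarce.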

3. Maintain PCI Compliance

In 2006, the major card brands (Visa, Mastercard, Discover, American Express, and JCB) formed the PCI Security Standards Council, which maintains the Payment Card Industry Data Security Standard (PCI DSS), first published in 2004. PCI DSS is not a law but a contractual industry standard: it defines the controls an organization that processes, stores, or transmits cardholder data must have in place to protect that data from being compromised, and merchants are held to it through their agreements with acquiring banks.

This includes things like:

  • Not allowing employees to use the same account ID and password they use to access cardholder data to log in to any other software.

  • Requiring employees to use passwords that follow security best practices—i.e., using a password with a length of at least 12 characters and a combination of numbers, uppercase and lowercase letters, and special characters.

  • Creating and enforcing comprehensive policies and procedures regarding employee computer use, physical security, and data security.

The process of achieving and maintaining PCI compliance is a great opportunity to improve overall data security in your business, because it requires you to map where cardholder data flows and review how employees handle it. Reducing that footprint, for example by tokenizing card data or handing it to a payment processor so it never touches your own systems, both shrinks the compliance scope and removes data an attacker could steal. If you identify a potential risk, you can educate employees and make appropriate adjustments to ensure sensitive data stays safe.

4. Stay Up to Date on the Latest Threats

Every successful retailer knows they won’t be in business long if they don’t keep track of the latest industry trends and respond accordingly. Similarly, failing to stay informed of new attack types and emerging cyber threats makes your organization vulnerable to attacks that can lead to costly consequences—possibly even shuttering the business.

Among Chinese military strategist and philosopher Sun Tzu’s most famous quotes is, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Because cybercriminals are committed to constantly finding new ways to penetrate defenses and steal data and/or funds, retail organizations must also commit to staying up to date on the latest cybersecurity trends, industry news, and best practices.

Following innovative thought leaders like Brian Krebs, Rachel Tobac, and Troy Hunt on social media is a great way to get valuable content and unique perspectives on a broad range of security topics. You can also subscribe to a research and data hub like Abnormal Intelligence that provides up-to-date insights on the threat landscape.

5. Create an Incident Response Plan

Unfortunately, when it comes to blocking attacks, the odds are stacked against retailers. While your organization has to be right 100% of the time, threat actors only need to be right once.

If your business does fall victim to an attack, the key to reducing fallout is to have an incident response plan. The actions you take immediately upon discovery of the attack will determine how extensive and expensive the damage will be. Below is an outline of an effective incident response plan:

  • Designate an incident response planning team

  • Classify the type and extent of the incident

  • Complete initial reporting

  • Escalate the incident, as appropriate

  • Inform affected individuals and vendors

  • Investigate and collect evidence

  • Mitigate further risks

  • Execute recovery measures

Your incident response plan should be regularly reevaluated and updated as necessary, and exercised before it is needed: a tabletop walkthrough of a likely scenario, such as a compromised finance mailbox sending fraudulent invoices, will surface gaps in contacts, access, and decision rights that a document review alone will not. With existing threats continuously evolving and new threats appearing almost daily, you must be prepared to respond quickly to any attack.

Protecting Your Retail Organization

Not only are retailers popular targets for attacks that compromise internal accounts, but large vendor ecosystems also make them especially vulnerable to supply chain compromise. Depending on the route a threat actor takes, they can redirect funds, send fraudulent invoices, and/or peruse databases filled with customer credit card numbers and vendor account information. This means that preventing these attacks is of the utmost importance.

In addition to applying the five tips in this article, retail organizations should also take advantage of modern email security solutions that automatically block malicious emails before they reach employee inboxes. No single control is a guarantee, but email security technology that stops attacks ahead of the user removes most of the opportunities for the human element to fail.

Learn how Abnormal can protect your retailer from the full spectrum of email attacks. Request your demo today.
