5 Crucial Cybersecurity Tips for Retailers
While some threat actors engage in cybercrime to achieve notoriety or support a “hacktivism” campaign, the vast majority are motivated by acquiring one of two things: funds or data.
Unfortunately for retailers, their businesses are built on both—making them an attractive target for advanced email attacks like business email compromise and account takeovers. In fact, retailers have an 81% chance of receiving a business email compromise attack each week. And between 2018 and 2022, socially engineered attacks targeting retail organizations increased by 123%.
Because email is a primary attack vector, defending against email-borne threats must be a top priority. Here are five essential measures retailers should adopt to reduce their vulnerability to email attacks.
1. Require Employees to Participate in Security Awareness Training
Whether an attacker leveraged social engineering to deceive the target or an employee was negligent, the human element was a key driver in more than 80% of data breaches last year. Effective email security involves recognizing that your employees are the weakest link in your cybersecurity chain and then taking steps to reduce opportunities for your workforce to put the organization at risk.
One way to neutralize the human element is to require ongoing cybersecurity awareness training that includes the following:
In-depth reviews of the most common types of cyberattacks (e.g., credential phishing, malware, business email compromise, etc.)
Discussions about unique threats to the organization in particular and the retail industry in general
Phishing tests, in which employees receive realistic but fake phishing emails to learn how to recognize real attacks
Modern cybercriminals are focusing less on compromising networks and more on compromising people. So while fortifying your infrastructure is undoubtedly important, empowering employees with the knowledge and skills to accurately identify malicious emails is also essential to protecting your organization.
2. Enable Multi-Factor Authentication (MFA)
Account takeovers are both relatively easy to execute and incredibly difficult for secure email gateways (SEGs) to detect. And once an account has been compromised, it can lead to invoice fraud, data breaches, and more.
A single password should never be the only barrier between an attacker and unauthorized access to an account. To minimize the risk of account takeover, retail organizations must enable multi-factor authentication (MFA).
Although the terms are often used interchangeably, MFA is different from two-step verification because MFA requires users to provide two different types of authentication factors to verify their identity before they are granted access. The most common authentication factor categories are:
Knowledge factors – Something the user knows, such as a password.
Possession factors – Items the user has, such as a mobile device.
Inherence factors (more commonly known as biometric factors) – A physical characteristic of the user, such as their fingerprint.
MFA adds an extra hurdle for threat actors, and often introducing just that little bit of friction will encourage attackers to seek other targets.
3. Maintain PCI Compliance
In 2006, the Payment Card Industry (PCI)—made up of Visa, MasterCard, Discover, and American Express—established the PCI Data Security Standard (PCI DSS). The PCI DSS is a set of requirements designed to ensure that organizations that process, store, or transmit credit card information have adopted all necessary controls to protect cardholder data from being compromised.
This includes things like:
Not allowing employees to use the same account ID and password they use to access cardholder data to log in to any other software.
Requiring employees to use passwords that follow security best practices—i.e., using a password with a length of at least 12 characters and a combination of numbers, uppercase and lowercase letters, and special characters.
Creating and enforcing comprehensive policies and procedures regarding employee computer use, physical security, and data security.
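The first two controls above can be enforced in code rather than left to policy documents. The following is an added example, not code from the article or from Abnormal: it implements the password rule exactly as the article states it (at least 12 characters with digits, uppercase, lowercase, and special characters), and it checks, at the moment an employee sets a password on a non-cardholder system, whether that account ID and password pair is the same one the employee uses to reach cardholder data. The PBKDF2 iteration count, the sample account `jsmith`, and the sample passwords are constructed for this example.

```python
"""Password-policy and credential-reuse checks (added example; not from the article)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_LENGTH = 12  # the article's stated minimum length

# One pattern per required character class; every class must be present.
_CLASSES = {
    "digit": re.compile(r"[0-9]"),
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "special": re.compile(r"[^0-9A-Za-z]"),
}


def password_policy_violations(password: str) -> List[str]:
    """Return the rules a candidate password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in _CLASSES.items():
        if not pattern.search(password):
            problems.append(f"missing {name}")
    return problems


@dataclass(frozen=True)
class StoredCredential:
    """What the cardholder-data system keeps for one account: never the password itself."""
    account_id: str
    salt: bytes
    digest: bytes  # PBKDF2-HMAC-SHA256 of the password under `salt`


ITERATIONS = 100_000  # constructed value for the example; tune for your hardware


def make_credential(account_id: str, password: str, salt: Optional[bytes] = None) -> StoredCredential:
    """Hash a password with a per-account random salt so it can be verified later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return StoredCredential(account_id, salt, digest)


def verify(password: str, cred: StoredCredential) -> bool:
    """Constant-time comparison of a candidate password against a stored credential."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred.salt, ITERATIONS)
    return hmac.compare_digest(candidate, cred.digest)


def reuses_cde_login(account_id: str, password: str,
                     cde_credentials: Dict[str, StoredCredential]) -> bool:
    """True when the account ID and password proposed for another system are the
    same pair the employee uses to access cardholder data (the article's first rule).
    Because only salted hashes are stored, the check runs at password-set time,
    when the plaintext candidate is briefly available."""
    cred = cde_credentials.get(account_id)
    return cred is not None and verify(password, cred)


if __name__ == "__main__":
    # Constructed sample: one employee with a cardholder-data-environment login.
    cde = {"jsmith": make_credential("jsmith", "Wint3r-Inventory!")}
    for candidate in ("Tr0ub4dor&3", "correcthorsebatterystaple", "Wint3r-Inventory!"):
        print(candidate, "->", password_policy_violations(candidate) or "passes policy")
    print("reuse of CDE login on another system:",
          reuses_cde_login("jsmith", "Wint3r-Inventory!", cde))
```

In practice the reuse check belongs in the password-change handler of the non-cardholder system, which must be able to ask the cardholder-data system "does this password verify for this account?" without ever receiving the stored hash; the verify call here stands in for that query.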
The process of obtaining PCI compliance is a great opportunity for you to improve overall data security in your business because it requires you to review how employees handle private customer information. If you identify a potential risk, you can educate employees and make appropriate adjustments to ensure sensitive data stays safe.
4. Stay Up to Date on the Latest Threats
Every successful retailer knows they won’t be in business long if they don’t keep track of the latest industry trends and respond accordingly. Similarly, failing to stay informed of new attack types and emerging cyber threats makes your organization vulnerable to attacks that can lead to costly consequences—possibly even shuttering the business.
Among Chinese military strategist and philosopher Sun Tzu’s most famous quotes is, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” Because cybercriminals are committed to constantly finding new ways to penetrate defenses and steal data and/or funds, retail organizations must also commit to staying up to date on the latest cybersecurity trends, industry news, and best practices.
Following innovative thought leaders like Brian Krebs, Rachel Tobac, and Troy Hunt on social media is a great way to get valuable content and unique perspectives on a broad range of security topics. You can also subscribe to a research and data hub like Abnormal Intelligence that provides up-to-date insights on the threat landscape.
5. Create an Incident Response Plan
Unfortunately, when it comes to blocking attacks, the odds are stacked against retailers. While your organization has to be right 100% of the time, threat actors only need to be right once.
If your business does fall victim to an attack, the key to reducing fallout is to have an incident response plan. The actions you take immediately upon discovery of the attack will determine how extensive and expensive the damage will be. Below is an outline of an effective incident response plan:
Designate an incident response planning team
Classify the type and extent of the incident
Complete initial reporting
Escalate the incident, as appropriate
Inform affected individuals and vendors
Investigate and collect evidence
Mitigate further risks
Execute recovery measures
Your incident response plan should be regularly reevaluated and updated as necessary. With existing threats continuously evolving and new threats appearing almost daily, you must be prepared to respond quickly to any attack.
Protecting Your Retail Organization
Not only are retailers popular targets for attacks that compromise internal accounts, but large vendor ecosystems also make them especially vulnerable to supply chain compromise. Depending on the route a threat actor takes, they can redirect funds, send fraudulent invoices, and/or peruse databases filled with customer credit card numbers and vendor account information. This means that preventing these attacks is of the utmost importance.
In addition to applying the five tips in this article, retail organizations should also take advantage of innovative email security solutions that automatically block malicious emails from employee inboxes. Implementing modern email security technology is the only surefire way to defend your organization against advanced threats.
Learn how Abnormal can protect your retailer from the full spectrum of email attacks. Request your demo today.