1. Commerce
September 21, 2018

Retail industry most vulnerable to cyber attacks, study finds

By Robert Scammell

The retail industry is the most at risk to cyber threats, according to research by cyber rating company SecurityScorecard.

Retail ranked bottom out of 18 industries for social engineering, which sees hackers targeting retailers through baiting, phishing or vishing.

It represents a drop of six spaces from the previous year, reflecting a number of high profile retail data breaches in 2018.

In August, for example, Superdrug customer data was held at ransom after passwords were acquired through other historic breaches and phishing scams.

And in June – less than a month after GDPR came into force – Dixons Carphone Warehouse was hit by a cyberattack that compromised the payment details of 5.9 million customers.

SecurityScorecard’s head of compliance Fouad Khalil believes this vulnerability in retail is largely because of the human element.

“The retail industry is the heaviest in terms of hiring right out of college and very little experienced professionals,” he told Verdict.

“And they tend to fall easily to phishing email scams. The minute they see an email that comes across from a senior level or a critical department or whatever, by default they want to be trusting and they respond and guess what – they open the door.”

Government, non-profit organisations and the legal sector topped the list as those least at risk to social engineering cyberattacks.

Poor application security risks retail cyber attacks

Retail ranked second from bottom for application security – the use of software, hardware and procedures to defend against external threats. Entertainment ranked bottom.

Retailer use of mobile point-of-sales (mPos) devices has increased exponentially in recent years. According to a Capital One report, almost half of retailers interviewed by Boston retailers were using mPos.

Often these systems are integrated into e-commerce platforms, creating an extra opportunity for bad actors.

Khalil believes that technology – and the malware used to exploit them – is being developed faster than the standards are being applied.

The Payment Card Industry Data Security Standard (PCI DSS) didn’t introduce a standard until April this year around mPos devices, despite their use increasing dramatically.

The research also found that over 90% of the retail domains analysed appeared to not be compliant with PCI DSS standards.

Khalil believes that continuous monitoring of security posture, rather than periodic auditing, is the solution.

“You need to follow the data,” he said. “So if organisations don’t have a solid data inventory, they’re behind the ball already.”

The 2018 SecurityScorecard Retail Cybersecurity Report analysed 1,444 domains in the retail industry with digital footprints of 100 or more IP addresses.

Read more: Spotting and avoiding phishing scams so you don’t get hooked

Verdict deals analysis methodology

This analysis considers only announced and completed artificial intelligence deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.

GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.

More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.

Topics in this article: ,