As another busy shopping season kicks into high gear, many of us will head to online retail sites and apps to check items off their holiday gift list. Security leaders should be mindful that if users do their shopping while at work, they are putting sensitive data — and possibly even the corporate network — at risk. That’s because retail industry sites and systems are too often poorly secured.
A recent survey from third-party risk management firm SecurityScorecard found that retail is among the lowest-ranked industries in terms of its security stance. The report looked at 1,444 domains in the industry with an IP footprint of at least 100 and found that retail had the second-lowest app security performance among major sectors, outperforming only the entertainment industry. What are retailers doing wrong?
Why Can’t Retailers Make the Grade?
“This year the retail industry’s security posture fell lower than in years past, both in application security and social engineering,” Fouad Khalil, head of compliance at SecurityScorecard, said in a press release. “To remain competitive, retailers are adopting new payment and digital technologies, exposing them as prime targets for cybercriminals.”
Despite the establishment of the Payment Card Industry Data Security Standard (PCI DSS) in 2004, SecurityScorecard found that many retailers are largely ignoring it. More than 90 percent of the retail domains analyzed indicated noncompliance with the regulation. Retailers in violation of PCI compliance face steep financial penalties if they are breached.
“As organizations assess their compliance with PCI DSS, they must be able to detect, remediate and recover from any threats or vulnerabilities adding risk to unauthorized access to CDE,” said Khalil in response to the findings.
The Customer Experience Trumps Retail Security
Convenience and the user experience have always contributed to poor retail app security, noted Ron Schlecht, managing partner at cybersecurity consulting firm BTB Security.
“The focus is so much on how technology fills or creates business value, that security is oftentimes an afterthought,” he said. “The only true way to get ahead of this issue in this industry and to protect itself from an increasing level of sophistication in attacks is executive buy-in to the issue, as well as a cohesive security strategy at each organization to make this a priority.”
In an extremely competitive sales landscape, retailers still place precedence on what users want, and front-end ease of transaction wins over back-end retail app security. As a result, according to Mike Wilson, chief technology officer (CTO) of PasswordPing, merchants are reluctant to implement security measures that could get in the way of making a sale.
“Any ‘fraud-proof’ e-commence solution would need to include so many obstacles to block bad actors that real customers would find it practically impossible to complete a transaction,” said Wilson. “Many industries are able to apply security solutions that add some friction to their user experience in exchange for better security, but the retail industry knows that their consumers will go elsewhere if it’s not a seamless experience.”
Attackers Exploit Poor Security Awareness in Retail
Retailers have historically displayed little awareness about security. Despite numerous high-profile breaches over the years that have impacted major merchants, that dearth of understanding continues to cause problems.
The SecurityScorecard report noted that social engineering scams that target retailers are on the rise and ranked the industry last in security against such threats. As retail becomes increasingly digital, this trend could become even worse.
“The way we shop has changed drastically in the last few years,” said Migo Kedem, senior director of product at SentinelOne. “Retail is traditionally a low-tech business. The new technology brings new security challenges, and these ‘digital shoplifters’ can’t be simply scared away using security sensors. The current way of life requires a different security approach that can protect your assets from cyberthreats.”
Scott Swenka, an IT security specialist working for a large grocery chain, believes a lack of security-minded leadership is causing the industry to fall behind others when it comes to risk mitigation.
“They lag behind because most public retail organizations have boards that are built out of retailed-based leaders and simply do not have an understanding of technology and how it affects them,” he said.
How Can Retailers Catch Up?
While PCI does not appear to have improved security in retail, regulations that target point-of-sale (POS) systems have the potential to make a measurable impact in the future, said Jim Barkdoll, CEO at security vendor TITUS.
“Regulation will force the necessary cultural shift in how retailers approach security,” he predicted. “Even those that have had a breach tend to relax their focus on security practices after the public attention around their breach wanes, driving long-term security investments lower on their list of priorities. Regulation changes that and will force a continued and consistent adherence to security policies and practices.”
Security leaders at retail organizations can address this problem by practicing secure development and operations (DevSecOps) and monitoring emerging threats in the digital landscape. If developers build retail apps with security baked in from the beginning of the development process, retail systems will gradually become more secure from the ground up.
Data should be encrypted during system communication and storage, and apps should employ authentication between the app and its servers. Apps should also require customer authentication via factors such as one-time passwords (OTP) and biometrics.
As is the case in many industries, most retail organizations prioritize innovation and customer retention before security. But as consumers become more concerned about their own digital security and privacy, retailers must invest in new security technologies and practices and lean on industry experts to help build secure systems.