In today’s fast-paced retail landscape, cybersecurity has become a critical concern for businesses of all sizes.
Anastasia Lou Regen, Partner in Cybersecurity at EY Canada, provided valuable insights into the evolving threat landscape and what retailers can do to protect themselves and their customers.

Retailers are disproportionately targeted by cybercriminals, with about 24% of cyberattacks globally aimed at this sector, she says.
“And within that, what we’re seeing is 30% of those attacks are typically phishing, so those would be the common techniques that you would see, with email being the most common one, but more and more we’re seeing phone phishing as well as text phishing as part of newer trends,” says Regen.
“The second one would be malware. The third one would be ransomware, with approximately 13% of attacks, and malware being approximately 20%. And then the remaining percentage is spread between denial of service attacks at 10% and all other types of threats that we’re seeing in the market.”
She said phishing is essentially a social engineering technique that aims to get you to take an action which in turn helps the attacker gain access either to your personal information or to your device, such as your computer.
“The most common way that we’ve seen it over the past 10 years is you would receive an email with some sort of a call to action; a sense of urgency is usually the key technique they use to request that you take a specific action.
“The two most common types of action would be for you to click on a link, and typically what happens next is they want to harvest your credentials. So they want you to log into a website that is meant to look legitimate, for example, but isn’t, in a way to capture your username and password.”
Another one that is being seen is people wanting you to download a file, a malicious file that, once downloaded onto your computer, for example, would enable them to take various actions. Some of the actions that we’re seeing are monitoring what you’re typing on your keyboard, so then and there they can get your credentials, your passwords, and so on. And then, depending on whether it’s your personal laptop or your work laptop, it may actually allow them to maneuver within the infrastructure of the organization, escalate privileges, and do a lot more damage.
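As an added illustration of the two phishing mechanics described above (the urgent call to action with a link to a look-alike login page, and the malicious attachment), here is a small Python triage script. It is not part of the interview or of EY’s material: the sample message, the retailer domain example-retailer.com and the look-alike account-verify.net are all constructed for the example, and the registrable-domain helper is a deliberately crude stand-in for a proper public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real e-mail): an urgent call to action,
# a link whose visible text shows the retailer's domain while the href
# points at a look-alike domain, and a double-extension attachment.
# example-retailer.com and account-verify.net are fictional.
SAMPLE_SUBJECT = "URGENT: Your account will be suspended in 24 hours"
SAMPLE_BODY = """
<p>Dear customer,</p>
<p>We detected unusual activity. You must verify your account immediately
or it will be suspended.</p>
<p><a href="http://example-retailer.account-verify.net/login">https://www.example-retailer.com/account</a></p>
"""
SAMPLE_ATTACHMENTS = ("Invoice_2024.pdf.exe",)
SAMPLE_SENDER_DOMAIN = "example-retailer.com"  # the brand the mail claims to come from

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "will be suspended", "verify your account", "act now")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".html", ".docm", ".xlsm")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (shop.example.com -> example.com).
    Crude on purpose; production code should consult a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def domain_shown_in_text(text):
    """Domain a reader believes they are clicking, if the link text looks like a URL."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return registrable_domain(m.group(1)) if m else None


def analyse(subject, body_html, attachments=(), claimed_domain=None):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []

    # 1. Urgency: the "sense of urgency" call to action.
    plain = re.sub(r"<[^>]+>", " ", body_html)
    haystack = f"{subject} {plain}".lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # 2. Links: a credential-harvesting page lives on a domain the brand does not own,
    #    so compare the domain the text shows with the domain the href really visits.
    parser = _LinkExtractor()
    parser.feed(body_html)
    for href, text in parser.links:
        parsed = urlparse(href)
        real = registrable_domain(parsed.hostname or "")
        shown = domain_shown_in_text(text)
        if shown and shown != real:
            findings.append(f"link text shows {shown} but href goes to {real}")
        if claimed_domain and real != claimed_domain:
            findings.append(f"link to {real} in a message claiming to be from {claimed_domain}")
        if parsed.scheme != "https":
            findings.append(f"link is not https: {href}")

    # 3. Attachments: the "download a file" variant.
    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {name}")

    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_ATTACHMENTS, SAMPLE_SENDER_DOMAIN):
        print("FLAG:", f)
```

The link check is the one worth internalizing for user training as well: the text of a link is chosen by the sender, so the only domain that matters is the one in the href, and a mismatch between the two is almost always deliberate.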
“Retailers actually have access to customers. So the impact that they can have by targeting a retailer in gaining access to personal information can be quite significant,” said Regen.
“Essentially, the trend that we’re seeing in the retail industry right now is to gather a lot of data around customers. That amount of data is very beneficial for trends such as targeted marketing and personalization of the services or the products customers are getting. But the flip side of this is that this is a well of data that malicious threat actors can try to get access to, to create damage not only to the retailer itself but also to its customers.”
There’s also a very appealing additional factor: credit card information.
“The first and the best recommendation that we tend to give over here at EY is to look for a proactive and preventative approach.
Now, what does that mean? Proactive means essentially being ready for a potential negative exploit to arrive within your organization. We often say in cybersecurity, it’s not if, it’s when. So the devil will be in the detail of how prepared you are to respond when something occurs, and there are various elements that go into preparedness.
“Do you have the right playbook so that you know exactly what to do, who to call and what to execute should something happen? Have you tested this playbook so that you can see how all of the different people in your organization that have to be mobilized work together in the event of an incident to effectively respond to this incident?
“Do you have the right providers supporting you, ready to call if something happens? An incident response retainer, for example, is a very common thing that organizations do in those instances. That would be, say, the preparedness aspect. Now, the additional proactive aspect is to think about having the right security guardrails within your organization.”
People need to be ready for any cyber risk
Humans need to be ready. That means training your employees to recognize something that looks suspicious. Train them to be able to recognize phishing emails, for example, or voice phishing, and so on. Test their knowledge and don’t go beyond the basics.
And what kind of technologies have you invested in to have the ability to respond effectively to more sophisticated types of attack?
“Think proactively, holistically and strategically about the right mix of technical and non-technical security controls that will allow you to both protect your perimeter and make sure that the people within your perimeter have the ability to recognize and take the right action.”
Related Retail Insider articles:
AI named a major security concern among small business owners