
Reduce Your Risk: Best Practices To Strengthen Your Cybersecurity Defenses

By Luke Vander Linden

Vice President of Membership

Retail & Hospitality ISAC (RH-ISAC)


Today, 81% of IT and security professionals feel at least “somewhat” prepared to handle a cyber incident, per the 2024 CDW Cybersecurity Report.

But with steep financial, reputation and even legal consequences to contend with should bad actors successfully infiltrate a business, “somewhat” isn’t enough. Just one data breach or other cyber incident can lead to revenue loss, diminished customer trust and potential regulatory fines and penalties.

To stay protected, retailers must educate themselves on common cybersecurity threats and mistakes to transform their cybersecurity programs from a niche IT responsibility to an all-hands-on-deck, companywide mission.

Common Cybersecurity Threats Retailers Faced in 2024

All businesses face cybersecurity threats, but the retail industry is particularly at risk. According to IBM’s latest Cost of Data Breach Report, retailers were the victims of 14% of all last year’s cyberattacks. With growing attack surfaces due to an increased use of IoT and connected devices, cyberthreats come from seemingly all directions. Still, certain entry points prove higher risks than others.

For example, one common means of entry is via POS systems, where hackers exploit vulnerabilities in retailers’ systems to make off with customers’ credit card data. Bad actors also hunt for credit card data through social engineering, a tactic in which they manipulate employees and dupe them into revealing confidential information. One popular social engineering technique is phishing. Attackers send employees deceptive emails, usually posing as their boss or another trusted source, and trick them into divulging log-in credentials, credit card information or other sensitive data.

Next in the long list of cyberthreats plaguing retailers are ransomware attacks, where hackers deploy malicious software to encrypt a retailer’s data and lock them out of their own systems, demanding hefty ransom payments in exchange for restored access.

In the last year alone, almost half (45%) of retail organizations reported being victims of a ransomware attack, says The State of Ransomware in Retail 2024 report from Sophos.

To add to retailers’ woes, new tools in e-commerce are creating additional opportunities for attacks, such as formjacking, a method in which hackers implant malicious code into a retailer’s online form, allowing them to covertly steal customers’ sensitive data, like emails, phone numbers and addresses.

Naturally, hacking stories covered in the news largely detail cyberattacks on the industry’s biggest companies, but that doesn’t mean small retailers aren’t also at risk. Even small businesses still process and store, at minimum, their customers’ credit card information, leaving room for bad actors to swoop in and wreak havoc. In fact, in 2023, 41% of small businesses reported falling victim to a cyberattack, just a 3% increase from the prior year but almost double 2021’s figure.

Top Cybersecurity Mistakes Committed by Retailers

With retailers managing thousands, if not millions, of customers’ personal and payment information, it’s no wonder they’re attractive targets for cyberattackers. And unfortunately, it only takes a small mistake for retailers to accidentally give hackers entry—and free rein to do damage.


Perhaps the biggest mistake committed by retailers is failing to sufficiently educate their staff on cybersecurity. Too often, cybersecurity awareness is limited to the IT team and a few select business leaders. Sometimes, even senior management and key shareholders are left in the dark about their business’s cybersecurity posture, lacking basic insight into information like security policies and incident response plans. This is a mistake that only prepares a company to fall right into attackers’ clutches. After all, without a complete understanding of their business’s cybersecurity posture and the many factors that threaten it, how can a retailer be prepared to protect their infrastructure, their staff and their customers?

Similarly, many retailers make the mistake of putting all the onus of cybersecurity exclusively on the IT team. This is a major misstep. From on-the-ground employees to the most senior executives, everyone in a retail organization can be exposed to cybersecurity risks; therefore, it’s everyone’s responsibility to understand and uphold cybersecurity best practices. Unfortunately, this is more of the exception than the norm. Not only do most employees not understand the overall cybersecurity posture of their company, but more than half (52%) don’t even think that IT and cybersecurity are related to their jobs, per a new report from TerraNova Security.

These are just some examples of common mistakes retailers make that expose them and their customers to cybersecurity risks—but not everything is an internal problem.

As the global supply chain continues to grow and retailers continue to expand their partnerships with third-party vendors and suppliers, they must be wary of tying themselves up in so many integrations. The more third-party service providers a retailer works with, the more teams can get their hands on the retailer’s (and their customers’) sensitive data—and the more opportunities there are for hackers to find vulnerabilities to exploit. Of course, it’s no mistake for retailers to collaborate with third parties. It is a mistake, however, for them to do so without caution and without regard for the cybersecurity risks that come with it.

Practical Advice for Retailers to Avoid Cybersecurity Mistakes

Cybersecurity threats are an unfortunate reality that is here to stay. But there are simple strategies retailers can deploy to strengthen their cybersecurity defenses and help keep bad actors away.

First and foremost, executives should cultivate an organization-wide culture of cybersecurity awareness. After all, teams can’t fix a problem they’re unaware of. If not already done, assign someone to spearhead your company’s cybersecurity initiatives. This person should help your team leaders stay up to date with changing rules, regulations and policies in cybersecurity—and then transmit these best practices to employees via regular cybersecurity training. For example, support employees with workshops and training on recognizing and deflecting phishing tactics and on password best practices: never share passwords, don’t reuse passwords across accounts, and know how to create strong passwords.

Next, make security monitoring and data backups part of your retail organization’s regular activities. With security monitoring, your team can identify, detect and analyze security threats, vulnerabilities or any other suspicious activity—and then take action to patch these vulnerabilities to prevent and contain breaches.

A key part of this monitoring should be watching third-party integrations for signs of risk or unusual activity. Meanwhile, regular data backups ensure your IT team is prepared to restore critical information in the event of a cyber incident, such as a ransomware attack or system failure, to minimize business downtime and lost revenue.

The retail industry is a hot target for cyberattacks. But just a few small fixes can make a big difference in strengthening a retailer’s cyber defenses and protecting their and their customers’ sensitive data.

An important first step is changing cybersecurity from the IT team’s sole responsibility to an organization-wide, high-level priority. Retail leaders can drive this culture shift by participating in relevant industry groups, like RH-ISAC, a global community dedicated to sharing cybersecurity information and intelligence among retailers. Open to all retail companies, RH-ISAC is a confidential, trusted place for industry leaders to share best practices, get real-time cyber intelligence, and work together on common issues to build better security for everyone.

About Luke Vander Linden

As vice president of membership for the Retail & Hospitality ISAC (RH-ISAC), Luke Vander Linden is responsible for member growth, engagement and overall organizational strategy. RH-ISAC is the cybersecurity sharing and collaboration community for the consumer-facing business sector that partners with key trade associations such as NHPA to strengthen the collective efforts to improve cybersecurity in shared sectors.

About Jacob Musselman

Jacob is the content coordinator for Hardware Retailing Magazine. A lifelong Hoosier, Jacob earned a B.S. in journalism and telecommunications with a minor in digital publishing from Ball State University. He loves making bagels, going to farmers markets with his wife Hannah and two dogs and watching Formula One.
