We have another fantastic guest post from Jon Heimerl, manager of the threat intelligence communications team at NTT Security, who reflects on our latest quarterly SERT Report.
In my previous blog post, I explained why the retail industry remains an attractive target for cyber criminals. I now want to explore some of the biggest retail risk areas as there is more organisations can do to help themselves better understand the security threats inherent in the retail space.
While many security concerns are well documented, the following three are among the top cybersecurity risks faced today, yet they are often not recognised for the impact they can have.
The complexity of malware has never been higher. Malware is harder to detect than ever and remains one of our biggest threats. While it seems to get most of the press these days, ransomware is just the tip of the iceberg. In our SERT Report, we saw a clear increase in attacks against retail organisations but, on top of that, we found key logger/spyware accounted for 68 percent of all malware in retail organisations in Q4 ’16, indicating that attackers are trying to maintain persistent access to steal credentials and record transactions. Based on our analysis of reported breaches related to malware, the most common delivery mechanism was via phishing attacks on one or more users.
2. Overconfidence in perception
A recent retail cybersecurity survey by Tripwire reported that 90 percent of the organisations questioned believed they could detect a critical data breach in just 48 hours. Yet just 55 percent of staff in firms with revenue of more than $100 million indicated they checked compliance with security policies, standards, procedures, laws and regulations ‘at least weekly’. Additionally, 59 percent of these respondents said that security tools such as intrusion detection, whitelisting and anti-virus were ‘only partially or marginally implemented’. During assessments, management within retail organisations tends to rate themselves higher than is indicated by detailed analysis of actual implemented controls. This ‘rose-coloured glasses’ effect is not uncommon. It is critical for organisations to evaluate the true effectiveness of their own security programs.
3. Human factors
As is true with many vertical markets, retail personnel may not be fully aware of their responsibilities relative to information security. As we have seen during our evaluations, as many as 25 percent of staff members tend to click on suspicious links or inadvertently (or maliciously) divulge sensitive information to unauthorised parties. At NTT Security, we are observing human-focused attacks, like social engineering and phishing, at the highest levels ever.
While these risk areas are not unique to retail, their impact should not be overlooked. Download our SERT Report for find out what retail organisations can do to improve: http://bit.ly/2kQnKJY