So, you want to break into retail?

We recently published an interesting report on cybersecurity and the retail industry which highlights how those retailers who can demonstrate how well they protect the security and privacy of their customers can obtain competitive advantage.

Of course, protecting the security and privacy of (potentially) millions of customers is a non-trivial task, particularly if working in a traditionally competitive and low-margin industry such as retail where the CISO (if the role exists) may have limited budget. There have been many published compromises of customer records in the retail industry resulting from many different kinds of vulnerabilities, from traditional internet-based hacks such as SQL injection via a poorly implemented website through to the (in)famous Target compromise via their cooling systems provider.

How can retailers identify their attack surface and look to reduce the risks to their customers’ data?

Firstly, what do I mean by “attack surface”? I mean the areas where potential attackers can potentially interact with your systems or data. Retailers can have complex attack surfaces – do not limit yourself to consideration of your website!

How complex? Well, let’s consider a retailer that sources or produces its own white-label goods. Consider also that our investigation has shown that many retailers have legacy architectural weaknesses such as flat networks, i.e. every store, factory, farm, distribution center and HQ may all be on the same wide-area network with limited (if any) segregation between the different entities.   This may extend your attack surface to every store, factory, and farm in your organization.

Consider further how dynamic the retail environment can be with new stores being opened and old stores being closed or disposed of (to the competition?) on a regular basis. What happens to the physical network connections in your old stores? Are you absolutely certain that connectivity is no longer available in those stores you sold off last month? How about your distribution centers – are they dedicated to you or are they shared with other organisations? If the latter, what barriers have you put in place to control access to your systems? What about your manufacturing and packaging facilities? Do they contain a plant that is “smart” or network-connected? Is that plant fully patched? Or is that equipment running a networked operating system that can’t be patched because the provider of the kit no longer offers support or has gone out of business?

The Wannacry and NotPetya outbreaks have bluntly demonstrated the dangers of running unpatched systems on flat networks – customers will have little sympathy for businesses caught out by similar outbreaks in the future, given the ample warnings provided by past malware outbreaks.

Now let’s turn our attention to stores. Lots of potential attack vectors here. Are all of your staff trustworthy? Do your stores offer free Wi-Fi?  Is that Wi-Fi connected to the corporate network? How secure is your store’s back-office? Can customers simply walk in and look around the back office? Perhaps even access the corporate systems or network? How secure are your point-of-sale terminals? How do those POS terminals connect to the store network? What would happen if a malicious actor left a few USB sticks containing some malicious content around the store (or perhaps HQ)? Do users know not to plug such devices into corporate machines – even if labelled “Redundancy Planning Q3”?

I’m a cybersecurity chap, I can’t avoid talking about the internet and, these days, the cloud. Many retailers are now moving towards the cloud, particularly in the area of customer analytics. The use of cloud services opens up yet another attack surface – not least the barriers in place between yourself and other users of that cloud platform.

I would not expect customers to be overly sympathetic should they find out that the only barrier between their data and an attacker is a single username/password combination. With the advent of GDPR, I would not expect too much sympathy from the relevant data protection supervisory authorities either.

There’s a lot of guidance out there on securing your web presence, I’m not intending to use this post to repeat lots of long-established good practices on regular vulnerability scanning and full-on red-teaming, etc. I’m sure you have your own preferred sources of expertise in this area.

From a privacy perspective however, I would suggest that GDPR has increased the need for transparent and unambiguous privacy policies, particularly when it comes to obtaining user consent for data collection, and so do make sure that your customer-facing website is privacy-friendly. Your website is one of your primary mechanisms for demonstrating how much importance you place on the security and privacy of your customers, so make sure that you make the most of that opportunity.

In summary, retail is a complex sector from a security perspective due to the long, occasionally tangled, and obtuse supply chains and large customer bases.  The purpose of this post is to point out areas that retailers may not have considered as a potential point of weakness, with a view to hopefully starting a few conversations on pragmatic ways to mitigate the associated risks.  Those are conversations we’d be more than happy to continue elsewhere!

Lee Newcombe

I advise my clients on how to identify and manage cyber risk in an ever-changing and increasingly digital world.
I have assisted central government, a regulatory authority, global insurers, major banks, transport providers, utilities providers, consumer goods producers and others with their adoption of cloud services through provision of pragmatic, forward-looking and practical guidance relating to the organizational, process and technical change needed to securely deliver the benefits offered by the cloud model.