Retail security 101: mitigating cybersecurity risks in the digital age

The retail industry has undergone a profound transformation in the last few decades with the advent of digital technology. While these advancements have revolutionized consumer experiences and operational efficiencies, they have also introduced new vulnerabilities to cyber threats.

Retailers, from small businesses to global chains, face an array of cybersecurity risks that can compromise customer data, disrupt operations, and damage brand reputation. And cybercrime in Canada is on the rise. In 2023, 81% of organizations experienced at least 25 cybersecurity incidents according to the EY Global Cybersecurity Leadership Insights Study.

Understanding the risks to Canadian retailers—and subsequently their vendors, partners and customers—is essential to implementing security practices and safeguarding businesses in our interconnected world.

Common Cybersecurity Risks in Retail

1. Payment Card Data Breaches
   Retailers process vast amounts of payment card information daily, making them prime targets for cybercriminals seeking to steal credit card details through hacking or malware attacks on payment systems.
   
   
2. Phishing and Social Engineering
   Employees may inadvertently divulge sensitive information or grant unauthorized access to systems through phishing emails, where attackers masquerade as trusted entities to trick recipients into revealing confidential data.
   
   
3. POS Malware Attacks
   Point-of-sale (POS) systems can be compromised by malware designed to capture payment card information as it is processed, potentially affecting multiple transactions before detection.
   
   
4. Supply Chain Vulnerabilities
   Retailers rely on complex supply chains, making them susceptible to cyber attacks targeting suppliers or distributors, which can disrupt operations and compromise sensitive data.
   
   
5. Ransomware
   Malicious software that encrypts critical data and demands payment for decryption can severely impact retail operations, leading to financial losses and operational downtime. Ransomware is often understood as the most common and damaging retail threat, as evidenced by some of the most recent cyber incidents.

High-Profile Incidents

• JD Sports
  In January 2023, hackers gained access to fashion retailer JD Sports’ database of online purchases made between 2018 and 2020. The full names, delivery addresses, billing addresses, email addresses, phone numbers and last digits of payment cards of roughly 10 million customers were compromised.
  
  
• Indigo
  In February 2023, Indigo was targeted in what became one of the highest profile attacks recent years. Payment systems were disrupted and forced offline, while the personal information of current and former employees was compromised. This cyber incident resulted in a fiscal year loss of $50 million.
  
  
• London Drugs
  In April 2024, ransomware hackers gained access to files from a London Drugs corporate head office, demanding $25 million for their return. The files were later released online after London Drugs refused to pay the ransom.
  
  
• CrowdStrike
  While not a cyberattack, the July 2024 CrowdStrike update that caused Microsoft outages around the world is a great example of just how vast the cybersecurity landscape is. When a faulty update was pushed by CrowdStrike’s security software, operating systems at countless airlines, banks and healthcare facilities went offline, causing extreme delays and frustration. As a result, CrowdStrike shares fell 20%.

Strategies to Enhance Retail Cybersecurity

To mitigate these risks and protect their businesses, retailers should adopt a proactive approach to cybersecurity that includes:

1. Implementing Strong Access Controls
   Restrict access to sensitive systems and data only to authorized personnel. Utilize multi-factor authentication (MFA) for accessing critical accounts and systems.
   
   
2. Securing Payment Systems
   Deploy robust encryption technologies for payment transactions and regularly update POS systems with the latest security patches. Consider using tokenization to protect cardholder data.
   
   
3. Employee Training and Awareness
   Conduct regular cybersecurity training sessions for employees to educate them about phishing scams, social engineering tactics, and best practices for handling sensitive information securely.
   
   
4. Monitoring and Incident Response
   Implement continuous monitoring of networks and systems for suspicious activities or anomalies. Develop and test incident response plans to swiftly address and mitigate cyber incidents.
   
   
5. Data Protection and Compliance
   Implement data encryption for sensitive information both in transit and at rest. Ensure compliance with industry regulations such as PCI DSS (Payment Card Industry Data Security Standard) to protect customer payment data.
   
   
6. Using Trusted Vendors
   Vet and collaborate with trusted third-party vendors and service providers who adhere to stringent cybersecurity practices. Ensure contracts include provisions for data protection and incident response protocols.
   
   
7. Leveraging Technology and Partnerships
   Invest in advanced cybersecurity technologies such as intrusion detection systems (IDS), endpoint protection, and security information and event management (SIEM) systems to detect and respond to threats effectively. Work with cybersecurity professionals and programs to help keep your business secure.
   
   

Working Together to Strengthen Cyber Resilience

In order to help set Canadian businesses up for successful implementation of the above mentioned strategies, cybersecurity firm Guardlii, along with the Canadian Cybersecurity Network (CCN), is embarking on a Canada-wide retail cybersecurity study.

Through this study, Guardlii and CCN aim to comprehensively analyze the current state of cybersecurity practices in the retail sector, while identifying key challenges and emerging threats. The study will also explore the impact of cyber incidents on retailers who have faced them, and the role of cybersecurity insurance in managing risks.

The study will culminate in a set of actionable recommendations for Canadian retailers to enhance their cybersecurity posture and minimize the impact of potential cyber threats.

When retailers work together with industry partners to build more robust security measures, they safeguard not only their data, but their financial assets, reputation, and customer trust. In a world where cyber threats are becoming all the more common for Canadian retailers, these steps are even more critical.