Maintaining Retailer Cybersecurity During Peak Shopping Season

Each year, retailers eagerly look forward to Black Friday, Cyber Monday, and the start of the holiday shopping season. And for good reason, since these few short days account for 20-30% of annual sales. In 2019, the weekend generated $7.4 billion in online sales and consumers spent $11 million per minute at the peak of online activity.

Cybercriminals look forward to the holiday season no less avidly. After all, more transactions mean more opportunities for cyber thievery.

Retailers are a favored target of cybercriminals because they have personal information, including credit card information, for millions of people. That data is a treasure trove that can be readily sold or exploited by hackers.

Supply Chain Vulnerabilities

Retailers, of course, aim to provide as frictionless an experience as possible for their customers, based on the understanding that an easier purchase process makes it more likely that customers will buy – and return to buy more. This often means storing lots of sensitive customer information, including credit card information, to make shopping more convenient. It also increasingly means depending on technology solutions from a growing number of third-party vendors. According to one survey, companies allow 89 vendors, on average, to access their networks.

Supply chain vulnerabilities have led to major data breaches for retailers. Examples include:

  • Target. Cybercriminals made off with credit or debit card information for 40 million accounts in an attack that was routed through the company’s HVAC vendor.
  • Home Depot. Accessing the Home Depot network via a third-party vendor, attackers installed malware that enabled them to steal information for 56 million credit/debit card accounts.
  • Under Armour. 150 million accounts were compromised by an attack that came through the MyFitnessPal app, which Under Armour had acquired.
  • Saks, Lord & Taylor. Five million credit and debit card accounts were compromised by an attack via a cash register system vendor.

According to a report from IBM, the average cost of a data breach in the United States in 2020 was over $8 million. In some cases, such as if the breach results in a violation of European data privacy laws and triggers massive fines, the cost can top $100 million, as it did for British Airways and Marriott.

In many cases, cybercriminals have used credentials from third-party vendors to get behind company firewalls and into point-of-sale (POS) systems to install malware.

Combatting Supply Chain Vulnerabilities

Conventional cybersecurity depends on a perimeter secured with firewalls, VPNs, and other technology intended to keep intruders out. But once a user-cum-attacker is inside the network, they have ready access to multiple points within.

Hazards are everywhere, and no security system is foolproof. Malware may be installed via a zero-day exploit, by a trusted – but not trustworthy – internal or third-party user, or in a successful phishing attack. That’s why it’s important to minimize the damage a hacker might do if they do manage to breach your defenses.

The best way to protect your business is to adopt a Zero Trust philosophy: don’t trust any users and don’t trust any websites. Treat everything with suspicion.

Microsegmenting access is an important step toward implementing a “zero trust” approach to securing your business from cyberattack. Users can access only the resources they need to get their job done and different servers, apps, and workloads are isolated from each other. If someone does manage to breach your system using compromised credentials, they would still only be able to access what the legitimate credential owner needed to get their job done. This minimizes potential exposure from a data breach, since it would block hackers from accessing the POS system, or installing malware behind the firewall.

There are a number of ways to implement microsegmentation. Many companies use role-based access control (RBAC), which entitles all users in a given role to access the same resources. This is not ideal: a better solution would be for each individual user to be able to access only the specific resources he or she needs. Most organizations have not implemented that level of granularity because of the high administrative burden involved.
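
The difference between perimeter-only, role-based and per-user access can be measured as the set of workloads a single stolen credential reaches. The sketch below is an added example, not code from this article or from any product it mentions; every identity, workload, grant and flow in it is constructed for illustration.

```python
from collections import deque

# Constructed sample environment; every name below is hypothetical.
WORKLOADS = {"hvac-portal", "billing-portal", "inventory-db", "pos-server", "card-vault"}
ROLE_OF = {"hvac-vendor": "vendor", "billing-vendor": "vendor", "store-clerk": "clerk"}
ROLE_GRANTS = {"vendor": {"hvac-portal", "billing-portal"}, "clerk": {"pos-server"}}
USER_GRANTS = {"hvac-vendor": {"hvac-portal"},
               "billing-vendor": {"billing-portal"},
               "store-clerk": {"pos-server"}}
# East-west flows left open between isolated workloads (everything else is denied).
SEGMENTED_FLOWS = {"billing-portal": {"inventory-db"},
                   "pos-server": {"card-vault", "inventory-db"}}
# Perimeter-only network: any workload can talk to any other.
FLAT_FLOWS = {w: WORKLOADS - {w} for w in WORKLOADS}


def blast_radius(entry_points, flows):
    """Workloads reachable from the granted entry points via allowed flows."""
    seen = set(entry_points)
    queue = deque(seen)
    while queue:
        src = queue.popleft()
        for dst in flows.get(src, ()):  # default deny: unlisted flows do not exist
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def compare(user):
    """Blast radius of one compromised credential under three access models."""
    return {
        "perimeter": blast_radius(WORKLOADS, FLAT_FLOWS),
        "rbac": blast_radius(ROLE_GRANTS[ROLE_OF[user]], SEGMENTED_FLOWS),
        "per_user": blast_radius(USER_GRANTS[user], SEGMENTED_FLOWS),
    }


if __name__ == "__main__":
    for model, reach in compare("hvac-vendor").items():
        print(f"{model:10} {len(reach)} workloads: {sorted(reach)}")
```

Running the same comparison for every identity in a real entitlement export shows which role grants are broader than any single user needs.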

For these companies, Ericom Application Isolator (EAI) is a game changer. It automates the access rights assignment process, making it easy to segment access down to the individual user and workload level. EAI also masks applications from users who are not authorized to use them, so in the event of a breach, the attacker wouldn’t even be able to see what exists on the network – and what is available to attack.

Going “Phishing” During the Holidays

With so much e-commerce activity, the holiday season is a popular time for cybercriminals to launch scams and phishing attacks against consumers. Retailers, however, need to protect their networks against more sophisticated cybercriminals, who focus on “wholesale” level attacks.

Conventional antivirus / antimalware software is based on identifying and blocking threats – that is, trusting everything except known threats. This is the polar opposite of the Zero Trust approach. It can’t protect against “zero day” exploits, whose signatures aren’t yet recognized and therefore will not be blocked. Remote Browser Isolation, on the other hand, is a Zero Trust approach that blocks all content, unless it is proven (or rendered) safe.

Ericom Shield Remote Browser Isolation executes all web browsing in a one-time use container on a remote server. If a user did accidentally click on the wrong link, there is no way for any malware to be installed on either the user’s device or the company’s network. Ericom Shield also protects against credential theft by preventing users from entering credentials into unrecognized websites, even if brilliantly spoofed.

Conclusion

Major retailers are an especially popular target for cyberthieves because they have personal information, including credit card data, for millions of consumers. That’s reason enough to be super-vigilant; the holiday season brings additional risk of attacks in the retail sector. Implementing Zero Trust Network Access is an excellent way for retailers to avoid becoming victims of expensive data breaches – and vectors of exposure of their customers’ data.

Lynne Boyd

Vice President Sales Americas | Ericom Software
For over twenty years, Lynne has specialized in building sales organizations that enable cybersecurity companies to dominate their segments. Before joining Ericom, she extended Symantec’s Western US Network and Endpoint sales to include cloud solutions. Lynne previously headed sales at Perspecsys and continued to lead cloud data protection related sales at Blue Coat, following Perspecsys’s acquisition. She similarly headed Cloakware’s sales organization and then became a sales leader at Irdeto, following its acquisition of Cloakware.