It is a uniquely interesting time to be fighting on the frontlines of the cybersecurity battle: the scale of the threats has grown rapidly in recent months and years, and the potential damage to retailers from exploited security flaws runs into the millions each year. While some businesses have, for one reason or another, slowly begun to recognise the need to better protect their online presence, many others are still scrambling to understand how best to protect themselves from digital harm.
For retailers in particular, building the highest quality cybersecurity protections can be the difference between booking profits and paying out millions in damages and extortion fees to increasingly savvy online threats, especially as retail’s most profitable sales period fast approaches.
“eCrime groups are prolific and opportunistic. They are found anywhere there is an opportunity to exploit vulnerabilities for financial gain. The retail sector in particular is vulnerable to not only disruption from ransomware attacks, but may also be targeted for the theft of customer payment data,” Nick Lowe, Director of CrowdStrike threat hunting team Falcon OverWatch, tells Power Retail. “Interestingly, [Falcon] OverWatch observed a spike in interactive intrusion activity impacting the retail sector in late 2021, coinciding with sales events and the busy holiday shopping season.”
“As we again head into this season for 2022, retailers should be particularly vigilant.”
While cyber crime and cybersecurity threats have grown across every industry around the world, few sectors are more heavily targeted than retail, and the speed with which online threats can take hold and wreak havoc on retailers’ internal systems should send shivers down the spine of every retailer questioning its own cybersecurity preparedness.
“According to the CrowdStrike 2022 Falcon OverWatch Threat Hunting report, when looking at eCrime activity, retail was one of the top 5 verticals by intrusion frequency globally between July 2021 and June 2022,” says Lowe. “In the Asia Pacific and Japan region, the retail industry stood out as one of the top five industry verticals overall when looking at the cumulative total of both eCrime activity and targeted intrusions between July 2021 and June 2022.”
“One of the most concerning observations from CrowdStrike’s recent 2022 OverWatch report was that eCrime groups are getting faster at infiltrating victims’ systems. The average speed at which they can move laterally within a victim’s network (aka the ‘breakout time’) was just 1 hour and 24 minutes.”
The data breach suffered by Optus, too, is a cautionary tale of what digital bad actors are capable of. This is true not only of the internal damage a cyberattack can cause and the extortion attempts that might follow, but also of the reputational catastrophe that can follow immediately. As Lowe notes, “Today’s eCrime adversaries have added the threat of data extortion to their arsenal, extracting and then threatening to leak sensitive customer or proprietary information which could lead to ongoing reputational damage for retailers.”
“This threat is growing, with the 2021 CrowdStrike Global Security Attitudes Survey revealing that 87% of respondents in Australia believe software supply chain attacks have the potential to become one of the biggest cyber threats to organisations over the next three years. The retail sector is no exception here.”
Even setting aside the considerable reputational harm a cyberattack can cause, the direct financial costs of inadequate cybersecurity are significant enough on their own.
“Cybercrime is a business for eCriminal groups and many have structures that operate like legitimate businesses. Financially, cybercrime pays off for many of these groups unfortunately,” Lowe explains. “According to the 2021 CrowdStrike Global Security Attitude Survey, Australian businesses paid on average US$1.53m in ransomware fees in 2020. The vast majority (94 percent) of those who end up paying their attackers said they were forced into paying additional extortion fees, equating to US$734,677 on average.”
So what steps can retailers take to improve their cybersecurity and protect themselves against digital harm? Lowe and CrowdStrike break it down into three parts:
First, Lowe suggests, “Identify hands-on activity.”
“Amidst a proliferation of eCrime and new critical vulnerabilities being announced, seemingly every other day, the threat landscape can seem overwhelming. But, there are measures that organisations can implement to stay ahead of the adversary. The most comprehensive security is achieved through the combination of robust security hygiene, automated detection technologies and proactive and human-driven hunting looking for interactive activity that deliberately seeks to evade automated security controls.”
“To look for these evasive and unknown threats, businesses should invest in a threat hunting program that focuses on identifying the early signs of hands-on-keyboard activity that follows initial access. This could be one of a number of patterns of potentially malicious behaviours that could include things like use of remote access tooling, out-of-hours access to systems, evidence of attempts to look at system or user information, or configuration changes,” Lowe continues. “Alone these activities are expected as part of normal operations, but in combination they can be a sign of something more sinister.”
Lowe also recommends that retailers maintain a proactive awareness of their digital presence, recognising that not every attack will be blocked, but that the damage can still be limited through early detection.
“Ransomware attacks are not one-step events. Once an adversary gains access to one device, they must go through several steps to understand the enterprise environment, gain access across multiple devices, and, finally, execute ransomware,” says Lowe. “Proactively monitoring for the tell-tale signs of this type of pre-ransomware behaviour is key to disrupting an adversary before they can do any damage.”
“This can be done by reviewing existing remote access points and ensuring logging is enabled and actively monitored to identify unusual access, monitoring the applications you have installed and maintaining an up-to-date network diagram, and using frequency analysis to elevate the least common activities and artifacts within an environment—these can be an indication of adversaries looking to blend into the noise.”
Finally, Lowe stresses the importance of retailers, businesses and individuals taking steps to secure their identities online.
“Once an eCrime adversary gains access, they often attempt to compromise additional valid accounts to extend their reach to additional devices, or to elevate their access to the level needed to execute ransomware. Adversaries may even create new accounts to achieve persistence in an environment,” Lowe outlines. “By deepening their foothold in an environment and increasing the number of infected devices, adversaries improve their chances of the victim paying the ransom demand.”
“Maintaining proper visibility of administrative changes, particularly as they relate to user accounts, is important for the early identification of malicious activity wherever it appears.”
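A minimal illustration of the hunting approach Lowe describes above (scoring hosts on co-occurring hands-on-keyboard signals, frequency analysis to surface rare artifacts, and watching for account changes), added here as an example that is not the article’s or CrowdStrike’s code; the event format, the indicator lists and the sample telemetry are all constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample telemetry (not real data): "ISO time|host|user|process|command line"
EVENTS = """\
2022-11-21T09:12:03|POS-01|clerk1|explorer.exe|explorer.exe
2022-11-21T10:02:11|POS-02|clerk2|explorer.exe|explorer.exe
2022-11-21T23:41:09|WS-07|svc_backup|anydesk.exe|anydesk.exe
2022-11-21T23:43:22|WS-07|svc_backup|cmd.exe|whoami /all
2022-11-21T23:44:05|WS-07|svc_backup|cmd.exe|net user helpdesk2 /add
2022-11-22T08:30:00|IT-01|itadmin|anydesk.exe|anydesk.exe
"""
# Assumed indicator lists (hypothetical; baseline them against your own environment).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.exe"}
RECON_PREFIXES = ("whoami", "systeminfo", "net user", "net group", "nltest", "quser")
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time

def parse_events(raw):
    # Each line becomes a dict with a real datetime for the out-of-hours check.
    events = []
    for line in raw.strip().splitlines():
        ts, host, user, proc, cmd = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "proc": proc.lower(), "cmd": cmd.lower()})
    return events

def host_signals(events):
    # Map each host to the set of distinct hands-on-keyboard signals seen on it.
    signals = defaultdict(set)
    for e in events:
        s = signals[e["host"]]
        if e["proc"] in REMOTE_ACCESS_TOOLS:
            s.add("remote_access_tool")
        if e["ts"].hour not in BUSINESS_HOURS:
            s.add("out_of_hours")
        if "/add" in e["cmd"] and e["cmd"].startswith(("net user", "net localgroup")):
            s.add("account_change")  # new account or group membership change
        elif e["cmd"].startswith(RECON_PREFIXES):
            s.add("recon")  # system or user information lookup
    return signals

def flag_hosts(events, min_signals=2):
    # A single signal is normal operations; several together warrant triage.
    return sorted(h for h, s in host_signals(events).items() if len(s) >= min_signals)

def rare_processes(events, max_hosts=1):
    # Frequency analysis: surface processes seen on no more than `max_hosts` hosts.
    hosts_by_proc = defaultdict(set)
    for e in events:
        hosts_by_proc[e["proc"]].add(e["host"])
    return sorted(p for p, hs in hosts_by_proc.items() if len(hs) <= max_hosts)
```

On the constructed data, IT-01 shows a single signal (a remote access tool during business hours) and is not flagged, while WS-07 combines four signals and is the only host returned for triage.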
Ultimately, as intimidating as the threat of cyber crime and malicious digital actors is, retailers, businesses and individuals alike still have a variety of options for strengthening their cybersecurity. In doing so, they can move forward with greater confidence of avoiding the kind of digital catastrophe that Optus continues to grapple with.