Attributed to: Budiman Tsjin, Solutions Engineering Manager for ASEAN, CyberArk
The new year brings new challenges for the retail space, with organisations struggling to keep up with demand amid supply chain issues, shipping delays and other current realities. But it is not all bad news. According to a report by Singapore's Department of Statistics, retail sales recorded 10.4 percent growth during the period of October 2021-October 2022. Customers are shopping eagerly in-store and online, prompting retailers to improve their shopping experience to attract and retain customers. This includes utilising cloud-hosted e-commerce sites and applications to enhance service efficiencies and deliver personalised offerings.
Despite these advantages, retailers looking to maintain customer loyalty and trust must remain wary of attackers seeking to exploit the swell in online shoppers to wreak havoc. Notably, the Cyber Security Agency of Singapore (CSA) and the Singapore Police Force have issued a joint advisory for retailers to remain vigilant of online threats such as phishing and e-commerce scams.
According to the Singapore Police Force's Annual Scams and Cybercrime Brief, phishing was the highest reported scam type in 2022, with 7,097 cases reported. The losses from these phishing incidents alone amounted to SGD16.5 million. Scams targeting e-commerce in the same period amounted to 4,762 reported cases, totalling SGD21.3 million in losses. These figures emphasise how effective and lucrative phishing and e-commerce scams are for cybercriminals.
Many retailers also store shoppers' personally identifiable information (PII) such as credit card numbers and payment details in the public cloud to deliver efficient, high-quality service offerings. With many retailers storing high volumes of PII, a successful cyberattack can have far-reaching consequences such as financial loss, reputational damage and weakened customer trust.
Handling credit card information also subjects retailers to the PCI (Payment Card Industry) Data Security Standards, a global standard that aims to enforce security best practices to protect data held by payment services from breaches. Failure to meet these standards will leave organisations liable to legal penalties and sanctions that can severely impact them.
Common Cyber Weaknesses in Retail
While cloud technologies enable retailers to deliver new and innovative services that will drive customers to their front door, retailers also need to address new security gaps and misconfigurations to ensure a smooth and flawless shopping experience. Some of the most common weaknesses that attackers can exploit include:
Unnecessary data access rights. Because of the rapidly evolving nature of cloud technologies, retailers often configure their security tools to provide their employees and devices with convenient access to company resources, greatly reducing identity security. Retailers become more vulnerable, since identities are valuable targets for cyber-attackers trying to gain entry to retailers' systems. Preventing identity theft requires organisations to adopt least privilege access, which provides users and devices with only the minimum privileges required to access company resources and prevents cyber-attackers from exploiting over-privileged accounts.
Retailers should also integrate multi-factor authentication to provide their cyber landscapes with an extra layer of security.
Through AI-driven adaptive controls, organisations can assess the security posture of users and devices before implementing dynamic authentication controls to negate the risk of breaches while maintaining ease of access for users and their devices. In addition, businesses need to consider the use of independent audits, red teams and penetration testing to vet third-party vendors' security posture before integrating those vendors' solutions into their tech stacks.
E-commerce website vulnerabilities. As retailers look to provide the best in-store experiences, they also need to consider their online services. This is especially the case as cyber-attackers prowl for vulnerable e-commerce sites with rudimentary barriers. Attack methods such as Distributed Denial of Service (DDoS), SQL injection and e-skimming can disrupt online retail operations, turning customers away from doing business with you.
As such, organisations should follow CSA's SG Cyber Safe Programme, which supplies the right resources to enhance their protection capabilities. These include toolkits, curated products and services, and certification schemes to strengthen cybersecurity initiatives.
Translate Cybersecurity Initiatives into Positive Experiences
Cybersecurity will be a key enabler in maximising retailers' productivity, maintaining brand reputation and building trustworthiness throughout 2023. Achieving this requires retailers to be aware of the most effective solutions that can keep their virtual resources under lock and key without slowing down business operations. By making identity security a core part of operations, retailers will be able to provide engaging shopping services that mitigate the risk of incidents like data breaches.