Latest global data breach research suggests both small and large retail and hospitality operators could do still more to strengthen defences against loss and privacy infringements
Retailers rank second among the industries most targeted by cybercrime, accounting for nearly a quarter of all data breaches in 2012, according to this year's Data Breach Investigations Report released this week.
It found that 24% of breaches occurred in retail environments and restaurants, compared to financial organisations, which topped the list of target industries with 37% of breaches.
Comprehensive global study
The report findings were based on more than 47,000 reported security incidents gathered from 19 contributing public and private organisations around the world, many of which manage national cyber security, such as the Dutch Police National High Tech Crime Unit, or work to develop its defences, like Deloitte and the Insider Threat Center at the Carnegie Mellon University Software Engineering Institute (CERT).
The report has been compiled every year since 2004 by the RISK Team of security analysts at IT company Verizon. This year, the 621 confirmed data disclosure incidents were aggregated and analysed using the Vocabulary for Event Recording and Incident Sharing (VERIS) data coding standard, so that results from different contributors could be compared on a common footing.
The fact that retail emerged as a key target for cyber criminals was evidence that a definite relationship exists between the value of the data targeted and the attack motive, Chris Novak, retail specialist managing principal at Verizon, told Retail Technology.
Industry provides lucrative target
“This was our most comprehensive study ever,” said Novak. “It showed that every type of retail business, from small retailers to big chains in every sector, including hospitality and leisure, is being targeted by cyber criminals. This is because this is where a lot of money goes and personal or card data gets used.”
He added that retail proved an attractive target for easily commoditised personal and card data from the end user - accounting for 75% of all data breaches - whereas other industries, such as financial institutions or manufacturing, are more lucrative targets for the theft of money or intellectual property respectively.
Overall, Novak reported that “the numbers look pretty consistent on the previous year”. “Security in the retail space has improved,” he said. “Retailers are not just doing their due diligence with third party providers,” he said, for example, “and not just asking are providers secure but saying, ‘prove it’ and sending in their own teams to review their security posture.”
But he stressed the industry’s popularity as a cyber crime target meant there was still work to do, especially as the criminals are updating their attack vectors as quickly as retailers strengthen their defences.
Secure the physical and virtual
“The sophistication of retail attacks is much more developed,” he continued. “They are aiming for PoS [point-of-sale] or PED [PIN entry device] hardware and looking at attack vectors outside of typical network intrusions, given that increasing PCI [Payment Card Industry] compliance makes breaching their networks harder.”
Novak said that, from personal experience, the last few cases he had investigated involved criminals compromising payment terminal hardware and using Bluetooth or Wi-Fi to transmit payment data directly from the hardware without ever crossing the retailer’s own network and detection systems.
He advised companies to re-double network security efforts. “Different sized organisations need to look at different things,” he said.
“For smaller organisations, which accounted for a large proportion of the industry's data breaches, the basics of defending against network intrusions are important, especially if they haven’t already got the message about PCI the first time ‘round or lack the money or resources to deal with it.”
“For larger retail organisations, I would say to carry out a ‘true’ risk assessment,” added Novak. “They need to do an inventory of devices to look again at their security stance from a physical perspective, as well as what they're doing from a discovery and detection perspective, especially as, sometimes, the device itself can't tell you it's been tampered with."
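The two pieces of advice above, a physical inventory of payment devices and a detection capability that does not rely on the device reporting its own tampering, can be turned into a routine check. The following is an added example and is not code from Verizon or the report. It assumes a store keeps a baseline of the model, serial number, firmware and tamper-evident seal number for each PIN entry device, that staff record the same fields on a walk-round, and that the walk-round also logs Bluetooth and Wi-Fi radios seen near each lane. All device data, lanes and MAC addresses below are constructed for illustration. Reconciling the two inventories surfaces substituted or opened units; correlating that with strong unapproved radios near the same lane targets the wireless exfiltration pattern Novak describes. (Periodic inspection of this kind was later formalised by PCI DSS v3.0 requirement 9.9.)

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Device:
    model: str
    serial: str
    firmware: str
    seal: str  # tamper-evident seal number recorded when the unit was installed


# Constructed baseline: what the store believes is installed at each lane.
BASELINE: Dict[str, Device] = {
    "lane1": Device("PED-2000", "SN10001", "4.2.1", "S-0451"),
    "lane2": Device("PED-2000", "SN10002", "4.2.1", "S-0452"),
    "lane3": Device("PED-2000", "SN10003", "4.2.1", "S-0453"),
    "lane4": Device("PED-2000", "SN10004", "4.2.1", "S-0454"),
}

# Constructed walk-round: what staff actually found at each lane.
OBSERVED: Dict[str, Device] = {
    "lane1": Device("PED-2000", "SN10001", "4.2.1", "S-0451"),  # unchanged
    "lane2": Device("PED-2000", "SN10002", "4.2.1", "S-0919"),  # seal replaced: unit was opened
    "lane3": Device("PED-2000", "SN20077", "4.2.1", "S-0453"),  # new serial under a copied seal: swapped unit
    "lane5": Device("PED-2000", "SN30001", "4.2.1", "S-0001"),  # lane5 was never in the baseline
}
# lane4 is absent from OBSERVED, i.e. the device is missing.

# Constructed radio survey: (lane, mac, radio type, signal strength in dBm).
APPROVED_RADIOS = {"00:11:22:33:44:55"}  # the store's own access point (constructed)
SURVEY: List[Tuple[str, str, str, int]] = [
    ("lane1", "00:11:22:33:44:55", "wifi", -55),       # approved AP
    ("lane2", "02:aa:bb:cc:dd:01", "bluetooth", -35),  # strong, unknown, right at the lane
    ("lane3", "02:aa:bb:cc:dd:02", "wifi", -41),       # strong, unknown
    ("lane1", "02:aa:bb:cc:dd:03", "bluetooth", -82),  # weak: most likely a passing phone
]


def reconcile(baseline: Dict[str, Device], observed: Dict[str, Device]) -> Dict[str, List[str]]:
    """Compare the walk-round against the baseline and return issues per lane.

    The device itself is never asked whether it was tampered with; every
    finding comes from fields a person can read off the unit.
    """
    issues: Dict[str, List[str]] = {}
    for lane, base in baseline.items():
        seen = observed.get(lane)
        if seen is None:
            issues[lane] = ["missing"]
            continue
        found = []
        if seen.serial != base.serial:
            found.append("serial-mismatch")      # substitution with another unit
        if seen.model != base.model:
            found.append("model-mismatch")
        if seen.firmware != base.firmware:
            found.append("firmware-changed")     # unplanned update, or a reflashed unit
        if seen.seal != base.seal:
            found.append("seal-changed")         # case opened and resealed
        if found:
            issues[lane] = found
    for lane in sorted(observed.keys() - baseline.keys()):
        issues[lane] = ["unknown-device"]
    return issues


def unexpected_radios(survey, approved, min_rssi: int = -60):
    """Radios that are not on the approved list and are strong enough to be
    at the lane rather than passing by.  Threshold is an assumption to tune per site."""
    return [(lane, mac, radio, rssi)
            for lane, mac, radio, rssi in survey
            if mac.lower() not in approved and rssi >= min_rssi]


def priority_lanes(issues: Dict[str, List[str]], radios) -> List[str]:
    """Lanes with both a physical anomaly and an unapproved radio nearby:
    the combination matches a compromised terminal exfiltrating over
    Bluetooth or Wi-Fi without touching the store network."""
    return sorted(set(issues) & {lane for lane, _, _, _ in radios})


if __name__ == "__main__":
    issues = reconcile(BASELINE, OBSERVED)
    radios = unexpected_radios(SURVEY, APPROVED_RADIOS)
    for lane, found in sorted(issues.items()):
        print(f"{lane}: {', '.join(found)}")
    for lane, mac, radio, rssi in radios:
        print(f"{lane}: unapproved {radio} {mac} at {rssi} dBm")
    print("investigate first:", priority_lanes(issues, radios))
```

The point of splitting the checks is that each one alone is noisy: a seal number can be mis-typed and a strong unknown Bluetooth device is usually a phone, but a resealed or swapped terminal with an unexplained radio beside it is exactly the case an investigator wants to pull off the floor first.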
Cloud, BYOD and mobile emerge
New areas that Novak flagged as emerging on the retail threat landscape included 'Bring Your Own Device' and cloud computing. "We found retailers seemed to be concerned about security in these areas," he explained. "But we didn't see any significant variation in the data here; it's not suddenly become a more risky category, but perhaps has more to do with [retail] perceptions.
"Just because you don't own or control it, doesn't mean its security is worse," he added. "It's rather like driving a car - you feel safe because you have control. But that doesn't mean that air travel is less safe, even though you might be nervous about flying - it is, in fact, safer."
When it came to mobile, Novak said this was still an emerging area, where organisations - and not end users - are still seen as the most lucrative, scalable targets. "We are monitoring it. And it is true that, as we move to using more smartphones and tablets per person that are always on and always internet-connected, it would be easy [for a criminal] to snag one to steal personal data.
"But there are still many different forms of m-payments that are not standard yet. From a directional perspective, we see it [attacks] will move that way, but the cyber criminals want to go after a population of users until it is big enough."