According to the 2022 Internet Crime Report by the FBI’s Internet Crime Complaint Center, the potential total loss from cybercrime in the U.S. increased from $6.9 billion in 2021 to more than $10.2 billion a year later. Current projections suggest that the cybercrime problem will only worsen.
In fact, cybersecurity-research firm Cybersecurity Ventures estimates that the annual global cost of cybercrime damage will reach $10.5 trillion by 2025 — a massive jump from $3 trillion in 2015.
The retail industry — which collects a tremendous amount of customer data and facilitates an enormous number of transactions — has long been a popular target for cybercriminals.
“Retailers have had an exceptionally high rate of ransomware attacks relative to all other industries, and the problem got much worse during and after the COVID-19 pandemic,” Katerie Whitman, managing director of tech-analysis and business-consulting firm Strategic Business Insights, told The Food Institute.
The pandemic’s hastening of the retail industry’s digital transformation and retailers’ post-pandemic efforts to link new digital environments and online channels with brick-and-mortar stores have introduced a variety of new cybersecurity risks.
The Risks of Evolving Technology
Generative AI, Whitman said, “is already beginning to allow threat actors to synthesize phishing emails, impersonate voices, and otherwise run social-engineering attacks that could be vastly more effective than anything we have seen in the past.”
As links between digital and physical retail environments continue to form and cybersecurity threats emerge and evolve, retailers must implement cybersecurity best practices to protect themselves, their employees, and their customers.
In an article for Verizon Business, James Hughes — Verizon Business’s retail chief technology officer for Europe, the Middle East, and Africa — provided insights about the retail industry’s unique cybersecurity landscape.
“The challenge for retail, more than most other industries, is people,” Hughes explained. “The human element factors in almost three-quarters (74%) of all breaches.
“The fact that retail contends with labor shortage, high rate of employee turnover, and a workforce that isn’t digitally well-versed can leave retailers vulnerable to phishing and smishing.”
Hughes says that retailers can begin addressing this human element by training their employees to identify and avoid phishing schemes and other attacks that rely on social engineering. In addition, Hughes suggests that retailers could use augmented- and virtual-reality technologies in remote video training to overcome the industry’s challenge of bringing seasonal and temporary employees up to speed on cybersecurity best practices.
Key Safety Measures
One way that retailers can address the human element, Hughes says, is to maintain tight control over which employees have access to sensitive information and systems.
“Taking a zero-trust approach to cybersecurity, whereby all users are authenticated, authorized and continuously validated, can also be very effective,” Hughes offered. “This model acknowledges the reality that security threats can come from anywhere, including from unsuspecting users from within an organization.”
In securing themselves against cybercrime, retailers must address not only the human element but also the digital element.
Verizon Business recommends that retailers keep applications, software, and systems current with the latest security patches; implement data-protection measures that safeguard stored company, employee, and customer data and ensure the proper disposal of sensitive data; and use payment-processing systems that are trustworthy and secure.
Pointing to the retail industry’s susceptibility to ransomware attacks, Whitman emphasizes the need for retailers to create and maintain backups of business-critical data — a sometimes-overlooked cybersecurity best practice. She noted:
“Retailers who defeat ransomware attacks by means other than paying the ransom typically do so by restoring from a backup.”
“Nevertheless, an alarmingly high percentage of retailers — about one-third in the most recent survey I saw — were not able to deal with a ransomware attack in this way, because a good backup was not available,” she added.
Hughes ultimately argued that combating increasing payment-data theft in the retail industry requires retailers to maintain compliance with regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS). The Payment Card Industry Security Standards Council plans to enact version 4.0 of the standard in early 2024.
“As hackers become more sophisticated, adhering to the latest global technical and operational standards will be instrumental in helping to protect account data moving forward,” Hughes said.