Advertisement

Holiday Season Creeping Up On You? Brick-And-Mortar Stores Are Still Under Attack

By​ ​Nir​ ​Polak,​ ​Exabeam

Year​ ​in​ ​and​ ​year​ ​out,​ ​retailers​ ​continue​ ​to​ ​be​ ​a​ ​top​ ​target​ ​for​ ​cyberattacks,​ ​According​ ​to​ ​the​ ​​2017​ ​Verizon Data​ ​Breach​ ​Report​,​ ​there​ ​were​ ​326​ ​reported​ ​data​ ​breaches​ ​in​ ​the​ ​last​ ​year​ ​alone.​ ​Online​ ​retailers​ ​are​ ​hit by​ ​the​ ​same​ ​types​ ​of​ ​attacks​ ​that​ ​other​ ​online​ ​firms​ ​receive,​ ​including:​ ​web​ ​application​ ​attacks,​ ​SQL injection,​ ​stolen​ ​customer​ ​credentials​ ​via​ ​phishing,​ ​etc.​ ​While​ ​retail​ ​CISOs​ ​work​ ​aggressively​ ​to​ ​protect their​ ​online​ ​environments,​ ​new​ ​threats​ ​emerge​ ​regularly.​ ​Online​ ​retailers​ ​are,​ ​by​ ​default,​ ​cyber organizations​ ​and​ ​therefore​ ​large​ ​targets​ ​for​ ​cyberattacks.​ ​However,​ ​this​ ​tells​ ​only​ ​half​ ​the​ ​story​ ​for​ ​the retail​ ​industry.  

This​ ​is​ ​because,​ ​of​ ​course,​ ​most​ ​of​ ​the​ ​largest​ ​retailers,​ ​except​ ​for​ ​one​ ​notable​ ​exception,​ ​maintain​ ​a large​ ​physical​ ​presence​ ​in​ ​the​ ​form​ ​of​ ​brick-and-mortar​ ​stores.​ ​Physical​ ​stores​ ​bring​ ​along​ ​a​ ​huge​ ​set​ ​of security​ ​threats​ ​that​ ​are​ ​very​ ​different​ ​from​ ​online​ ​operations,​ ​including:​ ​credit​ ​card​ ​skimmers, point-of-sale​ ​malware​ ​and​ ​privilege​ ​misuse,​ ​among​ ​other​ ​threats.​ ​This​ ​is​ ​partly​ ​due​ ​to​ ​the​ ​fact​ ​that​ ​the retail​ ​industry​ ​is​ ​well-known​ ​for​ ​seasonal​ ​turnover,​ ​as​ ​a​ ​large​ ​portion​ ​of​ ​retail​ ​staff​ ​are​ ​only​ ​hired​ ​for​ ​a​ ​few months​ ​during​ ​the​ ​holidays.​ ​These​ ​short-term​ ​hires​ ​typically​ ​work​ ​in​ ​the​ ​physical​ ​stores,​ ​leaving​ ​more room​ ​for​ ​a​ ​malicious​ ​hire​ ​to​ ​access​ ​local​ ​systems​ ​and​ ​install​ ​malware​ ​directly​ ​on​ ​in-store​ ​systems.  

Advertisement

As​ ​mentioned​ ​above,​ ​the​ ​large​ ​retailers​ ​maintain​ ​both​ ​large​ ​online​ ​and​ ​physical​ ​store​ ​presences.​ ​They have​ ​the​ ​worst​ ​of​ ​both​ ​worlds.​ ​Their​ ​online​ ​operations​ ​are​ ​at​ ​risk​ ​of​ ​cyberattacks,​ ​while​ ​their​ ​store networks​ ​face​ ​an​ ​entirely​ ​different​ ​set​ ​of​ ​threats.​ ​Of​ ​course,​ ​these​ ​firms​ ​are​ ​established​ ​enough​ ​to​ ​have sizable​ ​back​ ​office​ ​operations,​ ​so​ ​in​ ​addition​ ​to​ ​online​ ​systems​ ​and​ ​a​ ​physical​ ​retail​ ​network,​ ​they​ ​also have​ ​a​ ​separate​ ​corporate​ ​network​ ​—​ ​where​ ​payroll,​ ​finance,​ ​customer​ ​and​ ​employee​ ​health​ ​care systems​ ​reside.​ ​In​ ​fact,​ ​previous​ ​breaches​ ​have​ ​involved​ ​hackers​ ​that​ ​penetrated​ ​the​ ​retail​ ​network​ ​and then​ ​jumped​ ​into​ ​the​ ​corporate​ ​network,​ ​or​ ​vice​ ​versa.   

What’s​ ​a​ ​CISO​ ​to​ ​do​ ​in​ ​an​ ​environment​ ​that​ ​includes​ ​web​ ​systems,​ ​a​ ​distributed​ ​physical​ ​retail​ ​network and​ ​a​ ​corporate​ ​network​ ​with​ ​sensitive​ ​data,​ ​with​ ​nearly​ ​everything​ ​exposed​ ​to​ ​remote​ ​hackers​ ​and temporary​ ​employees?​ ​It’s​ ​a​ ​tough​ ​scenario,​ ​and​ ​perhaps​ ​it’s​ ​not​ ​surprising​ ​that​ ​so​ ​many​ ​breaches​ ​have occurred,​ ​and​ ​will​ ​continue​ ​to​ ​occur​ ​in​ ​this​ ​industry.   

It’s​ ​important​ ​that​ ​CISOs​ ​educate​ ​themselves​ ​and​ ​continue​ ​to​ ​steer​ ​their​ ​executives​ ​and​ ​boards​ ​of directors​ ​toward​ ​innovations.​ ​New​ ​techniques​ ​can​ ​truly​ ​help​ ​reduce​ ​the​ ​risk​ ​of​ ​a​ ​breach​ ​significantly.​ ​For instance,​ ​the​ ​use​ ​of​ ​user​ ​behavioral​ ​analytics​ ​has​ ​already​ ​been​ ​successful​ ​at​ ​large​ ​retailers​ ​in​ ​detecting jumps​ ​from​ ​the​ ​corporate​ ​to​ ​the​ ​retail​ ​network.​ ​These​ ​systems​ ​can​ ​also​ ​be​ ​quite​ ​effective​ ​in​ ​modeling behavior​ ​of​ ​new​ ​(i.e.​ ​seasonal)​ ​employees,​ ​helpful​ ​when​ ​managers​ ​have​ ​little​ ​personal​ ​history​ ​with short-term​ ​staff.​ ​In​ ​fact,​ ​older​ ​security​ ​solutions​ ​weren’t​ ​built​ ​for​ ​this​ ​type​ ​of​ ​detection,​ ​but​ ​the​ ​amount​ ​of data​ ​generated​ ​today​ ​prevents​ ​detection​ ​by​ ​human​ ​staff​ ​alone.   

Retail​ ​security​ ​professionals​ ​should​ ​take​ ​a​ ​close​ ​look​ ​at​ ​the​ ​latest​ ​in​ ​security​ ​and​ ​user​ ​behavioral analytics.​ ​The​ ​technology​ ​has​ ​improved​ ​dramatically​ ​in​ ​the​ ​past​ ​two​ ​years​ ​and​ ​can​ ​provide​ ​significant​ ​risk reduction.​ ​After​ ​all,​ ​we​ ​aren’t​ ​too​ ​far​ ​from​ ​Christmas…  


Nir​ ​Polak​ ​is​ ​co-founder​ ​and​ ​CEO​ ​of ​Exabeam​.​ ​He​ ​has​ ​13​ ​years​ ​of​ ​experience​ ​in​ ​information​ ​security, including​ ​executive​ ​experience​ ​setting​ ​company​ ​strategy,​ ​driving​ ​execution,​ ​building​ ​new​ ​products​ ​and bringing​ ​them​ ​to​ ​market.​ ​While​ ​at​ ​Imperva,​ ​Polak​ ​set​ ​the​ ​company​ ​product​ ​strategy,​ ​and​ ​launched​ ​and managed​ ​the​ ​worldwide​ ​services​ ​organization.​ ​He​ ​also​ ​held​ ​engineering​ ​positions​ ​at​ ​Adjungo​ ​Networks (acquired​ ​by​ ​Flash​ ​Networks)​ ​and​ ​Shopping.com​ ​(acquired​ ​by​ ​eBay). Outline Headings you add to the document will appear here.

Advertisement

Advertisement

Upcoming Events

Access The Media Kit

Interests:

Access Our Editorial Calendar




If you are downloading this on behalf of a client, please provide the company name and website information below: