Retailers, we have a problem – half of the devices powering frontline operations are running outdated operating systems, leaving them vulnerable to known security risks. And to make matters worse? Hackers armed with generative AI are actively hunting them down and fueling a surge in ransomware, malware and phishing attacks.
This is a double-edged security issue with revenue repercussions. From connected TVs displaying signage to tablets serving as point-of-sale (POS) systems, connected endpoints in retail can quickly become network entry points if they’re not up to date. Then, once inside, hackers can hold operations up for ransom, steal customer data and disrupt sales for weeks. Not only does this hurt bottom lines but also brand reputations when they matter most.
With a softer holiday season on the horizon, retailers need to nip this threat in the bud by improving device patching and protection.
Old and Outdated Devices are a Real Retail Risk
Devices in retail take on different functions than their consumer counterparts – inventory scanners in stockrooms, handheld devices for click-and-collect, mobile payment readers on the sales floor – but they’re devices all the same. They’re connected to the internet which means they’re hackable, and this is much more likely when running legacy hardware or outdated software.
Advertisement
The scale of this threat is staggering. Zimperium’s annual threat report found that more than 50% of mobile devices are running outdated operating systems, with 25% too old to upgrade. These systems create untrusted environments where even apps with security measures become susceptible to manipulation.
For retailers managing hundreds of devices across multiple locations, this means that one out of every two scanners, tablets or payment readers is at risk at some point in the year. And hackers now have an added advantage: AI tools that automate vulnerability discovery, craft convincing phishing campaigns and scale the kinds of attacks that previously required large teams. Unfortunately, hackers can do more damage with fewer resources, and outdated devices make every attack easier to execute.
Why Retail’s an Attractive Hacking Target
The main issue is that outdated devices are usually left unpatched. Bad actors might uncover a vulnerability, but software makers are quick to hit back and plug the hole with an update. However, if left uninstalled, retailers expose devices and themselves to known backdoors. According to the Ponemon Institute, 60% of breach victims reported being compromised due to a known yet unpatched vulnerability. This is arguably the most frustrating aspect of this attack vector – these are vulnerabilities with readily available and easy-to-fix solutions.
Specific elements of retail also make it a more appealing target. The sector’s complex supply chains make short-term disruptions very expensive. Uptime is the bottom line and businesses are more willing to pay to restore service as quickly as possible. Add to this the fact that retailers handle vast troves of customer data and payment information, and it’s no wonder that retail ransomware attacks were up 58% between Q1 and Q2 of this year.
A big jump like this is evident in more cases and bigger breaches. Over Easter, UK retailer Marks & Spencer suffered a ransomware attack that resulted in £300 million in lost profits and a 46-day suspension of online operations. The company had to revert to pen-and-paper inventory tracking during one of its busiest periods, and reported the compromise of customer data points including full names and addresses. The financial and reputational damage of this kind of hack speaks for itself. Clearly, even major retailers are vulnerable, and yet security gaps remain concerningly common.
The Moment Demands a Redoubling of Device Efforts
All of this matters as we head into the holidays. Sales this year are expected to grow at their slowest rate since the pandemic, which is expected to usher in tighter margins. Every transaction counts, and devices running unpatched software create operational friction in addition to security vulnerabilities. Outdated devices are often slow and sluggish, creating a double negative by frustrating customers and unwittingly inviting attackers. Retailers can’t afford either risk.
The good news is that retailers can fight back with targeted and practical actions. First, update operating systems across your fleet. If a device is too old to update, replace it. Likewise, check that all software and apps are running the latest version. A unified endpoint management platform can help in this regard by centralizing visibility and remotely automating updates during off-peak hours. This ensures that devices are standardized at a click without impacting operations.
Both best practice and current context demand a redoubling of device efforts. Implement zero-touch enrollment so that new POS tablets auto-configure with security policies from day one. Additionally, by setting devices to kiosk mode, admins can lock devices and better dictate their functions. It’s also essential to involve staff in the process by educating them on the latest social engineering trends and fostering a security-first culture.
For too long, these devices have been the forgotten endpoints in retail security. Hackers see an opening in lax policies – retailers must respond in kind and not give them an inch. Ultimately, device complacency will cost far more, both in actual sales and future reputation, than treating endpoints with the protection they demand.
Apu Pavithran is the Founder and CEO of Hexnode and a recognized consultant, speaker and thought leader in the IT management community, with a focus on governance and information security.
