It’s a case of ‘digitise or die’ for Australian retailers but doing so can see sensitive customer and corporate information exposed to new risks.
According to the NAB Online Retail Sales Index, Australians spent an impressive $26.5 billion on online retail in the 12 months to June 2018.
Online shopping has become a significant component of the mainstream retail sector and local chains need to augment their bricks and mortar outlets with internet storefronts or risk losing a sizeable chunk of their turnover and profits.
Digital transformation may call for the wholesale replacement of systems, the migration of corporate and customer data to new software, a move to the cloud and the embrace of Internet of Things (IoT) devices.
It’s ambitious, mission critical activity and can be dangerous too, if new risks are not recognised and mitigated before systems and infrastructure go live. Here are a couple to look out for.
Crypto-jacking
Unfortunately for the businesses and organisations in their sights, hackers and cyber-criminals don’t rest on their laurels. They’re constantly finding new ways to infiltrate and hijack corporate computing resources for their own ends. Crypto-jacking – diverting computing resources from their legitimate purpose and using them to mine for crypto-currency – is their newest means of doing so. It’s lately overtaken ransomware to become the most common form of cyber threat, and there are two ways retailers can be affected.
Rogue employees may choose to subvert ICT systems to mine for crypto-currency covertly, potentially slowing critical systems in the process. Alternatively, crypto-jacking malware can be used to infect IT systems to the same end. In both cases, the mining will be designed to escape detection for as long as possible and, for retailers, a decline in IT performance is likely to be the only symptom.
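Because the article's point is that a sustained performance drop may be the only symptom, the practical defensive response is to watch host utilisation telemetry for exactly that pattern. The following is an added example, not code from the article or from LogRhythm: a small detector that flags any host whose CPU stays above a threshold for several consecutive samples while the process dominating the CPU is not one expected on that host class. The telemetry rows, host names, thresholds and process names (including `updsvc.exe`) are all constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Sample(NamedTuple):
    host: str       # hostname; the prefix before "-" is the host class (assumption)
    ts: str         # sample timestamp, constructed, ISO-like so string sort == time sort
    cpu_pct: int    # total CPU utilisation (%) at sample time
    top_proc: str   # process consuming the most CPU at sample time


# Tuning assumptions: sustained >= 85% CPU for 3 consecutive 5-minute samples.
HIGH_CPU = 85
MIN_RUN = 3

# Processes that legitimately drive CPU on each host class (constructed allowlist).
EXPECTED: Dict[str, Set[str]] = {
    "pos": {"posapp.exe", "svchost.exe"},
    "web": {"nginx", "php-fpm"},
}

# Constructed telemetry: a POS terminal whose CPU is pinned overnight by an
# unrecognised process, a web server under legitimate peak load, and a POS
# terminal with a burst too short to be worth alerting on.
SAMPLES: List[Sample] = [
    Sample("pos-01", "2019-01-07T02:00", 12, "posapp.exe"),
    Sample("pos-01", "2019-01-07T02:05", 14, "posapp.exe"),
    Sample("pos-01", "2019-01-07T02:10", 91, "updsvc.exe"),
    Sample("pos-01", "2019-01-07T02:15", 94, "updsvc.exe"),
    Sample("pos-01", "2019-01-07T02:20", 93, "updsvc.exe"),
    Sample("pos-01", "2019-01-07T02:25", 92, "updsvc.exe"),
    Sample("pos-01", "2019-01-07T02:30", 90, "updsvc.exe"),
    Sample("web-01", "2019-01-07T09:00", 88, "nginx"),
    Sample("web-01", "2019-01-07T09:05", 92, "nginx"),
    Sample("web-01", "2019-01-07T09:10", 90, "nginx"),
    Sample("web-01", "2019-01-07T09:15", 40, "nginx"),
    Sample("pos-02", "2019-01-07T02:10", 96, "updsvc.exe"),
    Sample("pos-02", "2019-01-07T02:15", 97, "updsvc.exe"),
    Sample("pos-02", "2019-01-07T02:20", 20, "posapp.exe"),
]

Alert = Tuple[str, str, str, List[str]]  # (host, first_ts, last_ts, unexpected procs)


def host_class(host: str) -> str:
    """Derive the host class from the hostname prefix (naming convention assumed)."""
    return host.split("-", 1)[0]


def find_sustained_cpu(samples: List[Sample], high: int = HIGH_CPU,
                       min_run: int = MIN_RUN) -> List[Alert]:
    """Return one alert per run of >= min_run consecutive samples at or above
    `high` CPU where at least one dominant process is not on the allowlist
    for the host's class. Legitimate peaks (expected process) are ignored."""
    by_host: Dict[str, List[Sample]] = defaultdict(list)
    for s in samples:
        by_host[s.host].append(s)

    alerts: List[Alert] = []
    for host, rows in by_host.items():
        rows.sort(key=lambda s: s.ts)
        allowed = EXPECTED.get(host_class(host), set())
        run: List[Sample] = []
        # Append a sentinel so a run that reaches the end of the data is closed.
        for s in rows + [None]:
            if s is not None and s.cpu_pct >= high:
                run.append(s)
                continue
            if len(run) >= min_run:
                unexpected = sorted({r.top_proc for r in run} - allowed)
                if unexpected:
                    alerts.append((host, run[0].ts, run[-1].ts, unexpected))
            run = []
    return alerts


if __name__ == "__main__":
    for host, start, end, procs in find_sustained_cpu(SAMPLES):
        print(f"{host}: CPU >= {HIGH_CPU}% from {start} to {end}, driven by {procs}")
```

Run as-is, the detector reports only `pos-01`: the web server's peak is driven by an expected process, and the second terminal's burst is shorter than the minimum run. Lowering `min_run` trades fewer missed short bursts for more noise, which is the usual tuning decision for this kind of rule; in production the allowlist and thresholds would come from a per-host baseline rather than constants.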
Supply chain attacks
Complex supply chains are the sine qua non of large retailers. Digital transformation can result in the creation of a web of connections with manufacturers, distributors and logistics firms and every connection represents a potential vulnerability for hackers to identify and exploit.
System or privacy breaches caused or experienced by suppliers and partners can be damaging for retailers, even though the fault is not their own. Similarly, if these third parties don’t inform retailers about attacks they’ve experienced, it’s impossible for the retailers to react defensively.
The vastly expanded attack surface which digitisation can create means retailers must aspire to secure more than just the perimeter. A secure ecosystem is what they must now, in partnership with their suppliers, strive to create.
In addition to these emerging risks, retailers must remain vigilant in the face of the longstanding threats that are as real – and frequent – as ever.
Chief among these is the compromise of point of sale (POS) systems. Threats include the interception of network traffic in order to steal payment details, and the use of malware to steal credit and debit card data. The hijacking of POS terminals has cost large retailers dear in the US – chain store Target paid $18.5 million in settlements following just such an incident in 2013 – and Australian retailers are every bit as vulnerable as their international counterparts.
Meanwhile, next generation mobile card readers and POS machines from vendors including Square and PayPal represent a new frontier for hackers. While their portability makes it easier for merchants to take the sale to the customer, security researchers have identified significant vulnerabilities with these devices and systems.
Distributed denial of service
Website outages and interruptions, courtesy of distributed denial of service (DDoS) attacks, are also an ongoing threat to Australian retail chains. The term refers to the harnessing of multiple compromised computer systems to attack a website, server or network resource, with the aim of slowing or crashing it. Disruptive to operations at the best of times, DDoS attacks can be financially devastating during peak trading periods, such as the pre-Christmas rush and Boxing Day sales, and every local retailer with an online presence is potentially a target.
Notifiable data breaches
Tough new privacy laws which affect every local retailer of size came into force in Australia in February 2018. As a result of changes to the Privacy Act, all businesses with turnover in excess of $3 million must notify their customers and the Office of the Information Commissioner within 30 days, should they suspect or experience a serious data breach. That includes any situation where personal information, including customers’ names and contact details, is compromised. Retailers risk financial penalties – up to $1.8 million for serious and persistent offenders – and significant damage to reputation, if they don’t take every reasonable step to prevent breaches occurring.
Securing the future
Embracing digitisation is no longer optional for Australian retailers; it’s essential for their profitability and viability in 2019 and beyond. Recognising and mitigating the security risks the exercise gives rise to should be integral to the process.
Joanne Wong is the Senior Regional Marketing Director Asia Pacific and Japan at LogRhythm