The adoption of e-commerce solutions over the last two years has skyrocketed as customers embrace seamless online shopping experiences from the comfort of their homes. Alongside this, retailers are now handling rising volumes of sensitive customer data like personal information and payment details as they look to deliver innovative online shopping experiences.
However, cyber threats are also on the rise, with Tenable’s latest Threat Landscape Retrospective revealing over 40 billion records exposed worldwide in 2021, three billion of which were from APAC. Retail was one of the most targeted sectors in the region, and it has never been more important for Australian retailers to build cybersecurity measures into every new online shopping experience they roll out, so that customer data stays safe and secure.
Regularly reviewing software and legacy systems to pinpoint potential vulnerabilities
2021 saw countless headline-grabbing cyberattacks and vulnerabilities, and these incidents are only growing more complex. With many retailers regularly deploying new software to stay nimble and responsive to customer needs, their attack surfaces have expanded. As a first step towards stronger cybersecurity, retailers must carry out regular and comprehensive reviews of every application and program used in their day-to-day operations.
It is easy for a piece of software that was used once and then forgotten to linger in a retailer’s tech stack, creating blind spots an attacker can exploit. A complete inventory of every piece of software in use lets a retailer pinpoint legacy components that can be decommissioned, removing those attack paths outright. Just as importantly, the inventory shows which programs need regular patching, so they get the attention required to stay up to date instead of quietly opening attack paths nobody is watching.
Prioritise monitoring cloud-based services for misconfigurations and vulnerabilities
The adoption of cloud-based services will continue in the retail sector over the next decade. Cloud is the foundation of many improvements in retail and e-commerce, including processing more payments seamlessly, improving the user experience, and using customer data in real time to optimise different aspects of retail. The cloud helps industry players remain nimble. However, while more cloud-based services may mean less maintenance and fewer patching concerns, retailers must never assume these services fully protect consumer data once integrated: the provider secures the underlying platform, but the configuration, identities and data the retailer places on it remain the retailer’s responsibility.
When new cloud technologies are integrated into an existing infrastructure without proper security protections, the attack surface expands and data breaches become harder to detect. Much as with the regular review of software and legacy systems, retailers integrating more cloud services must examine the access management and trust relationships these services have with existing applications and programs. How these systems talk to each other, what information they share, and what permissions each one holds must be reviewed continuously so that misconfigurations are corrected and vulnerabilities removed.
Adopting a Zero Trust security framework for these cloud integrations is one way to achieve this. Zero Trust restricts access to applications, networks and data according to the identity of each staff member or external stakeholder and their need for it, and in the process gives a much clearer picture of which data is accessible to whom. With the right measures in place to track how new cloud systems integrate with existing applications, retailers can handle and store growing volumes of customer data with more confidence.
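The permission and trust-relationship review described above is something that can be scripted against the policy documents themselves. The following Python is an added example, not code from the article or from Tenable: it lints two kinds of AWS IAM policy, an identity policy (what a principal may do) and a role trust policy (who may assume the role), for the classic misconfigurations, namely wildcard actions on wildcard resources, a `Principal` of `*`, and a cross-account trust with no `sts:ExternalId` condition. The policies, bucket name, account IDs and external ID are constructed for the example.

```python
import json

# Constructed sample policies for the example (not real accounts or buckets).
# Account 111111111111 is "ours"; 222222222222 is a third-party vendor account.
WEAK_IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
     "Resource": "arn:aws:dynamodb:ap-southeast-2:111111111111:table/orders"}
  ]
}
""")

TIGHT_IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-orders-bucket/*"},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
     "Resource": "arn:aws:dynamodb:ap-southeast-2:111111111111:table/orders"}
  ]
}
""")

# Trust policy letting a vendor account assume a role in ours, with and
# without the ExternalId that protects against the confused-deputy problem.
WEAK_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}
  ]
}
""")

TIGHT_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-1234"}}}
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_external_id(stmt):
    """True if any Condition operator block constrains sts:ExternalId."""
    return any("sts:ExternalId" in block
               for block in stmt.get("Condition", {}).values())


def review_identity_policy(policy):
    """Flag Allow statements whose action or resource scope is a wildcard."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        service_wide = [a for a in actions if a.endswith(":*")]
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        elif service_wide and "*" in resources:
            findings.append(f"statement {i}: service-wide actions {service_wide} "
                            f"on Resource '*'")
    return findings


def review_trust_policy(policy, own_account):
    """Flag trust statements that let anyone, or another account without an
    ExternalId, assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws_principals = (_as_list(principal.get("AWS")) if isinstance(principal, dict)
                          else _as_list(principal))
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {i}: Principal '*' lets any AWS identity "
                                f"assume the role")
                continue
            # ARN form: arn:aws:iam::ACCOUNT:root; a bare account ID is also valid.
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account != own_account and not _has_external_id(stmt):
                findings.append(f"statement {i}: cross-account principal {p} "
                                f"without an sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    for name, findings in [
        ("weak identity", review_identity_policy(WEAK_IDENTITY_POLICY)),
        ("tight identity", review_identity_policy(TIGHT_IDENTITY_POLICY)),
        ("weak trust", review_trust_policy(WEAK_TRUST_POLICY, "111111111111")),
        ("tight trust", review_trust_policy(TIGHT_TRUST_POLICY, "111111111111")),
    ]:
        print(name, "->", findings or "no findings")
```

Run against the policies exported from an account (for example the output of `aws iam get-role` and `aws iam get-policy-version`), this flags the weak policies and passes the tightened ones. A `Resource` of `*` paired with specific actions is deliberately not flagged, because some read-only actions genuinely require it; those still deserve a manual look.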
Setting employees up for success
Sometimes all it takes is an employee accidentally clicking on a rogue link in an email sent by a malicious actor to cause a major cyber incident that compromises business and customer data. Between January and June 2021, human error stood out as a major source of breaches in Australia, accounting for 134 notifications to the Office of the Australian Information Commissioner (OAIC).
However, incidents like this can be minimised by training staff to recognise when malicious actors are trying to capture their credentials, and by regular education on the protocols for accessing and managing sensitive customer data. On top of this, additional layers in the login process for employees accessing critical systems, such as phishing-resistant multi-factor authentication, are crucial for retailers facing increasingly complex cyberattacks. This deeper level of authentication goes beyond simply entering a username and password by requiring a factor the attacker does not hold, such as a biometric scan on a registered device, and reduces the likelihood that a stolen password alone leads to a breach.
As Australian retailers continue to innovate with more sophisticated online shopping experiences, their cybersecurity measures must keep pace so that customer and business data, devices and tech infrastructure are not left open to compromise. With the threat landscape constantly changing and cyberattacks continuing to increase, retailers must stay vigilant: regularly review legacy systems and new cloud-based infrastructure for potential vulnerabilities, and train employees in cybersecurity and data-handling best practice.
Scott McKinnel is country manager for Australia and New Zealand at Tenable.