It’s been a tough year for Australian retailers thanks to COVID. Now, with restrictions eased and Christmas looming, retailers are facing supply challenges and COVID-induced staff shortages. However, despite these headwinds, the Australian Retailers Association (ARA) and research partner Roy Morgan are predicting this year’s pre-Christmas spending will reach $58.8 billion, broadly matching last year’s levels and sitting at 11.3 percent above 2019’s pre-pandemic level.
With enormous sums of money flowing through retailers’ systems — the vast majority of it electronically — these systems present tempting targets for cyber criminals. According to Verizon’s 2021 Data Breach Investigations Report, “The retail industry continues to be a target for financially-motivated criminals looking to cash in on the combination of payment cards and personal information.”
In early November, MediaMarkt, Europe’s largest consumer electronics retailer with over 1,000 stores, was hit by ransomware and a demand for an eye-watering $US240m ransom, according to one report. Another put the figure at $US50m. The company shut down IT systems, disrupting store operations in The Netherlands and Germany.
In May 2020, Sydney sporting goods retailer IN SPORT reported it had been hit by ransomware. Its online systems, run by Shopify, were unaffected but the head office was taken offline, and the company was unable to assure customers their personal information had not been exfiltrated. A week after IN SPORT revealed the attack, a cache of documents purported to be from the company was published on the dark web.
Fail to prepare, prepare to fail
Retailers hit with ransomware face challenges other than dealing with the impacts of the attack and the demands of the cybercriminals. It is vital to communicate appropriately with any partners and third-party suppliers whose information might have been compromised, not just customers!
A communication plan is needed and, once developed, should not be filed and forgotten. It must be practiced and updated regularly.
Regulatory compliance is key
Any retailer or business that stores, processes or transmits credit card data is required to comply with the Payment Card Industry (PCI) Data Security Standards, set by the major credit card providers. Failure to do so can incur heavy fines.
The Australian government notes that “All Australian businesses that accept card payments need to comply with the PCI DSS regardless of business size.” Retailers must be aware that PCI compliance requirements differ between each payment provider.
Knowledge is power
To ensure robust and ongoing protection against ransomware, it’s important that retailers regularly audit their networks and applications to identify and remedy any weaknesses.
Software vulnerabilities are prime targets for ransomware attackers. It is essential that retailers understand their software and its intended functions, and confirm it is performing those functions and no others.
Specifically, retailers should look for security tools that protect during runtime. These tools automatically monitor applications in the background (without requiring any downtime), check any activity against what is normal for that application, and block anything suspicious, providing robust protection against ransomware and stopping attackers before they get the chance to do any damage.
We can expect ransomware attacks to surge over the next two months, but ransomware presents a serious and ongoing threat beyond Christmas and the holiday season. It’s important that retailers reduce their attack surface now, to ensure they are compliant with evolving regulations and prepared to face threats in the new year.
Robert Nobilo is regional director for Australia and New Zealand at Virsec.