When the pandemic hit, retail stores lay dormant as millions of consumers were confined to their homes. To survive amidst lockdowns and economic uncertainty, retailers had to act quickly to prioritise online channels.
Bricks-and-mortar-only businesses quickly launched new online presences, while companies with multi-channel approaches refocused all their digital efforts to maintain sales performance. According to the latest Australia Post report, Australians turned to online shopping like never before, with more than 80% of Australian households purchasing something online. This led to a record $62.3 billion in online spending, driving national year-on-year growth to 12.3%.
The fast move online had a ripple effect on Australian retailers’ exposure to cyber-attacks.
Whilst Australian retailers have always been a key target for cybercriminals, as they handle their customers’ banking details and payments daily, the Australian Cyber Security Centre recently revealed a 13% increase in online crimes last year, with fraud and online shopping scams topping the list.
While retailers’ own security postures are clear, as they have strict payment security compliance rules to follow, like the Payment Card Industry Data Security Standard (PCI DSS), to protect the Personally Identifiable Information (PII) they process daily, can the same be said for that of their suppliers?
As part of building and maintaining the infrastructure required for an ecommerce platform, one of the challenges facing retailers is that they are required to use a multitude of technologies from different third-party suppliers. This includes network carriers, hosting platforms and/or payment gateways alongside the company’s website, mobile applications and other customer channels. Additionally, retailers have to think about customer experience and use tools like real-time inventory tracking and artificial intelligence chatbots.
This scenario illustrates why the risk of a cybersecurity breach for retailers is immediately elevated: every one of those third parties is a potential cyber defence gap in the supply chain.
Planning ahead around security
For retailers to track security across their operations, they must have an accurate view of all their assets – internal and external – and take a risk-based approach to their security accordingly. Without this insight, it is impossible to maintain an effective security strategy that keeps customers’ PII secure.
The biggest challenge is keeping that asset list accurate – from individual desktop machines and internal servers through to web applications, cloud instances and all those external suppliers. You must ensure assets are reviewed and kept up to date regularly. With so many changes taking place all the time across those assets, it is easy to miss where updates are needed and to risk compliance failure.
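As an added illustration of keeping that list accurate (example code written for this page, not from the article or Qualys), the snippet below reconciles a declared asset inventory, suppliers included, against what is actually observed on the network or in the cloud console, and flags unregistered assets, decommissioned entries and overdue reviews. All asset names, owners and dates are constructed.

```python
from datetime import date, timedelta

# Constructed sample data: the inventory the security team maintains, keyed by
# asset name, and the set of assets actually observed (e.g. exported from a
# network scan, cloud API or DNS zone). Third-party suppliers are tracked too.
DECLARED = {
    "shop-web-01":  {"kind": "server",   "owner": "ops",       "pii": True,  "last_reviewed": "2021-04-02"},
    "payments-gw":  {"kind": "supplier", "owner": "security",  "pii": True,  "last_reviewed": "2020-11-15"},
    "marketing-db": {"kind": "database", "owner": "marketing", "pii": True,  "last_reviewed": "2021-05-20"},
    "chatbot-saas": {"kind": "supplier", "owner": "cx",        "pii": False, "last_reviewed": "2021-05-01"},
    "old-test-vm":  {"kind": "server",   "owner": "dev",       "pii": False, "last_reviewed": "2021-01-10"},
}
OBSERVED = {"shop-web-01", "payments-gw", "marketing-db", "chatbot-saas", "staging-db-copy"}


def reconcile(declared, observed, today, max_review_age_days=90):
    """Compare the declared inventory with what is actually observed.

    Returns the three lists a reviewer needs: assets seen but never registered
    (shadow IT, an ad-hoc data copy or an undocumented supplier), registered
    assets no longer seen (decommissioned without updating the list), and
    entries whose periodic review is overdue, PII-handling assets first.
    `today` is an ISO date string so the report is reproducible.
    """
    cutoff = date.fromisoformat(today) - timedelta(days=max_review_age_days)
    unknown = sorted(set(observed) - set(declared))
    missing = sorted(set(declared) - set(observed))
    stale = [
        name for name, rec in declared.items()
        if date.fromisoformat(rec["last_reviewed"]) < cutoff
    ]
    # PII-handling assets are the compliance-critical ones, so surface them first.
    stale.sort(key=lambda name: (not declared[name]["pii"], name))
    return {"unknown": unknown, "missing": missing, "stale_review": stale}


if __name__ == "__main__":
    report = reconcile(DECLARED, OBSERVED, "2021-06-30")
    for category, names in report.items():
        print(f"{category}: {', '.join(names) or 'none'}")
```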
For internal assets and applications, this involves checking for vulnerabilities or potential misconfigurations. For example, customer data may be securely held in the application used for managing accounts and payment information. However, that data might also be copied to use in a marketing application or for testing. When this happens, those secondary applications may be less secure. Developers may also put data into a new database for ease of use but not consider security best practices, like changing default security settings or enforcing access control.
Another issue might arise where a software vulnerability is discovered in the web application or ecommerce product used. In these circumstances, patching and applying updates is necessary, but it can be hard to schedule downtime when those applications are responsible for generating revenue around the clock.
Scanning for internal vulnerabilities should be an ongoing process across any endpoints, web applications and cloud infrastructure to ensure issues are detected before they become risks and prevent a breach. However, how these issues are managed will be crucial to the outcome.
For many retailers, vulnerability management is the security team’s responsibility, but patching or applying updates falls on IT operations, application development teams or even those third-party providers. Security teams, therefore, must ensure recommendations and any mitigating security processes are carried out to prevent problems.
Alongside this internal focus, Australian retailers must examine security processes and priorities conducted by their suppliers.
They must ensure that their security team talks to any third-party provider that will handle PII and check they follow best practices for data security around access control, encryption and management. Additionally, they need a strong legal contract that defines the provision for security management and reporting they should have in place.
In security, the ‘trust but verify’ approach is the most common mindset. However, while this approach is needed, it can easily fail if it is not applied continuously across all operations and over time.
Establishing a clear internal methodology applied by all suppliers and third parties, including agreed minimum standards, regular audits, and a zero-trust approach to security across all operations, is key to ensuring Australian retailers’ data and customers’ PII is regularly verified and protected.
Being ‘online’ means you have deliberately exposed your business to the internet. Knowing immediately if you have made a mistake in a configuration, or when a service becomes insecure, is key so you can quickly resolve it. Threat actors act fast, but a well-executed security plan means you can likely act faster.
Simon Ractliffe is regional vice president for ANZ at Qualys.