Retailers are a target
Retailers have become the target of choice for organized crimes that launch cyber-attacks to obtain payment card and personal information that can be used for fraudulent purchases and identity theft. News headlines of the cyber breach events of the past year are evidence of this.
Canadian businesses are not immune
Although reporting on specific cyber-attacks on Canadian businesses and retailers is limited, Canadian organizations have seen their share of cyber security breaches in 2014. A recent Globe & Mail article reported on a recent cyber security study indicating that 36% of Canadian businesses know for sure that they have been hit by a cyber security breach in the last 12 months.
Canadian businesses cannot afford to ignore cyber threats. A 2014 study by the Ponemon Institute that looked into the actual costs of a breach indicated that, in the retail sector, the cost is $105 per record. It also benchmarked that the average size of a breach was approximately 30,000 records. Therefore the average cost of a cyber security breach for the average retailers would be approximately $3.15 million.
Cyber-attacks that focus on retailers
Analysis from Verizon’s 2014 Data Breach Investigations Report indicates the three main cyber-attack patterns that were the cause of 74% of breaches on retailers were:
- Denial of Service
Attackers use an army of botnets to compromise the availability of networks and systems. Motives can vary:
Hactivists - may have a point to make
Organized crime - ransom requests
Organized crime – mask other hacking attempts
- Point-of-Sale Intrusions
Remote attacks on systems that handle payment card data. Organized crime is motivated in obtaining payment card or customer information. Payment card information will be used on forged cards or for fraudulent transactions. Customer information will be used for identity theft.
- Web application attacks
Exploit vulnerabilities in eCommerce sites to gain access. Phishing, brute force and SQL injection tactics are used. The primary target is payment card information.
Retailers can reduce the cost of a potential cyber security breach as well as their exposure to cyber security risk by following a few basic information security good practices.
Starting with recommendations from the Ponemon survey, a company can save an average of $42 per record breached by doing the following:
- Appointing a Chief Information Security Officer (CISO) – savings of $6.59/record
- Involving business continuity management - savings of $8.98/record
- Having a strong incident response plan – savings of $12.77/record
- Having a strong security posture – savings of $14.14/record
In response to the three main cyber-attack patterns Richter recommends the following:
Denial of Service
- Patching - Ensure servers are patched promptly. Many denial-of-service attacks take advantage of vulnerable components of an operating system.
- Anti-DOS Service - Deploy or subscribe to an Anti-DOS service. Periodically test the service in conjunction with an incident response plan to ensure it is working correctly.
- Deploy a defence in-depth architecture – Ensure your servers are effectively segregated behind firewalls on different network segments. Put servers containing critical data deep in the network behind multiple firewalls.
- Restrict remote access – Tightly control access by third-party companies to POS systems. This includes training your staff to identify illegitimate attempts to access the POS systems in stores.
- Change default settings – Ensure the various components that make up or service your POS systems are secured by changing default settings. This includes wireless networks, touch terminals, desktop servers, network servers, card readers and/or signature capture.
- Restrict activities on POS systems – Do not allow employees to surf the internet freely on POS systems.
- Use strong authentication – Consider using two-factor authentication for employee access to POS systems. • Use two-factor authentication – Consider using two-factor authentication for administrative access to the eCommerce platform.
Web application attacks
- Static content - Use static content management systems when possible.
- Enforce lock-out policies – Ensure that customers’ accounts lock out after a number of failed attempts. Provide an automated recovery avenue.
- Monitor outbound connections – Look for unnecessary out-bound activity from you web servers and other systems in the network. If it looks suspicious, investigate and contain the issue. Harden the web servers to only allow necessary services.
Richter can help
If your company is on the receiving end of a cyber-attack, or you want your company to be prepared, we can help. Our experts have experience in helping organizations prevent, detect, contain and respond to cyber threats.
In the media:
- The Globe and Mail, November 26, 2014
Canadian Retailers should be wary of hackers on Cyber Monday: expert