Cybercrime and the retail industry: How to protect your shop

There may once have been a time when the only crime that retail businesses were particularly vulnerable to was shoplifting from physical stores. Sadly, as technology advances and the world becomes increasingly digitally interconnected and technology-dependent, cybercrime is fast emerging as a major threat to retail.

A prevailing conception amongst many members of the public is that cybercrimes such as hacking and the use of ransomware only tend to target large corporations and major institutions who can afford to pay significant extortion demands. However, according to Verizon’s 2021 Data Breach Investigations Report, 28% of data breach victims are small businesses and between the summers of 2020 and 2021, it is estimated that 1 out of every 8 retail businesses in the UK suffered a cyber attack.

The world of cybercrime is a fast-evolving environment, and even businesses with the best intentions to secure their systems can lag behind the curve when it comes to being effectively protected, as Donald Toon of the National Crime Agency explained:

As the rewards for perpetrating cyber crime become greater, the need for businesses to focus on cybersecurity has become acute.

So, what are the risks posed to retailers by cybercrime, and most importantly, what can you do to protect your business?

The threat of retail cybercrime

Point of sale (POS) attacks

In an increasingly cashless age, one thing that just about all retailers have in common is the use of a card payment system, for both credit and debit cards. Card payment systems may have streamlined the sales process, but they have brought with them opportunities for cyber criminals to target retail establishments.

With most retail sales, both online and instore, now conducted by card - cash sales are expected to account for just 7% of transactions by 2024 - the point of sale now exists in a digital space.

Cyber criminals target card payment systems, both online and offline to steal customers’ private card details using a variety of methods, including:

• Malware and spyware - Usually downloaded onto a computer through a phishing email, these malicious softwares steal private card details from a user as they engage in online shopping.
• Skimming - A low-fi method by which a criminal physically attaches a device to a point-of-sale device such as a card reader, cloning the card details.
• RFID Skimming - Utilising the technology that allows contactless payment, criminals use devices enabled with near-field communications to steal unencrypted card information from unsuspecting shoppers.

Instore vs online threats

The COVID-19 pandemic saw a large-scale rush on behalf of businesses to move their retail sales online, with consumers staying away from bricks-and-mortar stores. Furthermore, public health measures meant that many physical stores had to shut for long periods of time. As a result of this, online retail sales increased by 48% during the height of the pandemic.

Concurrently, Techrepublic reports that cyber crime against retail businesses has risen by 41% during the global COVID-19 pandemic.

While it is easy to see some correlation between the rise in online shopping and the increase in cyber attacks against retailers, the threat of cyber crime is just as real for businesses that run physical stores, as it is for eCommerce retailers. However, there are certain differences between how in-store and eCommerce retailers should approach cyber risk mitigation.

Because of tactics such as card skimming and RFID skimming (mentioned above), physical bricks-and-mortar shops are particularly at risk of point of sale attacks, especially if they use unsecured wifi networks.

Online eCommerce retailers, conversely, are more likely to find themselves at risk of ransomware extortion because of the more extensive digital structure needed to support an online store. The larger an eCommerce retailer’s website and customer base, the more data exists to potentially be encrypted by criminals using ransomware.

Ransomware

In point-of-sale attacks that target card payment systems, the object of the attack is to steal data that is intrinsically valuable to the criminal, such as customers’ private card details. With ransomware attacks, criminals use a type of malicious software that encrypts victims’ data, allowing cyber criminals to demand extortion payments in exchange for releasing the data. The data in question here is often not necessarily directly valuable to the criminal, but is of such value to a business that owners are willing to pay for its release.

There is a common misconception that ransomware is primarily an issue that affects large corporations and government-level organisations with the capital and insurance policies in place to pay eye-wateringly large sums to unlock their data. This, however, is not an accurate reflection of the ransomware threat.

According to Sophos’ State of Ransomware in Retail 2021 report, 44% of retail businesses were hit by a ransomware attack in 2020, with more than half of those attacks succeeding in encrypting their data. The reality is that small businesses and retailers are routinely targeted by cyber criminals using ransomware, with a higher percentage of attacks successfully encrypting data of victims in the retail sector than in any other industry.

The principle ways in which your retail business may become the victim of a ransomware attack include:

• Removable media - devices such as USB flash drives can be injected with malicious software which, when plugged into your device can deploy ransomware to your entire network.
• Remote desktop protocol - This is the protocol that allows IT administrators to remotely access systems. Cybercriminals can crack login credentials and impersonate administrators to deploy ransomware.
• Phishing - a more traditional form of infiltration where the malicious software infiltrates a machine and a business’ entire system via a link or attachment in a phishing email.

What can retail businesses do to avoid risk?

Employee training

Unlike office-based businesses, small retailers may think that the nature of their business makes them less likely to be targeted by cyber criminals via email phishing. Quite the opposite is true. Because small retailers are less likely to be adequately protected against cyber attacks, they are seen as easy targets for cyber criminals.

In instances of social engineering, cyber criminals rely on human error to attack a business’ systems. By impersonating suppliers, employees or other authority figures inside your business, cyber criminals send phishing emails that, if clicked on, can install malicious software (malware) on your business’ systems, compromising sensitive information.

Every business, however large or small, should routinely train employees to recognise the most common and recent phishing scams, as well as the tell-tale signs of a fraudulent email:

• Requests for payment for an outstanding invoice or debt
• Poor spelling or grammar and unprofessional language
• Suspicious attachments
• A countdown or time-limited sense of urgency (eg. “You have 24 hours to provide this information or your account will be closed”)
• Generic greeting style - ie. a greeting that does not address you or your business by name

In a small retail business with only a handful of employees, it should be relatively easy to confirm if an email purporting to be from another employee is genuine, but this task becomes harder for larger shops or chains, with multiple different branches and an online presence. Vigilance is key and anti-phishing training can help reduce your retail business’ risk of exposure.

Insurance

As the owner of a retail business, there are several different types of insurance that can benefit your company and can shield you from various risks associated with trading.

Whether it is the legal requirement of employers’ liability insurance, or product liability insurance to protect your retail business against compensation claims because of faulty or dangerous stock, many small retailers understand the value of comprehensive insurance.

Amongst the range of policies that retailers often take out to protect the whole of their business are:

• Business contents insurance - Covers your electronic equipment on site, as well as your stock, against theft or damage.
• Business interruption insurance - Covers unexpected stoppages in your business activity, meaning your cash flow is not affected by unforeseen downtime.
• Public liability insurance - Protects your business against claims made by members of the public because of injury or property damage in your retail premises.

This extensive range of insurance policies can go a long way to protecting your business, but we live in a digital world and this can present a large area of additional risk.

When it comes to cyber threats, many businesses see cyber cover as an unnecessary expense and are not adequately insured against the risk of cyber attack. Indeed, as of 2019, the Association of British Insurers found that just 11% of businesses in the UK have cyber cover, while 31% of small businesses experience some form of cyber breach.

This lag between the threat posed and the number of businesses covered means that more and more small enterprises are at serious risk. To counter this, Superscripts offers an extensive cyber insurance policy that forms part of our tailored shop insurance product for retailers.

Ensure you are PCI DSS compliant

As any shop owner who accepts card payments should know, there are stringent rules and guidelines set out by the leading card issuers, known as the Payment Card Industry Data Security Standard (PCI DSS), designed to help keep customers’ private card details secure.

Breaches of the PCI DSS can lead to fines of between £3,000 and £60,000, so actively ensuring your card system is secure can offer you and your customers peace of mind, and potentially save you money in the longer term.

When it comes to ensuring your business is PCI DSS compliant, you firstly need to know which of the four compliance level your business fits into:

• Level 1: Businesses processing over 6 million card transactions annually.
• Level 2: Businesses processing between 1 and 6 million transactions annually
• Level 3: Businesses processing between 20,000 and 1 million transactions annually
• Level 4: Businesses processing fewer than 20,000 transactions annually

Under this framework, most smaller retail businesses will fit into levels 3 or 4 of the framework and are therefore entitled to become PCI DSS compliant by filling in a self assessment questionnaire.

Level 2 businesses can also file a self assessment questionnaire, while businesses in level 1 require an external audit performed by a Qualified Security Assessor (QSA).

Back up data on alternative servers

In the case of a ransomware attack on your business, even with comprehensive cyber insurance in place to cover extortion payments, backing up your data is still hugely important. Research has found that retail businesses that paid a ransom demand managed to recover, on average, roughly two-thirds (67%) of the data that was initially lost.

Sophos’ report on ransomware in retail also found that more than half (56%) of retailers who were successfully attacked by ransomware managed to restore their data from backups.

Businesses are recommended to keep two backups of their valuable data on separate systems, ideally with one of those systems being off-site or offline. That way, if your data is encrypted by ransomware, your business activities will not be overly disrupted and you can continue to trade.

You may also like

• Small business cybersecurity guide
• Internet of Things and cyber risks
• How to protect your business from cyber attacks