With the explosive growth of online shopping, retailers have become a primary target of cybercriminals. Retailers reported a 75% increase in the rate of ransomware attacks over the last year, according to the State of Ransomware in Retail 2022 report by Sophos.
The report found that 77% of retail organisations were hit in 2021, up from 44% in 2020. And only 28% of retail respondents said they were able to stop an attack before attackers encrypted their data, which is below the global average of 31%. The average recovery cost from a ransomware attack in the retail sector was $1.27 million, and the average ransom payment was $226,044.
Retailers are a high-value target because downtime is incredibly damaging for them, and they are more inclined to pay—and pay quickly—if an attack brings down their systems and halts sales. This is particularly true during the Christmas period, a crucial sales season for most retailers. Attackers also target retailers to get hold of customer payment details and other personal data, which they use to commit purchase fraud and identity theft or sell to scammers on the dark web.
With ransomware attacks on the rise and their impact growing more severe, retailers must take steps to ensure they can respond swiftly and effectively to an attack and limit the damage. Here are three ways retailers can better repel bad actors:
1. Practice good cyber hygiene
Good cyber hygiene requires ongoing effort. You should have a programme that continuously reminds employees of strong security practices. You should monitor your operating systems and other software to ensure they are regularly updated and patched. You should also protect your network with best-in-class security solutions, including firewalls, endpoint security, multifactor authentication (MFA) and privileged access management (PAM), to name a few.
Last but not least, you should implement an effective backup and recovery plan. Retailers with a backup and recovery plan in good working order are less likely to suffer significant damage and data loss from an attack. A solid plan includes regular testing of your backup images so you can identify and fix any issues before they cause problems.
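The backup testing described above can be made routine by recording a digest and capture time for every image when the backup job runs, then re-checking the stored images on a schedule. The following is an added illustration, not code from the original article or from any vendor product; the image names, inline bytes and the one-day recovery point objective are constructed for the example.

```python
import hashlib

RPO_SECONDS = 24 * 3600   # assumed recovery point objective: a fresh image every day

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(images: dict, taken_at: dict) -> dict:
    """Record each image's digest and capture time when the backup job runs."""
    return {name: {"sha256": sha256(data), "taken_at": taken_at[name]}
            for name, data in images.items()}

def verify_backups(manifest: dict, images: dict, now: float,
                   rpo: float = RPO_SECONDS) -> dict:
    """Classify each manifest entry as ok, missing, corrupt or stale.
    corrupt: stored bytes no longer match the digest taken at backup time
    (silent overwrite, bit rot, encryption); stale: older than the RPO allows."""
    results = {}
    for name, entry in manifest.items():
        data = images.get(name)
        if data is None:
            results[name] = "missing"
        elif sha256(data) != entry["sha256"]:
            results[name] = "corrupt"
        elif now - entry["taken_at"] > rpo:
            results[name] = "stale"
        else:
            results[name] = "ok"
    return results

# Constructed sample data: hypothetical image names with inline bytes standing in
# for real backup files, so the check runs offline.
T0 = 1_700_000_000.0
GOOD_IMAGES = {
    "pos-db.img": b"constructed point-of-sale database image",
    "web-store.img": b"constructed storefront image",
    "inventory.img": b"constructed inventory image",
}
TAKEN_AT = {"pos-db.img": T0, "web-store.img": T0,
            "inventory.img": T0 - 3 * 24 * 3600}   # last good copy is three days old
MANIFEST = build_manifest(GOOD_IMAGES, TAKEN_AT)

def simulate_test_restore() -> dict:
    """What a scheduled restore test would report after an incident."""
    on_disk = dict(GOOD_IMAGES)
    on_disk["pos-db.img"] = b"overwritten after the backup was taken"   # digest mismatch
    del on_disk["web-store.img"]                                        # image gone
    return verify_backups(MANIFEST, on_disk, now=T0 + 3600)
```

Any result other than "ok" is a finding to fix before the backup is needed, which is exactly the point of testing the plan rather than only having one.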
2. Consider cyber insurance
Cyber insurance offers to compensate policyholders for losses and penalties caused by cyberattacks. In today’s environment, it’s a must-have for businesses. The average cost of a data breach in 2021 was over $4 million, according to a report by IBM and the Ponemon Institute, which is a cost many businesses can’t bear.
The Sophos report cited above notes that most retailers are now upgrading their defences with cyber insurance coverage. But if you don’t have it yet, it’s getting harder to find. Cyberattacks are getting so common and costly that insurance companies are starting to baulk. The compensation they have to pay out is higher than the premiums they can charge. So providers are cutting back on the number of cyber insurance policies they write and growing more selective about those companies they will insure.
Many companies that apply for cyber insurance are denied because they don’t meet the ever more stringent requirements. If you want to apply for cyber insurance, you’ll have a much better chance of getting it if you research and learn the current requirements. A common one now is effective cybersecurity measures, such as a solid data backup and recovery plan. This will help convince insurers that your business is not a bad risk.
Retail organisations, like other organisations, should look for a data backup, recovery and immutable storage solution that safeguards information continuously by taking snapshots every 90 seconds. You can still recover your information even if cybercriminals overwrite your data.
3. Put your trust in zero trust
Retailers have a heavy security burden. Like other businesses, they must protect themselves from internal and external threats. They must ensure that their employees follow security protocols and that their customers are real customers, not hackers or fraudsters. At the same time, they must make it easy for shoppers to shop or risk the possibility that they’ll go elsewhere. They also must protect customer data, such as credit card information.
‘Zero trust’ is an increasingly popular cybersecurity philosophy that can help your retail business handle that burden. A zero-trust model is what the name implies. It assumes that any user might be up to no good and grants just enough privilege, just in time, for users to perform their tasks and operations—and nothing more. With zero trust, only the minimum permissions are granted, at the right time, to get a job done. You can then revoke those permissions immediately after the transaction is completed.
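The just-in-time, least-privilege model described above can be sketched as a small access broker that issues narrowly scoped, time-boxed grants and re-evaluates every request. This is an added example, not code from the original article; the broker class, the cashier identifiers, the action names and the five-minute lifetime are all hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Grant:
    user: str
    scope: frozenset      # the only actions this grant permits
    expires_at: float
    revoked: bool = False

class JitAccessBroker:
    """Hypothetical zero-trust broker: default deny, narrowly scoped, time-boxed grants."""
    def __init__(self, ttl_seconds: float = 300):
        self.ttl = ttl_seconds
        self.grants: dict = {}
        self.audit: list = []   # every decision is recorded for later review
    def request(self, user: str, actions: set, now: float) -> str:
        """Issue a grant for exactly the requested actions; it lapses after ttl."""
        grant_id = f"{user}-{len(self.grants) + 1}"
        self.grants[grant_id] = Grant(user, frozenset(actions), now + self.ttl)
        self.audit.append(("grant", grant_id, sorted(actions)))
        return grant_id
    def is_allowed(self, grant_id: str, user: str, action: str, now: float) -> bool:
        """Re-check on every call: grant must exist, match the caller, be live and cover the action."""
        g = self.grants.get(grant_id)
        ok = (g is not None and not g.revoked and g.user == user
              and now < g.expires_at and action in g.scope)
        self.audit.append(("allow" if ok else "deny", grant_id, user, action))
        return ok
    def revoke(self, grant_id: str) -> None:
        """Withdraw the grant the moment the transaction completes."""
        if grant_id in self.grants:
            self.grants[grant_id].revoked = True
            self.audit.append(("revoke", grant_id))

def refund_workflow() -> dict:
    """Constructed scenario: one cashier processes one refund, then loses the privilege."""
    broker = JitAccessBroker(ttl_seconds=300)
    t = 1_700_000_000.0
    gid = broker.request("cashier-17", {"refund:create"}, now=t)
    results = {
        "refund_during_task": broker.is_allowed(gid, "cashier-17", "refund:create", t + 10),
        "unrelated_action": broker.is_allowed(gid, "cashier-17", "inventory:delete", t + 10),
        "other_user_reusing_grant": broker.is_allowed(gid, "cashier-23", "refund:create", t + 10),
        "after_ttl_expiry": broker.is_allowed(gid, "cashier-17", "refund:create", t + 301),
    }
    broker.revoke(gid)   # refund done: drop the permission immediately
    results["after_revoke"] = broker.is_allowed(gid, "cashier-17", "refund:create", t + 20)
    return results
```

Only the first check succeeds; the audit list the broker keeps is what a security team would review to spot grants that were never revoked or were used outside their scope.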
Zero trust also works for data backup, and the good news is that it can be implemented for backup simply by extending the security measures already in your network. By adding this extra layer of security, retail businesses can minimise damage if a data breach or cyberattack occurs. Even if determined cybercriminals gain access to your database and get hold of usernames and passwords, they will likely not be able to penetrate that extra layer of defence.