In the aftermath of recent cyberattacks on the UK’s retail industry, it’s apparent that many firms, including big household names, lack the cyber resilience and operational readiness to withstand the increasing number of threats, says Glenn Akester, Technology Director for Cyber Security & Networks at Node4.

As far as is known, M&S suffered the most, left reeling from the ramifications of ransomware. With online ordering suspended for weeks, its profit losses are predicted to exceed £300 million. The Co-op also only narrowly averted getting locked out of its computer systems, according to the BBC. While Harrods reported it had been targeted too, it minimised disruption by taking swift, decisive action.

Technically simple, socially sophisticated

Just two weeks later, news of further attacks on stores in the U.S. started appearing, highlighting the extent of the inherent security weaknesses in retail environments.

It is evident these are not technically sophisticated attacks, but they are socially adept and deceptively simple. In some cases, bad actors are simply calling staff, pretending to be from the company’s IT helpdesk and asking for log-in credentials or for approval of an MFA request. It appears that simple, but behind it is a deliberate manipulation of human trust and behaviour.

Then there is an array of tried-and-tested techniques that still come up trumps for attackers. These include tricking users into handing over passwords via email (phishing), using passwords harvested from past breaches (credential stuffing), bombarding employees with log-in prompts to approve authentication (MFA fatigue) and intercepting or stealing cookies and tokens that enable log-in sessions (hijacking).

There is little new in the techniques themselves, but attackers are clever in how they exploit them. These methods continue to reap rewards because they rely on human fallibility. It only takes one momentary lapse to launch ransomware or give an attacker the security details they need.

Protecting a complex and vast attack surface

What makes this problem especially difficult for retailers – and attractive to criminals – is the distributed nature of business operations. Having large environments with many endpoints, operating 24/7 and relying on complex, interconnected supplier ecosystems, creates a vast attack surface to protect. Add to this high staff turnover – and significant numbers of temporary and seasonal staff – and the result is varying standards of cyber security awareness, training and commitment to security obligations.

Cyber criminals, on the other hand, are highly motivated and switched on, driven by the potential extortion value of customer data. They will go after personal information within financial, customer and marketing platforms, including transaction histories, loyalty schemes and contact data. Commercially savvy, hackers are also aware that retailers are immediately impacted by such breaches, both financially and reputationally, and are therefore likely to succumb to ransomware ultimatums.

Changing outdated security thinking and practices

The situation is further complicated as many retail organisations continue to operate under the misapprehension that anything inside their network is safe, and only the perimeter needs defences. But it’s a false sense of security, as once an attacker gets hold of credentials they can move laterally through a network, elevating permissions and gaining access to the most sensitive data, systems – and even backups. At this point, containment is extremely difficult.

Retailers must strengthen internal cyber resilience on the premise that ransomware or malicious actors will get through eventually. What matters most is being able to spot an intrusion immediately, contain damage and recover quickly.

To reach this level of resilience, retailers need to have a comprehensive understanding of where data resides, who has access, and how authentication is managed. Implementing a zero trust strategy and architecture helps instil a ‘trust no-one’ attitude by continuously verifying identity through passwords combined with multi-factor authentication and contextual and behavioural analytics. Least privilege access can be enforced to restrict how far an attacker can progress if they gain access to the network. Additionally, real-time monitoring of applications will flag suspicious activity and temporarily shut down users or applications for further investigation.
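As an added example (not code from the article or from Node4), the detection logic below illustrates the MFA fatigue technique described earlier and the kind of real-time monitoring that flags a user for investigation: it scans constructed authentication log lines for a burst of push prompts followed by an approval. The log format, field names, window and threshold are all assumptions.

```python
"""Flag possible MFA fatigue: many push prompts in a short window, then an approval."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format; not from any real system).
# Fields: ISO timestamp, user, event, source IP.
SAMPLE_LOG = """\
2025-05-01T08:00:05 user=jsmith event=mfa_push_sent ip=203.0.113.7
2025-05-01T08:00:40 user=jsmith event=mfa_push_denied ip=203.0.113.7
2025-05-01T08:01:10 user=jsmith event=mfa_push_sent ip=203.0.113.7
2025-05-01T08:01:50 user=jsmith event=mfa_push_timeout ip=203.0.113.7
2025-05-01T08:02:15 user=jsmith event=mfa_push_sent ip=203.0.113.7
2025-05-01T08:02:30 user=jsmith event=mfa_push_sent ip=203.0.113.7
2025-05-01T08:02:55 user=jsmith event=mfa_push_approved ip=203.0.113.7
2025-05-01T08:05:00 user=apatel event=mfa_push_sent ip=198.51.100.4
2025-05-01T08:05:20 user=apatel event=mfa_push_approved ip=198.51.100.4
"""


def parse(log):
    """Turn each 'time key=value ...' line into a dict with a datetime."""
    events = []
    for line in log.splitlines():
        fields = line.split()
        ev = dict(f.split("=", 1) for f in fields[1:])
        ev["time"] = datetime.fromisoformat(fields[0])
        events.append(ev)
    return events


def detect_mfa_fatigue(log, window=timedelta(minutes=5), threshold=3):
    """Return {user: finding} for every user who approved a push after
    receiving at least `threshold` prompts inside the sliding `window`.
    The 'action' value is the containment step a monitoring tool would take."""
    findings = {}
    prompts = defaultdict(list)  # user -> timestamps of recent push prompts
    for ev in parse(log):
        user, now = ev["user"], ev["time"]
        if ev["event"] == "mfa_push_sent":
            prompts[user].append(now)
            # drop prompts that have fallen outside the window
            prompts[user] = [t for t in prompts[user] if now - t <= window]
        elif ev["event"] == "mfa_push_approved" and len(prompts[user]) >= threshold:
            findings[user] = {"prompts": len(prompts[user]),
                              "action": "suspend_session_and_alert"}
    return findings
```

A normal single prompt followed by approval (the second user above) produces no finding; only the burst-then-approve pattern is flagged for investigation.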

Importantly, authentication procedures and monitoring should be extended to the wider supply chain to ensure there are no weak links. All third parties should only be given minimal, appropriate access to systems, and their permissions should be withdrawn as soon as they are no longer required.

Cyber defence can’t be a ‘one and done’ exercise

It is also vital to remember that cyber security resilience is never a one-off exercise. Tools and programmes require regular and rigorous testing, using both internal and external red teaming resources. Staff training is another key component: it ensures teams are primed to act effectively when a security incident occurs, before it becomes much more serious.

Finally, having an incident response plan is vital to minimise disruption as, although it is possible to recover eventually from a major breach, avoiding the cost and upheaval makes much better commercial sense.

But this requires a concerted effort to change the traditional mindset and get universal buy-in to introduce new processes and appropriate detection technologies. This must be supported at board level, as cyber resilience directly impacts profits, brand reputation and future success. It is no longer just an IT security issue, it is now a business imperative.

Glenn Akester is Technology Director for Cyber Security & Networks at Node4.

Node4 is a Cloud and Data Centre specialist technology provider.