72 percent of UK retailers not ‘Cyber Secure’ in lead up to Christmas

December 11, 2014 Sophos Press Release

OXFORD, UK – December 11 2014: Sophos today announced the results of its 2014 Retail Security Barometer, revealing worrying gaps in cyber security and data protection across UK retailers during the busiest shopping period of the year.

The research, conducted for Sophos by Opinium, investigated the attitudes of 250 UK retail IT decision makers towards cyber security and consumer data protection. It reveals a significant gap between the level of security UK retailers believe they have and the level of security actually in place at retail establishments across the nation.

The research demonstrates that despite being aware of the increasing risks associated with cyber security and the implications a breach can have for both consumers and their own brand, retailers aren’t implementing an appropriate level of IT security or ensuring sufficient training is in place for sales staff to help stop credit card fraud and the theft of sensitive customer information, such as bank details and email addresses.

According to James Lyne, Global Head of Research, Sophos: “We’re now in the midst of the busiest time of the year for the retailers, so shops must ensure they have appropriate measures in place to prevent cyber crime. As recent data breaches show, it is critical that retailers protect customer data both from exposure in the public domain and from being quietly used in the background. Cyber criminals have clearly demonstrated systematic compromise of such organisations; it is clear that they are high on their priority list.”

The research reveals significant overconfidence in the retail sector, with 87 per cent of UK retailers confident that they have adequate security in place to protect customer data, and 86 per cent confident that they are able to protect their general network from the malware used by attackers to steal business and customer data.

However, the research also indicates that while confidence among retailers is high, in reality the vast majority – 72 per cent – have not implemented the basic encryption needed to safeguard business and customer data. The absence of even basic encryption, the control that protects data when other defences fail, highlights a significant and worrying gap in the cyber security strategies of UK retailers.

The majority of retailers acknowledge that they rely primarily on bare-bones protection, such as firewalls (77 per cent) and anti-virus (33 per cent). Emphasising perimeter protection like firewalls can be compared with closing the door of your house while leaving the windows open. And even those that rely on securing the perimeter do not defend their networks in depth: only 31 per cent indicate they have network protection beyond a firewall, and only 2 per cent have a comprehensive unified threat management (UTM) capability in place.

“In the lead up to Christmas, we can expect to see an increase in data breaches if retailers continue not taking the necessary steps to secure customer data,” said Mr Lyne. “For an industry responsible for holding and safeguarding so much sensitive customer data, it’s worrying to see the level of overconfidence and lack of awareness surrounding cyber security. This needs to be rectified if we are to adequately protect UK consumers. What amazes me is how often the breaches are the result of incredibly simple failures of policy, training or technology and not the result of cyber criminals being particularly clever.”

Statistics at a Glance:

  • 87 per cent of UK retailers are confident that they have adequate cyber security in place to prevent malicious data breaches
  • 72 per cent of UK retailers admit they have not implemented basic encryption security to safeguard business and consumer data
  • 14 per cent of UK retailers admit to not having the expertise necessary to implement basic cyber security measures
  • 40 per cent of UK retailers acknowledge they don’t know why they haven’t implemented basic cyber security measures
  • Only 2 per cent have a comprehensive unified threat management capability in place
  • 77 per cent rely only on perimeter-based protection such as firewalls and 33 per cent on anti-virus
  • Only 67 per cent of those who have fallen victim in the past have plans in place to further secure their IT systems in the future
  • Even fewer – 48 per cent – of those who haven’t previously been compromised have plans in place to enhance the security of their IT systems

“It won’t happen to me…” – The Ostrich Effect

The research reveals that the ‘Ostrich Effect’ is firmly in place as the UK retail sector continues to bury its head in the sand when it comes to cyber security.

In addition to the 72 per cent that admit to not having basic cyber security capabilities, half of retailers also have no contingency plans in place to deal with a data breach if they do fall victim to malicious hacking.

  • 48 per cent admitted to having no process in place to inform customers should their data be stolen
  • 34 per cent stated that the potential impact on brand reputation in the event of a data breach is a key driver for investing in IT security measures
  • 59 per cent of retailers are not very concerned that the risk of credit card fraud will increase in the lead up to Christmas

Email Address & Credit Card Vulnerability

The research found that email addresses were the most common form of data to be stolen. Credit card details were the second most common form of data stolen from UK retailers.

  • 23 per cent of UK retailers that have been victims of data breaches in the past identified email addresses as the most common form of data to be stolen
  • 10 per cent of UK retailers that have been victims of data breaches in the past admitted to losing customer bank/credit card details
  • 16 per cent of UK retailers do not have a plan in place in the event of customer credit card fraud taking place
  • 34 per cent of retailers did not have training in place to teach staff how to recognise credit card fraud
  • 56 per cent of retailers in London provide practical on-the-job training for point of sale staff in recognising credit card fraud
  • Only 35 per cent of retailers in the North provide practical on-the-job training for point of sale staff in recognising credit card fraud

Top 6 retail threats and what to do about them

Good security is simple security, so there are a few basic steps that retailers can take to drastically improve their security.

1. Targeted attacks: a common way in is to aim some credible emails at a specific area of the organisation. This might be invoice enquiries for accounts or undelivered courier items for office management.

Action: Ensure you have effective endpoint, network and email protection that filters out spam, malware and dangerous file types. In addition, train employees to be suspicious of emails, especially those that contain attachments, and to report any unusual emails or attachment behaviour to IT.

2. Legitimate-looking sites rigged with exploit kits: these try to work out in real time how to "crack" a PC, usually with some JavaScript or Flash that tries one known flaw after another until one works.

Action: Consider a patch assessment tool to ensure your operating system and applications are up to date with the latest security fixes. Most exploit kits see success due to exploits in software for which a patch is already available and just has not been deployed. And install endpoint protection software and/or a secure web gateway that can identify and block exploit kits before they infect your systems.

3. Access all areas: once in, the crooks want to move around your network so they can capture more than just one hapless user's passwords and confidential files. They want access to your back-end databases, your PoS network, your testing network (which may have temporary copies of live programs and data that isn't as secure as it should be, or have deliberately unpatched servers for troubleshooting), and more.

Action: Consider segregating your networks with next-gen firewalls that treat your internal departments as potentially hostile to each other, rather than having one big "inside" fenced off from the even bigger "outside." Put in place a device control strategy to identify and control the use of removable storage devices: not only does this help stop malware getting in, but combined with data loss prevention (DLP) it can also help stop personally identifiable information (PII) and intellectual property (IP) going out. Finally, implement full disk encryption, and encrypt sensitive data stored on servers or on removable media shared with business partners.

4. Remote access: you may want or need to allow remote access, maybe even for a third party, for example the vendor of your PoS system. Many breaches have been down to slovenly password practices by outside vendors.

Action: Consider implementing your own remote access service using a virtual private network (VPN) and requiring everyone to use two-factor authentication. Do a review of your purchase requirements and vendors with your procurement team if you have a more sizeable infrastructure.

5. Automated malware: If the crooks get in and leave behind malware to automate their dirty work, that malware is often programmed to keep "calling home" to one or more command-and-control servers to fetch further instructions and to exfiltrate (sneak out) what it has found since last time.

Action: Consider web filtering and a next-gen firewall with command-and-control traffic detection. This isn't as good as blocking the malware before it runs but it can neutralise (and will draw attention to) malware that would otherwise make off with your crown jewels. Numerous breaches this year would have been detected and thwarted far sooner with this in place.
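The "calling home" behaviour described above is detectable even without a signature for the malware, because automated check-ins tend to be far more regular than human browsing. The following is an added example, not Sophos code or part of the original release: a small Python script that groups constructed web-proxy log lines by source and destination and flags pairs whose connection intervals are nearly constant. The log format (timestamp, source IP, destination host, bytes out), the sample lines and the thresholds are all assumptions for illustration.

```python
"""Beacon (command-and-control check-in) detection over constructed proxy log lines.

Added example, not part of the original release. Assumed log format:
    <ISO-8601 timestamp> <src_ip> <dst_host> <bytes_out>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data, not real traffic. One host (10.20.1.15) contacts
# updates.example-vendor.net every ~5 minutes; the other traffic is irregular.
SAMPLE_LOG = """\
2014-12-10T09:00:00 10.20.1.15 updates.example-vendor.net 412
2014-12-10T09:00:04 10.20.1.15 www.example-news.co.uk 1200
2014-12-10T09:05:01 10.20.1.15 updates.example-vendor.net 410
2014-12-10T09:07:33 10.20.1.22 www.example-news.co.uk 980
2014-12-10T09:10:00 10.20.1.15 updates.example-vendor.net 415
2014-12-10T09:12:10 10.20.1.22 mail.example-corp.local 3300
2014-12-10T09:15:02 10.20.1.15 updates.example-vendor.net 409
2014-12-10T09:20:00 10.20.1.15 updates.example-vendor.net 413
2014-12-10T09:25:01 10.20.1.15 updates.example-vendor.net 411
2014-12-10T09:31:45 10.20.1.22 www.example-news.co.uk 2200
2014-12-10T09:44:00 10.20.1.22 www.example-news.co.uk 1500
"""


def parse_log(text):
    """Group connections by (src_ip, dst_host) -> list of (timestamp, bytes_out)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return events


def find_beacons(events, min_connections=5, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection intervals are nearly constant.

    Regularity is measured with the coefficient of variation (stdev / mean) of the
    intervals; human browsing is bursty and scores high, timer-driven malware scores
    low. min_connections avoids judging a pair on too few samples. Real beacons add
    random jitter, so max_cv is a tunable assumption, not a hard rule.
    """
    beacons = []
    for (src, dst), conns in events.items():
        if len(conns) < min_connections:
            continue
        times = sorted(t for t, _ in conns)
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # all connections in the same second: not a timer pattern
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            sizes = [n for _, n in conns]
            beacons.append({
                "src": src,
                "dst": dst,
                "connections": len(conns),
                "mean_interval_s": avg,
                "interval_cv": cv,
                # Near-constant request sizes are a second hint of an automated check-in.
                "size_cv": pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0,
            })
    return sorted(beacons, key=lambda b: b["interval_cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['connections']} connections, "
              f"every {hit['mean_interval_s']:.0f}s (interval CV {hit['interval_cv']:.3f}, "
              f"size CV {hit['size_cv']:.3f})")
```

Run against the constructed log, only the 10.20.1.15 to updates.example-vendor.net pair is reported (six connections at roughly 300-second intervals). A hit like this is a lead for investigation, not proof of compromise: legitimate update agents also poll on a timer, so the destination should be checked against known-good vendor hosts before blocking it at the web filter or firewall.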

6. Unnecessary software: Crooks love servers that have more applications and add-on software than needed because it gives them more tricks to try when they are attempting to break in using command injections (getting the server to run the wrong command). Servers don't usually need Microsoft Office, for example, so why have it at all?

Action: Use application control to keep track of, and restrict, unnecessary software that reduces security without adding any needed benefit. Periodic reviews of builds against the expected configuration will also help prevent drift or organic changes from leaving you open at some point in the future.