We all know that cybercriminals are opportunistic, especially attackers wielding ransomware. Hospitals overrun with COVID-19 cases are suffering system shutdowns and paying hundreds of thousands of dollars to get back online. Ransomware gangs also targeted election systems too, slowing down the verification of absentee ballots in Georgia. Retailers and logistics suppliers are already falling victim to ransomware attacks, but with the busiest shopping season of the year coming up, they should prepare their companies for an onslaught of attacks from opportunistic threat actors.
It’s impossible to underestimate the impact of ransomware on any industry, and with the shift toward e-commerce this holiday season, retail has become a particularly ripe target. The biggest area of IoT growth – and ransomware concern – lies in the retail supply chain, which makes for a particularly attractive ransomware target.
IoT devices have been used in manufacturing, shipping and delivery of retail products for years – 94 percent of retail companies already use them. This includes robotic arms on manufacturing lines, connected forklifts in fulfillment centers, and smart sensors enabling track-and-trace delivery monitoring.
Many of these connected devices in industrial environments are also built without security in mind, which puts skilled attackers in close range of shutting down manufacturing and delaying deliveries. Any interference to the supply chain during the holiday shopping season would seriously impact the bottom line of retailers. Attackers could exploit this, knowing retailers and logistics companies are more likely to pay ransomware payments during their busiest time of the year. To illustrate the consequences of a supply chain attack, in 2013, multinational shipping company Maersk lost somewhere between $200-300 million in revenue because of operational downtime from a ransomware attack.
While online shopping eclipsed in-store visits on Black Friday, we also have to consider the risks that in-store IoT has introduced. Point-of-sale (POS) systems like Square and smart sensors have been used to measure foot traffic for years, but the pandemic has resulted in even more IoT devices in stores for safety reasons. Automated temperature checks greet customers at the door. Contactless POS systems have replaced cash and credit card handoffs. And robots are used to clean floors and restock shelves.
IoT devices have a well-documented history of weaknesses. Security flaws have been found in the major POS systems. Hackers have also hijacked CCTV cameras and compromised HVAC sensors. Built-in security settings are usually disabled by default, and minimal processing and storage means fewer security controls. Security teams find patching IoT vulnerabilities notoriously difficult. With this in mind, retail stores should prepare to defend against IoT attacks.
Making a list, checking it twice
Here are some recommendations for retailers – both large and small – on how to ensure their holiday sales aren’t interrupted:
- Review third-party security posture. In addition to having an inventory of the third-party systems connected to the corporate network, retailers should continuously assess remote access points into the network, regularly audit the security posture of third parties, and implement safeguards to protect against third-party breaches. For instance, millions of records for Amazon, Ebay, Shopify, PayPal and Stripe were exposed after a third-party app left data exposed on MongoDB — an avoidable error.
- Have real-time visibility into all IoT devices. Whether in-store or in distribution hubs, it’s critical that retailers are aware of and are monitoring every connected device within their network. In doing so, companies can establish baselines for device behavior, detect abnormal activity and stop IoT device attacks before they spread. Without this level of visibility, security teams run the risk of attackers leveraging blindspots to gain entry into systems and create broader network disruptions.
- Segment networks. Security pros can’t block all attacks, so it's important to minimize the damage. Establish visibility into IoT devices, then segment them from important business assets to limit any damage. IoT devices are also used to establish segments – and they too are vulnerable. Security teams also need to aggressively monitor and patch IoT devices to ensure segments stay intact and threat actors can’t use IoT as the weakened entry point to a company’s broader network.
- Operationalize existing security frameworks. For retailers relying on small security teams with less expertise, leverage existing security frameworks to evaluate cybersecurity posture. The National Institute of Standards and Technology (NIST), International Standardization Organization (ISO) and MITRE ATT&CK guidelines are good places to start.
- Implement unique passwords on new IoT devices. Don’t just onboard IoT devices with factory security settings and passwords. Take the extra step to input unique, secure passwords and if possible, change the passwords regularly for an additional layer of security.
Retailers may worry about phishing attacks, stolen customer credit card numbers and online shopping scams, but they shouldn’t overlook the risks posed by IoT devices that enable safe in-store shopping and efficient product pipelines. Retailers can’t afford to lose business and customer confidence during the busiest shopping season of the year.
Curtis Simpson, chief information security officer, Armis
