By: David Higgins, EMEA Technical Director, CyberArk
Autumn Fashion Week season has successfully travelled around the globe for another year, starting in New York at the beginning of September, and coming to a close in Paris, following stops in London and Milan, earlier this month. The season offered a huge beacon of hope to retailers and fashion houses that have struggled to survive the last 18 months. This year’s editions were hybrid events, split between live catwalks online and in person, with the latter making a welcome return post-pandemic.
Just as the season of events itself has changed, so too has the reality for retailers. Even before the pandemic, sales were slowly trending towards online channels, peaking around November events such as Black Friday and Cyber Monday, and conversations around the demise of the high street were already common. While food sales have bounced back to pre-pandemic levels, other retailers are still struggling even though restrictions are mostly lifted, with an unexpected drop in sales this July. Many retailers have revamped their online presence in response to this sudden shift, leading to a swathe of new digital offerings.
Making cybersecurity the main event
The high street experience has evolved to incorporate digital retail at a rapid rate. Some retailers were even investigating innovative ideas to make themselves stand out from the crowd pre-pandemic, such as coveted makeup website Cult Beauty, who introduced their ‘MatchMe’ feature using AI to suggest a perfect skintone-matched foundation in 2016, long before necessity dictated it.
These technologies rely on increased personalisation, which brings increased personal data collection, and also increased security compliance requirements. Previously, the priority was securing in-house ‘endpoints’ such as tills, tablets, and interactive screens, alongside the back-end infrastructure supporting stores’ retail operations. Now retailers have to cope with corporate staff newly operating their devices from home, and the greater proliferation of devices and data used and generated per store has created a whole new threat landscape within the shopping experience, affording more ‘ways in’ for savvy hackers to infiltrate the network. The prize is higher, too, with exponentially more payment details and customer data up for grabs.
This is a challenge that is familiar to online retailers, who have always been a target as a payment centre, and for some years have needed to stay one step ahead when it comes to protecting back-end systems, safeguarding customer data and ensuring consistency of retail operations. But with new technologies being introduced and their security perimeters constantly expanding, retailers must invest in protecting what attackers seek most: privileged credentials that let them traverse the network. Privilege abuse is a recurring element of cyberattacks, featuring in over 60% of breaches in 2020.
Taking cybersecurity from workshop to catwalk
Securing retail networks needn’t be a daunting task and can be broken down into manageable steps. Focus should be placed on implementing least privilege as a discipline, meaning users and machines can only access what they need to be able to access, so if a hacker is able to compromise a single user account, their ability to move laterally is restricted. This protects mission-critical workloads while buying valuable time to detect and respond to an attack.
Once that important first step is taken, regular auditing should be implemented to shrink the attack surface. A thorough audit process can identify orphaned and excessive permissions and limit them to the least privilege required for a service to work properly.
Taking a leaf from other sectors is advisable, too. Many businesses across a range of industries, from healthcare to insurance, are hiring teams of ethical hackers to test critical systems on an ongoing basis. To protect against hackers, you have to think like one, continuously.
Education, Education, Education
Before new identity security measures are implemented, however, education has to take place. The Verizon 2020 Data Breach Investigations Report showed that in retail, system intrusion and social engineering were the first and second most prevalent forms of attack, meaning that not only does retailers’ identity security need to be on point, but their staff need to be well trained to identify when they are being targeted. Basic training in ‘cyber hygiene’ is crucial to ensure that all employees, from the CEO to the shop floor, are equipped to deal with cyber-attacks before they happen and do not let malicious hackers into the network.
Post-fashion week season, retailers must take stock and capitalise on the opportunity to refresh their cyber hygiene if they’re to manage the risk of cyber-attacks. Delivering an innovative, digitally engaging customer experience is essential to restoring the retail sector, and ensuring robust security is a fundamental pillar to building a trustworthy experience. The retailers which manage to claim a stable footing from the fashion week hype will be those which have innovated their cybersecurity at the same rate as their digital offerings, ensuring a trustworthy online experience for customers.