Analysis: Retailers and Ransomware 2023
By Gareth Dew, Head of Platform, Infrastructure and Security at PMC Retail
Retailers may get some comfort from Sophos’ annual security report: The State of Ransomware 2023. But it also provides cause for concern.
The study surveyed 3,000 IT and cybersecurity professionals in over a dozen industries across 14 countries. Headline news for the retail sector is that ransomware attacks reported by retailers have dropped to 69% – an 8% decrease on the year before.
On the other hand, cybercriminals encrypting data remains a nasty and persistent problem for retailers, along with everyone else. A massive 71% of data was maliciously encrypted during last year’s ransomware onslaught on retailers.
Alongside the reputational damage a ransomware attack can cause a retailer is the operational sabotage it inflicts. If you’re not willing to pay a ransom to get your data back, then you need to rely on backups and a savvy IT team to get your systems back online, or face rebuilding from scratch.
For many businesses, the loss of revenue caused by a system shutdown can be catastrophic if you’re not able to get back online quickly; the average recovery cost for businesses hit by ransomware attacks sat at $1.82M for 2023.
The biggest cyber risk today
Sophos says: “ransomware is arguably the biggest cyber risk facing organisations today” due to the high level of attacks, which are also getting more sophisticated and persistent.
Sadly, 46% of organisations admitted to paying the ransom to get their data back last year. But it’s not just the extortion that’s a problem. Some attacks are pure industrial sabotage to stop businesses trading. And lost profits can cost more than lost data. The report found that, of the retailers hit by a ransomware attack, 38% “lost a lot of business or revenue” and 44% lost a little.
Criminals also use ransomware attacks to acquire and sell personal employee data for ID fraud; to achieve this, they aim to access systems and remain undetected for as long as possible.
In 30% of ransomware attacks where data was encrypted, that data was also stolen, the report found. Examples of UK retailers who’ve been hit in this way over the last few years include Royal Mail and JD Sports.
Retailers taking cyber security seriously
Compared to the 2022 report, overall ransomware attack rates remain constant, but have dropped for retailers, as mentioned. There are three reasons for this.
Firstly, retailers are taking cyber security seriously. Secondly, there’s much stronger governance in place, especially in the US, where security standards such as those from ANSI and ISO are being enforced on businesses. Thirdly, hefty fines and legal action can trouble retailers if an investigation reveals the attack was due to their negligence.
T-Mobile is an example of a business that faced a huge data breach class-action pay-out of $350m to customers, plus an additional $150m to upgrade its data protection.
Good housekeeping thwarts attacks
For retailers, the root causes of last year’s ransomware attacks were exploited vulnerabilities (41%), compromised credentials (22%), a malicious email (15%), phishing (17%), a brute force attack (2%) and a download (1%).
So, what can we learn from this? Exploited vulnerabilities typically include things like not patching servers properly, not running routine hardware and software updates, or failing to keep antivirus or firewalls up to date. Endpoint devices can also leave retailers vulnerable, especially if they’re not centrally managed and monitored by an experienced IT team.
As for compromised credentials, these tend to occur through employees not following protocols and re-using the same passwords across multiple devices or applications. To counter this, more stringent employee security training should be rolled out across organisations, and multi-factor authentication, minimum password lengths and regular password renewals should be set up as a minimum.
7 top tips for retailers:
- Educate employees: Teach them about the importance of following security protocols. Even simple measures help, such as making employees run weekly software updates on their laptops or restricting personal apps on employee mobiles.
- Antivirus: Use a best-of-breed antivirus system, and one which provides lateral protection (the option to isolate infected devices) at a minimum. And then keep it up to date!
- Understand the risks: For most retailers, it will be a case of ‘when’ not ‘if’ you are ransomed. Having an IT team who understand this, and have a disaster recovery plan in place to bounce back from an attack, is one of the most worthwhile steps you can take.
- Stay updated: Ensure all business software and hardware is kept up to date, and that you have proper control of all business end devices: mobile phones, POS systems, employee laptops etc.
- Backups: Ask yourself: are my backups good enough? If an attack happens, can I get back online quickly? Which systems can I easily rebuild from scratch? And what can I not afford to lose? Then focus on backing up the ones you can’t afford to lose.
- Servers: Think beyond backups and clone your server as well. Then, if you have to restore backups quickly, you have something to run them on.
- Get assistance: Be pragmatic: 24/7 threat protection is just not financially feasible for many retailers. Threat risks change, so there is no set security roadmap you can simply roll out. However, sitting down with a trusted partner and coming up with a tailored plan can help you better understand the risks you’re facing, and how to invest wisely to protect the assets you can’t afford to lose.
How we can help
PMC are running a retail-centric event with Sophos, the leaders in this field, on Thursday 6th July. We’ll be covering the topic of cyber resilience, and how retailers can address the modern threat landscape with endpoint security. For further details visit our website here.