MELBOURNE, 26 September 2012 — Speaking at Retail Expo 2012 in Sydney yesterday, Michael McKinnon, Security Advisor at AVG (AU/NZ), stressed to his audience of small to medium retailers the importance of taking responsibility for the online security of their businesses. He detailed the dangers for retailers in relying too heavily on their IT suppliers to deliver the necessary levels of security.
In what would appear to be a counterintuitive statement, McKinnon said: “It is not the 5.3 percent of Australian retailers that provide online shopping services which have the greatest exposure to cybercrime, it is the remaining 95 percent of business owners in the sector whose eyes are still on the shop floor rather than the online world, who are most at risk of falling prey to cybercrime.
“Retailers with a sophisticated Internet presence tend to have more current ICT systems and security regimes in place, while the vast majority are largely unaware of and are unprepared for threats to their security,” he said.
Shop owners are being targeted because their businesses have high EFTPOS and credit card transaction volumes and detailed customer databases. Every piece of personal identification information and financial data can be used or sold by a hacker.
McKinnon said: “Not all cybercrime is coming from borderless networks of organised bad guys opportunistically scanning the Internet to find vulnerabilities. It is very easy to walk in and scope physical stores, see what equipment and systems are running, and exploit known weaknesses.”
By operating with unsecured wireless networks and weak password regimes, outlets are open to online attack. A criminal, sitting in close physical proximity to the shop, can simply hack into its system.
The insidious nature of sophisticated malware is that it is designed to work undetected. The longer it can successfully infiltrate POS and other systems, the greater the value of the online heist – and in most cases a compromise won’t be discovered for months [2].
McKinnon said: “Your machines won’t slow, nothing unwarranted will appear in your bank statements. You’ll only find out you’ve been a victim when customer fraud issues are traced back to you.”
The ramifications of a breach are in the loss of critical time, money and reputation. The costs involved in having to deal with the Australian Federal Police and banks to comply with investigations, as well as ICT contractors to clean systems and compile evidence, can be too high a price for some retailers to pay. And McKinnon says: “As the story spreads of you ‘allowing’ a hacker to fraudulently access customer financial information – particularly when you look at the immediacy and reach of social networking – the competitive retail market will often see customers changing to other, ‘safer’ suppliers.
“While a shoplifter can walk out the door with a single item of clothing, a cyber criminal can clean you out,” he said.
Retail operates on tight margins. While it may be tempting to cut corners when purchasing ICT equipment and commissioning external computing services, McKinnon advises: “Don’t scrimp. Get the best and the latest and use every available security measure.”
A clear indicator of the benefit of high-level internal security can be seen in the Verizon statistic that 92 percent of data breaches at smaller operators are notified by an external party, whereas in larger organisations only 49 percent find out the hard way, because they tend to control their own IT and security and can detect breaches earlier.
Another issue for retail shop owners is staff turnover and the ability to keep security policies and implementation at a comprehensively high level.
AVG (AU/NZ) urges retailers to take greater interest in and responsibility for their online security. It is an area of their business that should only be outsourced with care. In a recent example, several retailers were breached when their IT supplier installed remote access technologies to service their systems but gave a hacker an open door by using the same password for every customer.
Confidentiality of customer data is paramount, so AVG (AU/NZ)’s 5 Top Tips for Retailers are:
- Check the credentials and security regimes of any outsourced ICT resources.
- Maintain the highest security levels for Virtual Private Networks and your suppliers’ remote access authorisations.
- Create strong passwords and strict authentications – hackers test for systems that use factory default settings.
- Secure all end points – POS, PCs, mobile devices including smartphones, tablets and USB sticks.
- Staff training must include online security awareness, and specifically the issue of social engineering where staff can be manipulated into divulging confidential data or personal identification information.
Links
1. NAB July 2012 Online Sales Index – http://www.nab.com.au/wps/wcm/connect/nab/nab/home/Business_Solutions/10/25/
2. Verizon 2012 Data Breach Investigations Report (DBIR) – www.verizonbusiness.com/about/events/2012dbir/ – page 50 – Initial Compromise to Discovery
3. Verizon 2012 Data Breach Investigations Report (DBIR) – www.verizonbusiness.com/about/events/2012dbir/ – page 51 – Breach Discovery Methods
Keep in touch with AVG (AU/NZ)
AVG (AU/NZ) has a comprehensive range of security tips on its web site at http://www.avg.com.au/resources/security-tips/. For video tips from AVG (AU/NZ), see http://www.youtube.com/user/avgaunz.