May 24, 2022//Isa Jones
It took only two attacks for Brazilian e-commerce platform Americanas.com to lose millions. The attacks, over two days in February 2022, didn’t affect physical stores but rendered the e-commerce side unavailable, and the total loss added up to $183 million.
That kind of devastating loss isn’t an anomaly when it comes to retail hacks. The sector was named the top target of phishing attacks, and the average cost of a retail-related hack in 2021 was $3.27 million.
As cyberattacks grow more sophisticated and the retail industry transforms, threats, from ransomware to phishing to other kinds, are only going to increase. One part of a broader solution is to implement user access reviews.
Like a few other industries in recent years, the retail sector is undergoing a transformation, primarily from analog to digital. Small boutiques and international retailers are improving their e-commerce sites (and relying more on those digital sales), as well as digitizing every aspect of their business, from cash registers to inventory management to building functions like HVAC units. If it’s digital, it can be hacked, and the truth is most retailers are thinking more about innovation than security. They’re running new software on old cybersecurity architecture, opening up holes that previously weren’t there for a bad actor to crawl through.
In addition, retailers are full of valuable information that an attacker would love to hold for ransom. Think credit card information and other personally identifiable information of customers, supply chain partners, and more. Plus, downtime is expensive and customers don’t forget if their favorite store was hacked: 19% of shoppers say they would abandon a retailer that’s been hacked.
All of those reasons above don’t even include third parties, which continue to be a pain point for all industries. The third-party point of connectivity is the weakest security point for any organization, and retailers deal with a lot of third parties every single day. GoDaddy, which serves as a third-party web hosting provider for millions of small businesses, had hundreds of their customers’ sites hacked just this last month.
While a strong cybersecurity strategy involves multiple components working together to keep our modern marauders away, one program retailers can employ to practice better access management is user access reviews.
User access reviews, the process of periodically and systematically reviewing which assets, data, and access points individual users have access to, are a crucial component of any access management strategy.
This kind of review not only provides insight and accountability, but can prevent access creep and insider threats. According to the Ponemon Institute 2020 Cost of Insider Threats: Global Study, there were 4,716 insider attacks recorded across the globe, and the cost of an insider incident almost doubled between 2019 and 2020 from $493,093 to $871,686. So it’s a process that could save money, reputation, and critical assets from falling into the wrong hands.
User access reviews are specific to internal users, which is perfect for retail. A retail organization could employ thousands who all have access to different systems, and the industry turnover rate is over 60%, according to the National Retail Federation. That many employees going in and out could easily lead to some kind of human error or access creep — where a user gains more access than they need and that access is not properly deprovisioned.
User access reviews can also help an individual organization build better, safer access policies, practice role-based access control, provision and deprovision access more frequently, and spot irregularities before they turn into threats or even an attack.