Osterman study highlights false sense of security in the retail sector

Shared credentials and staffing singled out as top concerns in retail

[Image: point of sale credit card reader. Caption: A memory scraping malware program steals payment card data from point-of-sale terminals and sends it back to attackers using the Domain Name System. Credit: Mike Mozart]

The retail industry has already seen its share of security problems, but a new report from Osterman Research shows that the previously exposed weak points remain, and there's no sign of that changing any time soon.

Osterman Research, on behalf of Bay Dynamics, interviewed decision makers at 125 large retail organizations in November. The study focused on common problems and issues in the market including access controls and visibility, which is the wheelhouse of Bay Dynamics.

Despite the obvious marketing elements, the data collected shows that a previously established weakness remains a source of potential trouble.

One of the first things highlighted by the Osterman report is that while most of the business leaders who responded said they know what their employees are doing when they access corporate assets (systems and data sets), the numbers suggest otherwise.

On the floor, 21 percent of permanent retail workers and 61 percent of the temporary workers use shared credentials. Moreover, more than a third of the respondents said they couldn't identify the systems that temp employees had accessed.

Lastly, a quarter of respondents couldn't say for sure if temp workers had accessed or shared data they shouldn't have. The same can be said for 14 percent when it came to permanent staff.

When it came to rating risk directly, most respondents said that temp workers were somewhat risky, if not a high risk. But 66 percent ranked permanent workers as at least somewhat risky.

"The report shows that retailers are falling short when it comes to security – whether that’s assuming everything is fine and they won’t get breached or not understanding what it really takes to be secure. The underlying sense of false security that exists among the IT and security teams is being pushed up to the board as well," said Ryan Stolte, co-founder and CTO of Bay Dynamics.

If IT and security think they're doing a great job, they feel as if they don't have anything to report to the board.

"C-level executives and board members should be concerned that they are being blinded by a false sense of security. They are being told their employees are doing a great job but based on the results of our survey, it’s clear many are in bad shape. If the board understood the actual security holes within their infrastructure, they would be able to make a more informed decision when it comes to security spending," Stolte added.

In 2014, the retail industry was hit hard. Almost all of the known giants and household brands suffered some level of loss due to security incidents. What the Osterman report highlights isn't new. The data is confirmation that some of the problems that led to the issues back then remain now.

Consider a brief from IBM last year:

"Retailers need to defend themselves against all the successful attack methods of the past, but that won’t be enough: they also need to put in place defenses and alarms that can detect irregularities and alert them quickly to future intrusions, many of which may take specific forms no one has yet seen or anticipated... That’s quite a challenge, and since the realm of digital security isn’t itself a profit center, the amount of executive attention, and the investment that retailers will be willing to devote to it, will necessarily be limited."

During the holidays, temp workers are used to fill gaps, but beyond filling the position, little is done to vet them or train them on security issues. Yet they have plenty of access that can be abused, either intentionally or unintentionally, if they're tricked into sharing it.

For many of them, a key part of their job is the point-of-sale system, and that's exactly what criminals are looking for. It wouldn't be outside of the realm of possibility for a criminal to gain temporary employment during the holidays to stage an attack.

"Employees always pose a cyber risk – whether that’s using the point-of-sale system as a personal computer, visiting websites they should not be accessing, using weak passwords or sending out data they should not be accessing. During the holiday shopping season that risk is even higher because temporary employees are added to the mix, many of whom know they won’t be working for the retailer for an extended period of time and therefore are less concerned about cybersecurity," Stolte said.

The bottom line of the Osterman report is that retailers remain immature in their security practices and misunderstand what it means to be secure.

There are two views here: either retail giants are knowingly cutting corners on security and don't view it as a risk, or worse, they're completely unaware, and that will leave them blindsided when those shortcuts are abused.
