Top 5 Sources of Security Incidents in Retail

by Calyptix, April 13, 2016

computer-security-incident-oopsPeople tend to assume that hackers or other malicious actors are behind the security incidents and data breaches we hear about in the news.

While it’s true – thousands of criminals try to steal data every day – it’s also true that many security incidents are caused by employees.

Employees are the number-one cause of security incidents in the retail and consumer industries, according to the results of the Global State of Information Security Survey (GSISS) 2016 from PwC.

The survey, conducted from May to June 2015, is comprised of responses from more than 10,000 executives of security practices from 127 countries.

Before we dive in, it’s worth noting that the chart applies to security incidents and not data breaches. The terms are slightly different:

  • Security incident – An event that violates a security policy or otherwise puts an asset (such as customer data) at risk. This is a general term and can include network scans, malware infections, or a breach of customer data.
  • Data breach – A confirmed disclosure of sensitive data to an unauthorized party.

security-incident-sources-retail-chart

The top 5 sources of security incidents

Source #1. Employees

Current employees were reported as the greatest perpetrators of security incidents in the retail and consumer industries by those surveyed. The number was 30%, down 12% from 2014.

Employees pose both an intentional and accidental security risk.   They have an insider advantage if they choose to steal data.  But they often compromise their company’s cybersecurity unknowingly.

spear-phishing-security-incidentSpear phishing

Many retail and consumer industry cyber-attacks are initiated when an employee opens an email sent from a villainous source, who tries to trick the recipient into providing personal information, such as logins and passwords.  The act is called spear-phishing, and it arrives as an email that appears to be sent from someone an employee knows.

When the employee opens an attachment, or clicks on a link embedded in the email, associated malware instigates a cyber-attack.  When high-level employees are targeted by this technique it is sometimes called “whaling.”

Spear-phishing has been the point of entry for cyber-attacks on Anthem and Sony.  Stolen data included personal health information, employee social security numbers, and thousands of leaked internal documents.

A 2012 paper by Trend Micro Incorporated found that spear-phishing was involved in 91% of targeted attacks.

Careless or poorly trained?

In 2013 Deloitte reported that up to 90% of user passwords were easily hackable. Splashdata’s 2015 “Worst Password List,” comprised of the 25 most common passwords on the internet, are easily guessable, and therefore highly vulnerable.  They include “123456,” “baseball,” and “password.”

Employees of retail and consumer organizations often put their company’s data at risk by performing work tasks on their own personal devices, often accessed through unsecure WIFI.  They might send work documents to personal email accounts, bypassing security precautions initiated by their employers.

A perceived decrease in retail and consumer employee security incidents could be due to increased employee training.  In addition, more companies are paying vigilance to firewalls, and many businesses require employees to change their passwords on a regular basis.

former-employee-security-incidentSource #2. Former Employees

Former employees are ranked 2nd in the GSISS for security incidents in retail and consumer organizations. Down to 26% in 2015 from 30% in 2014, its share fell 13%.

If employment ends on unhappy terms, it’s easy to imagine an employee with inside information, a grudge to bear, and a lack of morality could be a danger to the company’s security.

A 2009 survey by the Poneman Institute found that 59% of ex-employees surveyed claimed to have taken company data with them when they left their position.

The phenomenon is not limited to retail organizations.

In January 2015 a former employee of the U.S. Nuclear Regulatory Commission and the Department of Energy (DOE) was charged with sending 80 spear-phishing emails to DOE employees seeking sensitive information in exchange for money from a foreign embassy.  He had been terminated by the NRC in 2010.

A former employee of the U.S. Embassy in London was charged in August 2015 with seven counts of computer hacking to extort, one count of wire fraud and nine counts of cyber-stalking.

Those surveyed could be responding to increased company diligence to eliminate logins and passwords of employees immediately upon their termination.  Companies are also improving their data encryption, and many have dedicated IT security personnel that help prevent former employees from taking information with them when they leave.

Source #3. Service Providers, Consultants, Contractors

The survey respondents reported a 21% increase, from 19% to 23%, in retail security incidents caused by current service providers, consultants, and contractors, also known as third parties.

Third party contractors include any outside organization hired by a company.  Third parties run the gamut from lawyers, to electricity providers, to security providers.

As reported by Krebs on Security, the 2013 Target heist that compromised the credit and debit accounts of millions of people was orchestrated through network credentials stolen from one of their Heating, Ventilation and Air Conditioning Contractors.

Cloud security risks can also rise when a retailer uses a third party vendor, since the retailer rarely knows the veracity of the vendor’s employees and partners.

security-incident-source-hackersSource #4. Hackers

The GSISS attributes 21% of retail security incidents to hackers in 2015, up from 20% in 2014.

Hackers perpetrate direct attacks.  Their goals are as numerous as they are varied.  They can be nation-states, lone wolves, and hacktivists, who break into databases on what they see as benevolent missions.

Hackers break into databases to steal personal identities and financial information as an act of theft. Most hacking is done for profit, but some people hack for the personal challenge of breaking into systems that are thought to be secure.

The collective “Anonymous” hacks to fight perceived internet censorship. Hackers might have political motivations, and target electrical grids or other civic infrastructure.

In 2015, 21.5 million people had information stolen from the U.S. Office of Personnel Management by hackers.  The New York Times reported the suspect is China, but it is unknown whether the crime was committed by the government or individuals.

Hackers also target intellectual property, or business secrets.  As various segments of government and corporations have become more sophisticated in their ability to fend off cyber-attacks, hackers have sought to invade industries with less sophisticated cyber defenses.

In 2014 hackers compromised the point of sale system at Home Depot with custom built malware that breached the integrity of 56 million unique payment cards.  It’s estimated the cost to Home Depot will be approximately $62 million.

In addition to retail and consumer firms, U.S. law firms have suffered increased hacker attacks in the United States because they are in possession of potentially lucrative information, and lag other professions in cyber security.

In a recent survey reported by Legal Tech News, less than half the law firms surveyed had intrusion detection systems, email encryption on all their services, or logs of employees who accessed public health information.

Source #5. Organized Crime

Those surveyed identified a minor increase, from to 18% in 2015 from 17% in 2014, of retail and consumer organization security incidents by organized crime, the final group identified in the GSISS report.

According to the report, some in the financial industry believe that increasingly, cybercrime is a collaborative effort between foreign nation states and organized crime.

The FBI reports a sampling of the organized criminal threats to the U.S. include groups from Africa who perpetrate financial schemes, Russian mobsters who moved to the U.S. after the collapse of the USSR, and Asian groups including the Japanese Boryokudan.

A white paper written by The RAND Corporation notes that black markets where data is sold are growing in complexity and size, and that hackers are morphing from random individuals to sophisticated, financially driven groups, often associated with traditional crime groups such as mafias and drug cartels.

The dangers are real, and the smart money is on those who exercise continuous vigilance on the cyberfront.