On Cybersecurity in Digital Retail

Shoptalk • March 18-21, 2018 • Las Vegas, NV

By Sergei Ostapenko, DEPLABS Inc.

Last week, I attended Shoptalk 2018 – an industry event for retailers in North America focusing on digital technologies, innovation, and transformation of retail. Among hundreds of technology vendors, numerous knowledge-sharing sessions, rich customer success stories, and general excitement about AI and emerging technologies, I saw a massive void in that the topics related to cyber security were almost absent. Indeed, only six (6) vendor sponsors were listed under the “Web Security” section of the trade show catalog, while one hundred thirty-six – one a many – were featured under the “Personalization” section of it.

Having attended numerous eCommerce and retail technology-focused trade shows in the US for a number of years, I can attest that the above is not unique. In my experience, retail executives generally do not like to talk about cyber threats, risks, and preventive defense mechanisms, considering them somewhat “DevOps” or “CIO” type issues – technical, so not as sexy as, say, Blockchain. A typical (at best!) response to a cyber security-related question from a retailer is “Oh, we’re PCI-compliant and we use SSL”. Well, darn it, I am glad, now let’s talk Blockchain, right? While these “boring” issues are deeply technical, today’s challenges mandate a different mentality and the utmost serious consideration of cyber security strategy in digital retail. We must be aware of the types of potential risks and the effective strategies and tactics in offsetting such risks – if you think you’re safe, think twice.

Raytheon published a fascinating “Cyber Megatrends” study in February 2018, where they show some shocking findings on this front. Apparently:

  • Less than half of IT security practitioners surveyed believe they can protect their organizations from cyber threats. That’s down from 59% three years ago.
  • Only 36% of respondents say their senior leadership sees cybersecurity as a strategic priority, meaning less investment in technology and personnel.
  • 54% believe their organization’s cybersecurity posture will either stay the same or decline. 58% believe staffing problems will worsen, and 46% predict artificial intelligence will not reduce the need for experts in cybersecurity.

And, at the same time:

  • 60% predicted attacks by nation-state actors against government and commercial companies will worsen and could lead to a cyber war. 51% of respondents say cyber warfare will be a high risk in the next three years, compared to 22% who feel that way today. Similarly, 71% say the risk of breaches involving high-value information will be very high, compared to 43% who believe that risk is high today.

But hey, who cares about aggregate numbers, right? Consider the following story from a friend of mine who runs an outsourcing business building mobile applications. His agency had crafted a mobile app for a mid-size retailer client, quite a sizable project with multiple integrations and rich features. Post-launch, the client claimed that their new app was performing poorly and they did not make a final large payment on that contract. The agency believed they were being taken advantage of; however, they did not want to go to court – the cost and effort of doing so was very high. So, when my friend discussed possible courses of action, one of his technologists suddenly came forth suggesting that they could shut down the client’s mobile app and… blackmail the client. By that time, the agency’s access to the client’s servers was already cut, so my friend naturally wondered how it was possible (by that time, the application had already been downloaded by thousands of users). What was explained to him almost gave him a heart attack. In layman’s terms, there was custom code embedded deep within the app core that made frequent calls to an external server. This server, maintained by said developers, returned specific values to specific “calls” that came from the client’s application, which was programmed to behave based on these external values – for example, stop further processing until an external server returned the right command. No harm intended, just something they do for interim app testing. My friend was stunned – his developers had embedded such custom code in many apps AND websites they built without anyone’s knowledge or approval, and no one knew the exact scale of potential exposure and liabilities that such actions may have exposed his agency to. He immediately launched a full-scale security audit, made quite a few senior changes in his engineering team, and established strict internal control procedures to prevent such practices in future. Throughout the process, his client remained oblivious to the fact that some rogue developers could have basically taken over devices of his entire customer base. And while my friend has fixed said app, how many similar apps are out there? And how could a client be protected in such cases?
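One check a client can run against the behaviour described above, as an added example (not code from the article or from the agency in the story): record the app's outbound requests in a test environment, flag destinations that are not on the approved endpoint list, and note which of them are polled at regular intervals. The host names, log format and approved list are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: the endpoints the client has approved for the app.
APPROVED_HOSTS = {"api.shop.example", "cdn.shop.example", "payments.example"}

# Constructed sample of an egress proxy log captured while the app ran in a
# test lab. Assumed format: ISO timestamp, destination host, request path.
SAMPLE_LOG = """\
2018-03-20T10:00:00 api.shop.example /v1/catalog
2018-03-20T10:00:02 cdn.shop.example /img/helmet.png
2018-03-20T10:00:30 ctl.agency-dev.example /flag?app=store
2018-03-20T10:00:41 payments.example /v2/authorize
2018-03-20T10:01:30 ctl.agency-dev.example /flag?app=store
2018-03-20T10:02:10 crashstats.example /report
2018-03-20T10:02:30 ctl.agency-dev.example /flag?app=store
2018-03-20T10:03:31 ctl.agency-dev.example /flag?app=store
"""


def calls_by_host(log):
    """Group request timestamps by destination host, skipping malformed lines."""
    calls = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        stamp, host, _path = parts
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue
        calls[host.lower()].append(when)
    return calls


def audit(log, approved=APPROVED_HOSTS, max_jitter=0.1):
    """Return unapproved hosts with call counts and a periodic-polling flag."""
    findings = []
    for host, stamps in sorted(calls_by_host(log).items()):
        if host in approved:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Regular polling shows up as near-constant gaps between calls:
        # coefficient of variation (stdev / mean) close to zero.
        periodic = (len(gaps) >= 3 and mean(gaps) > 0
                    and pstdev(gaps) / mean(gaps) <= max_jitter)
        findings.append({"host": host, "calls": len(stamps), "periodic": periodic})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

Any host in the findings is a question for the vendor; a periodic one is the pattern the story describes, an app that keeps asking an outside server what to do.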

Hearing about a third-party-built commerce mobile app stuffed with harmful code is one thing; but in a different scenario, I was approached by a prospect, a sizable privately held independent manufacturer, several years ago. A long-term company veteran, the CIO who helped the founder to grow the direct-to-consumer online business was now stealing in plain sight – and no one noticed. It was a classic side effect of their huge online sales growth – resulting in a lack of internal controls combined with a blind trust in things to continue to “work right”. The CIO had rigged an eCommerce application in such a way that a portion of online order credit card payments were sent to his personal bank account. After these orders were assembled and shipped, usually on the same day, he altered ERP and OMS systems’ inventory records and counts to erase the “personal” orders. Even when returns were processed, his cleverly designed order numbering system allowed him to avoid detection. No financial audits spotted any discrepancies for years (it’s hard to find patterns when all of your data sources are compromised and one person holds the keys to all systems as a super-admin, including being the owner of record of the domain records!). Eventually, an outlier event made it possible to uncover the theft – a customer asked for an express shipment (shipping was always free) to an exotic location, and a night shift company employee processed the shipping charge that was then attached to the order that miraculously disappeared. Puzzled, the COO set up a batch of test orders over a few weeks and the whole scheme was uncovered. It took the company several months to restore records and access to critical systems, and to re-establish control over its digital channel. Could they have prevented it and if so, how?

These are not standalone examples. With eCommerce-driven explosive growth and the proliferation of new promising technologies, it’s obvious that lack of robust internal controls over a digital channel could and does take place. Contrast that with a well-established practice in traditional accounting and finance audits. Such audit procedures are normalized and structured by industry vertical; a significant portion of these is based on automation (for instance, did you know that among all digits, some have a much higher probability of appearing as a leading digit in financial numbers? Run a sample of numbers you got from your accounting through a testing tool and if your stats are well off, someone’s cooking the numbers!) However, take a look at a typical enterprise website with its macaroni mix of JavaScript code from God knows how many marketing tools accumulating over time. Often, people responsible for running these sites cannot specifically tell what each of these code pieces does or what it is used for. Let alone having a set of controls in place to ensure that their eCommerce application isn’t doing something that it should not.
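The leading-digit check mentioned above is Benford's law, under which a leading digit d appears with probability log10(1 + 1/d). The following is an added example (not from the article or any audit tool) that runs a chi-square test of order totals against that distribution; both samples are constructed, and amounts are assumed to be stored as integer cents.

```python
import math
from collections import Counter

# Benford's law: expected share of each leading digit 1..9.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# Chi-square critical value for 8 degrees of freedom at alpha = 0.05.
CHI2_CRITICAL = 15.507

# Constructed "natural" sample: 300 order totals spread evenly on a log
# scale from $10 to just under $10,000 (values in cents).
NATURAL = [round(1000 * 10 ** (k / 100)) for k in range(300)]
# Constructed "cooked" sample: the same orders plus 120 fabricated entries
# between $45.00 and $49.76, e.g. kept just under a $50 review threshold.
RIGGED = NATURAL + [4500 + 4 * i for i in range(120)]


def first_digit_counts(amounts_cents):
    """Count leading digits, ignoring zero amounts and the sign."""
    return Counter(int(str(abs(a))[0]) for a in amounts_cents if a != 0)


def benford_test(amounts_cents):
    """Compare observed leading digits with Benford's law."""
    counts = first_digit_counts(amounts_cents)
    n = sum(counts.values())
    if n < 100:
        raise ValueError("sample too small for a meaningful test")
    chi2 = sum((counts.get(d, 0) - n * p) ** 2 / (n * p)
               for d, p in BENFORD.items())
    # Digit whose observed share exceeds its expected share the most.
    worst = max(BENFORD, key=lambda d: counts.get(d, 0) / n - BENFORD[d])
    return {
        "n": n,
        "chi2": round(chi2, 2),
        "suspicious": chi2 > CHI2_CRITICAL,
        "most_overrepresented": worst,
    }


if __name__ == "__main__":
    print("natural:", benford_test(NATURAL))
    print("rigged: ", benford_test(RIGGED))
```

The test is only meaningful for amounts that span several orders of magnitude; a catalogue with a handful of fixed price points will deviate without any fraud, so a failed test is a reason to sample the underlying orders, not a verdict.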

What then are the right key areas to focus on when addressing cyber security of your digital sales channel? The scope of our discussion is obviously wider than a post like this would warrant, but here are some of these areas to get you started:

Basic internal controls system

Your digital channel must undergo a controls scrutiny at the same level, if not deeper, as your traditional channels in retail. There are quite straightforward and established reconciliations to be run regularly, and I am sure most if not all are doing it. However, these very often are focused on financial transactions – payments processing, refunds, shipping & handling charges, pricing and discounts, etc. There are numerous other risk areas that are often omitted, such as access levels to critical applications, integrity of records, and backup procedures. Do not let the buzzwords and slick marketing terms lure you into believing that somehow part of your business is secure because you bought an “AI/ML/Blockchain-driven most-secure app from an established vendor” (Here you have it, I did manage to slot in the Blockchain buzzword : ) ). The reality is that each one of these complex applications is run by people who are agents of yours as a principal stakeholder. It is your responsibility to ensure that the systems will work as intended even if your agent’s intentions may be adverse.

Data is your most valuable resource

You must establish controls over it in areas that relate to both internal and external information assets handling. Lots is published on this subject, so there is some inflation to the “protect your data” term – however I don’t cease to be amazed at how many of the executives I speak with are not 100% sure if their customer data is handled correctly and if it’s safe. You may not get a repeat order from someone who was once your customer, but their name and detailed profile may be of much value to scammers. Do invest your time in understanding fully how data progresses through your organization, especially in eCommerce sales and in a marketing/merchandising promo cycle. Where does it originate? At what level of detail? How is it stored, how is it used? Who has access to it? What happens when it gets deleted? What systems does it get imported into? In identifying a web user, what kind of parameters are you recording on such a user? Do you personally identify your web users, even if not logged in? These are all good questions to ask. (But do not just ask them, play the part too; I find that it is very beneficial to be a “secret shopper” and register across all company channels I am working with myself to see from the inside how exactly I am being communicated to, and where & how my individual data is stored. It’s especially exciting to do when you have an advanced toolkit on your web browser identifying the ways in which you are being identified and tracked by your client.) I would also mention GDPR here, being a major regulatory compliance issue for retailers now. You should absolutely familiarize yourself with it if you have not yet – massive regulation is coming our way to protect the way in which personally identifiable information is to be handled.

Clear internal roles and cyber security-specific policies & procedures

I find that most organizations, when considering digital transformation and internal organizational reforms, primarily focus on agility. How do we embrace change? How do we deploy faster? How do we test latest promising technologies without months of slow committee-type approvals and endless discussions? How do we shift project mentality to product mentality? All these are fantastic challenges to tackle! You’d hear about ROI, cross-functional teams, lifetime values; but very rarely you’d hear about security aspects of what is being rolled out. In some cases, the burden is put on an external advisor and/or vendor. In some, it is simply assumed that “someone” should care about “security and passwords and all that stuff”. But do your internal positions and roles actually have specific measurable responsibilities for cyber security? At what level? Here is a brief example of a retail company senior role in digital with focus in this area:

  • Scope: Cyber security risk management, signal assessments, compliant handling, technology deployment, customer queries and communications.
  • Select Responsibilities:
  • Provide leadership in the execution of a cyber security strategy, to include aligning with business and product strategy, gaining executive approval and support, and overseeing successful execution.
  • Collaborate with product teams to create and maintain a Secure Product Development Life-cycle process to ensure that cyber security controls can be embedded within the product development process.
  • Build a metrics program that leverages assessment data, internal and external vulnerability & threat intelligence sources, supplier data, and product profiles to provide insight into future trends.
  • Coordinate with the division teams to conduct product cyber security risk assessment and develop mitigation plans.
  • Develop and employ an ongoing product cyber security communications, training and awareness program tailored to the evolving needs of the business and specific requirements of various user groups through change management.

I cannot overestimate the importance of backing a cyber security strategy and awareness at the most senior level in an organization, especially in a retail environment with many distributed and diverse multi-functional teams running multiple concurrent digital initiatives. A core Cyber Security Policy is a must – a formal set of rules by which those people that are given access to company technologies and information assets / data must abide. It then translates into specific procedures to be implemented – do not make the mistake of NOT defining your formal set of rules on this front before issuing these specific procedures. Most certainly, a message that “We take cyber security seriously here” from a company’s CEO with subsequent very specific and decisive actions to enforce it is a powerful way to assert the desired impact on your organization.

Mitigate most common cyber threats with tools, but first, use common sense

Before you evaluate, buy, and deploy widely available automated tools for cyber security, your team must address the most immediate, obvious system vulnerabilities. Of course, not being expert hackers, they won’t be able to break into their own systems with ease – so self-testing systems for vulnerabilities has a marginal effect. However, there are very obvious things, bordering on primitive, to look out for, especially when testing customer-facing applications. Are the most common passwords used for super-admin access? Do web forms on a website have captchas, “I am not a robot” type verification required before submission? If not, your website can easily be taken down with a simple script that will bombard your server with fake submissions. Does your application automatically log out when left idling for long? If not, it can be accessed by unauthorized personnel and be manipulated. What happens when a user randomly enters garbage data into search or other fields, can they take the website down? What about your web store chat bots, how are they responding to non-trivial customer questions and comments?

About 6 weeks ago I was looking for some accessories for my motorcycle and I stumbled on a very functional web store that sold what I needed; it had a friendly chat bot that started to converse with me. Deciding to test the machine, I pretended to be a very depressed person with no funds to purchase anything from their store. The chat bot immediately offered me a discount coupon. I continued to complain and painted a very sad image of humanity to a poor algorithm. At first, it issued me an employee discount, then, when pressured with threats of litigation, a potential consumer liability and various other bad things, it presented me with a “free product” discount, which turned out to be a mother lode – when applied, it discounted an order total to zero no matter what or how much you put in a shopping cart and only kept sales taxes and shipping costs in. I shared this with that company and suggested they fix the glitch, which they promptly did – it turned out to be a test (!) coupon they used before the site was launched; the unsuspecting algorithm simply picked up what it considered to be a viable promotion applicable to me based on its inferred sentiment! But what if that coupon had made its way to the public? A retailer may have been sending out discounted merchandise for a while before realizing there is an issue.

Of course, most such obvious vulnerabilities are tested for and eliminated by developers prior to application launches. However, over time, with multiple changes and systems impacted, things have a tendency to slip. Take a fresh look at what you have and, better yet, hire someone to do so for you professionally.

There are tools and people out there that can help you

Cyber security is a complex discipline, and as such, it has various subsets of methods and products to address specific threats. Here are just a few of these, with links to some reliable technology vendors in their respective areas (and no, I am not promoting them, if I did, I’d tell ya):

  • Penetration Testing (pen testing) – an authorized simulated attack on a computer system to evaluate the security of such system. (Rapid7).
  • Anti-Phishing – computer programs that attempt to identify phishing content in websites, email, or other forms of data access and to block the content; often integrated with web browsers or email client programs (CybeReady).
  • Risk Assessment tools – such as security operations platforms that help surface unseen threats and to empower expert decisions with front line intelligence (FireEye).
  • Data Access Governance – management of all of the data which an organization has to ensure that high data quality exists through the complete life-cycle of the data. Key focus areas are availability, usability, consistency, integrity and security of data (SailPoint).
  • Enterprise Forensics – platforms that enable examination of digital media in a sound manner for identifying, preserving, recovering, analyzing, and presenting facts and opinions about digital information (FireEye).
  • Database security – broad range of information security controls to protect databases against compromises of their confidentiality, integrity, and availability (Imperva, Citrix).
  • User & Entity Behavior Analytics – detection of internal threats, targeted attacks, and financial fraud; looking at patterns of human behavior and then applying algorithms and statistical analysis to detect meaningful anomalies from those patterns – anomalies that indicate potential threats (Securonix).
  • Deceptions & Traps – an emerging category of cyber security defense. Products that can detect, analyze, and defend against severe threats (known as zero-day attacks) and attacks, often in real time. Deception technology enables a proactive security posture by seeking to deceive the attackers, detect them, and defeat them, allowing the enterprise to return to normal operations (CyberArk).
  • Network Access Control – an approach to computer security that attempts to unify endpoint security technology, user authentication and network security enforcement (Portnox).
  • Shared Technology Platforms – centralized “digital vaults” with multiple levels of built-in security for authentication, tamper-proof storage, and data protection (CyberArk).

Work with professional service providers

Make sure that you hold third parties accountable for adhering to their contractual responsibilities and declarations, especially when it relates to cyber security, intellectual property rights, and dealing with personally identifiable data & proprietary information assets. It helps to periodically verify / audit your service provider’s processes, executing your contractual rights to send very clear “zero tolerance” type signals. Don’t be fed by vendors’ generic template-based ‘disaster recovery plans’ and ‘PII handling policies’. Do verify the adequacy of the professional liability insurance coverage your vendors have. Take a look at your professional services contract today – what will happen if a third party were to inadvertently send a phishing email to all of your customer base? What if your contractor injects potentially harmful software code into your application that they can then activate to take over proprietary data, as in the example in the beginning of this article? Are you sure that your applications are being thoroughly tested and audited, independently and objectively?

In closing, I’d like to quote Stephane Nappo, Head of IT Risk Management and Chief Information Security Officer at Société Générale. He says:

One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks. Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.

Are you ready to face the basic cyber threats? Think and learn, but please, act if you think you can do better on that front.

March 26th, 2018 | Latest Articles