CenturyLink

Susan McReynolds

Dodging a Dark Web Feeding Frenzy

One click. That’s all it takes to fall victim to a phishing campaign. And because phishing exploits human susceptibility, 59 percent of hackers identify phishing as the best strategy for data exfiltration.

With more sales traffic over more channels than ever before, hackers are launching advanced cyber-attacks to deploy malware that infiltrates retail networks and steals valuable credit card and customer data.

We’ve all seen the headlines. The vast majority of retail breaches over the past few years have been due to point-of-sale (POS) compromise. POS malware, designed specifically to gather the card holder’s name, primary account number and other data such as PINs, has proven to be a lucrative business across the globe. As POS systems are targeted with greater frequency, malware developers are creating new strains at a breakneck pace, leaving breached retailers to fight a war on two fronts: reputational damage and liability for damages. And with the slow rate at which U.S. merchants are transitioning to EMV chip-and-PIN technology, bad actors are only encouraged to target retailers more aggressively. The bad news doesn’t end there: 67 percent of CISOs and CIOs believe their companies are more likely to fall victim to a cyber-attack or data breach in 2018 than in 2017.

So, what is the answer? The new security paradigm for retailers requires a layered approach to risk management, with integrated and adaptive security solutions, controls and defenses, to combat phishing and malware infections.

Below are four key steps for risk management professionals to build discipline in helping to prevent, detect and respond to malware attacks.

  1. EDUCATE – A good prevention strategy starts with security awareness training and education for all employees. It’s important to remember that phishing attacks are not limited to email campaigns. According to Wombat Security’s State of the Phish 2018 report, 45 percent of respondents experienced phishing via phone calls (vishing) and SMS/text messaging (smishing). Employees must be trained to recognize and report phishing attempts across all devices to proactively thwart this attack vector and help create a collective organizational defense. Special attention should be paid to high-risk employees who are more likely to be targets of email phishing campaigns. These individuals typically include customer service and call center staff, and any employees who handle or have access to sensitive company and customer information.
  2. PROTECT – In today’s threat landscape, retailers must take a layered approach to build robust defenses. Good spam and email filters can go a long way toward blocking malicious penetration of the network, and anti-phishing software should be deployed at the email gateway for added protection. Anti-ransomware clients should also inspect for encryption software to help prevent malware from executing on critical infrastructure and systems. And to limit the lateral spread of malware, segmenting the data center environment from the employee user environment provides better protection than a flat network architecture.
  3. DETECT – It’s not a matter of if, but when. Applying intrusion detection technologies to protect email servers, combined with threat intelligence solutions that can detect and block malware in real time at the edge, will help thwart attacks and reduce exposure. Focus your security controls not only on prevention but also on detection capabilities that help minimize dwell time. For retailers, the average dwell time of 197 days is far too long for a bad actor to be left undetected inside your network. Leveraging threat intelligence to respond quickly to malicious or suspicious network activity will help reduce damage to your customers, shareholders and brand reputation.
  4. TEST – No matter what security defenses you have in place, 10 percent of employees will still click on a phishing email. And for phishing email templates disguised as “corporate email improvements”, the end-user failure rate rose to 89 percent. Hiring a third party to conduct simulated phishing attacks on your employees will allow you to measure your organization’s susceptibility, or “click rate”, and aid in cybersecurity training. Testing can also provide deeper analytics: which users hovered over a malicious link, whether data was entered, and whether sensitive data was submitted, among other insightful and actionable reporting metrics.
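As an added illustration of the analytics that steps 1 and 4 describe (this is example code, not code from the original post or from CenturyLink), the script below aggregates constructed phishing-simulation results into a per-department funnel (delivered, opened, clicked, submitted), computes the organization-wide click rate, flags departments above a chosen threshold as high-risk groups for targeted training, and lists repeat clickers across campaigns. The department names, user names, event records, previous-campaign results and the 30 percent threshold are all assumptions made for the example.

```python
"""Phishing-simulation funnel analytics.

Added example, not CenturyLink code. Turns the raw results of a simulated
phishing campaign into the metrics a security awareness program acts on:
a per-department funnel, the overall click rate, the departments that
need priority training, and users who have clicked in more than one campaign.
"""
from collections import defaultdict

# Funnel stages in order. Reaching a later stage implies all earlier ones.
STAGES = ("delivered", "opened", "clicked", "submitted")

# Constructed sample events: (user, department, furthest stage reached).
# All names and departments are invented for illustration.
SAMPLE_EVENTS = [
    ("alice", "call_center", "submitted"),
    ("bob", "call_center", "clicked"),
    ("carol", "call_center", "opened"),
    ("dave", "call_center", "delivered"),
    ("erin", "customer_service", "clicked"),
    ("frank", "customer_service", "submitted"),
    ("grace", "customer_service", "delivered"),
    ("heidi", "engineering", "opened"),
    ("ivan", "engineering", "delivered"),
    ("judy", "engineering", "delivered"),
]

# Constructed: users who clicked in an earlier campaign, used to spot repeat clickers.
PREVIOUS_CLICKERS = {"bob", "heidi"}

# Assumed threshold: a department at or above 30% click rate gets priority training.
HIGH_RISK_THRESHOLD = 0.30


def _reached(stage, target):
    """True if `stage` is at or beyond `target` in the funnel order."""
    return STAGES.index(stage) >= STAGES.index(target)


def build_funnel(events):
    """Return {department: {stage: count}}.

    A user who reached a stage is counted in that stage and every earlier one,
    so each department's counts are monotonically non-increasing along STAGES.
    """
    funnel = defaultdict(lambda: dict.fromkeys(STAGES, 0))
    for _user, dept, stage in events:
        for s in STAGES:
            if _reached(stage, s):
                funnel[dept][s] += 1
    return dict(funnel)


def click_rate(events):
    """Organization-wide susceptibility: share of delivered lures that were clicked."""
    delivered = len(events)
    clicked = sum(1 for _u, _d, s in events if _reached(s, "clicked"))
    return clicked / delivered if delivered else 0.0


def high_risk_departments(funnel, threshold=HIGH_RISK_THRESHOLD):
    """Departments whose click rate meets the threshold, worst first."""
    flagged = []
    for dept, counts in funnel.items():
        if counts["delivered"] == 0:
            continue
        rate = counts["clicked"] / counts["delivered"]
        if rate >= threshold:
            flagged.append((dept, round(rate, 2)))
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def repeat_clickers(events, previous_clickers):
    """Users who clicked in this campaign and also in a previous one."""
    return sorted(
        user for user, _dept, stage in events
        if _reached(stage, "clicked") and user in previous_clickers
    )


def report(events, previous_clickers, threshold=HIGH_RISK_THRESHOLD):
    """Bundle all metrics into one dict for a training or board report."""
    funnel = build_funnel(events)
    return {
        "click_rate": click_rate(events),
        "funnel": funnel,
        "high_risk_departments": high_risk_departments(funnel, threshold),
        "repeat_clickers": repeat_clickers(events, previous_clickers),
    }


if __name__ == "__main__":
    result = report(SAMPLE_EVENTS, PREVIOUS_CLICKERS)
    print(f"Organization click rate: {result['click_rate']:.0%}")
    for dept, counts in sorted(result["funnel"].items()):
        print(f"  {dept:17s} " + "  ".join(f"{s}={counts[s]}" for s in STAGES))
    print("High-risk departments:", result["high_risk_departments"])
    print("Repeat clickers:", result["repeat_clickers"])
```

In practice the event list would come from the simulation vendor's export; the funnel shape (how many of the clickers went on to submit data) tells you whether training should concentrate on spotting the lure or on not entering credentials once on the landing page, and the repeat-clicker list identifies the individuals the article singles out for special attention.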

While there is no silver bullet to prevent cyberattacks, retail organizations need robust, data-driven intelligence to quickly respond to and mitigate phishing attacks and malware exploits. As the retail environment grows more complex and the attack surface continues to expand, shoring up organizational defenses to protect sensitive data should be a top priority for 2018, starting now.

To learn how CenturyLink is helping retail organizations combat today’s sophisticated cyber threats, visit our Retail Security Lookbook.