The retail industry is one of the most crucial pillars propping up the United States’ economy. Without it, approximately 42 million Americans—a quarter of the entire US workforce—would be unemployed. Not to mention the fact that its demise would mean no more Christmas sweaters or Roombas: a slightly less dire but nonetheless devastating loss.
The retail industry keeps Americans employed, our economy churning, and the population satisfied with the essential (and occasionally inessential) goods it wants and needs. Considering how massive a role retail plays in both our economic wellbeing and daily lives, the extent to which the industry underperforms with respect to cybersecurity is alarming, to say the least.
A recent report by Truvantis’ partner SecurityScorecard rates retail as the lowest-performing industry in terms of vulnerability to social engineering. This fact is all the more unnerving when you realize exactly how much money the industry accounts for. According to the National Retail Federation, retail saw $3.53 trillion in sales last year, and the NRF reports that the industry is expected to see that figure increase between 3.8 and 4.4% by the end of 2018.
You may be wondering how an industry so important and enormous can be so prone to these kinds of hacks. To figure that out, it helps to know which kinds of attacks the industry has been most susceptible to. According to SecurityScorecard, phishing and vishing are the main culprits.
Phishers tend to prey on ignorant, impressionable employees. These kinds of attacks can come in the form of fake emails that appear to be from management or IT departments. Many employees do not think twice about listening to the demands of what appear to be company authority figures, and it only takes a handful of employees to go along in order to compromise an organization’s data.
Vishing is the other most popular tactic employed by social engineers against the retail industry. In a vishing attack, social engineers call a company under the guise of being concerned, rational customers. Since customer service is arguably the most important point of emphasis within retail, many victims of social engineering will unknowingly aid exploits over the phone, under the impression that they are just doing their jobs.
The fact that the industry employs so many young, inexperienced workers is also a huge factor in its social engineering problem. A disproportionate number of young people work in retail, relative to other industries. Retail also employs roughly 55% of the country’s working teenagers: a demographic that accounts for about 10% of the industry’s workforce as a whole. Considering that younger workers are generally more naive than their older counterparts, many social engineers use them as easy points of entry.
Though the retail industry’s social engineering problem is widespread and challenging, the situation is not hopeless. Retail companies need to be aware of the issue and take proactive steps to combat it; these measures could include comprehensive employee security awareness training and penetration testing with special attention to tactics like phishing. Social engineering within retail will always be a concern, but if businesses are willing to take the proper precautionary initiatives, it does not have to be an epidemic.