Why retail stores are more vulnerable than ever to cybercrime

When we think about cybercrime and retail, it is natural to focus on websites being targeted with attacks. Indeed, there has been a shocking rise in the number of cyberattacks perpetrated against online retailers in the past year. However, Dakota Murphey explains why store owners and security managers also need to protect their physical locations from the cyber threat.

Figures from SonicWall’s Biannual Report revealed that ecommerce and online retail businesses saw a 264% surge in the past 12 months in ransomware attacks alone. These kinds of statistics are extremely worrying for retail businesses, so it is unsurprising that websites and digital security are at the forefront of retailers’ minds.

However, for those retailers that have a physical store as well as an online presence, there might be an assumption that in-store cyber security doesn’t need to be considered a top priority. Making that assumption could be a big mistake.

In this article, we take a look at why retail stores are more vulnerable to cybercrime than ever before.  

Security is weaker

There can be no doubt that one of the major issues around security in-store is the issue of complacency. It is assumed that physical stores themselves are unlikely to be targeted by cybercriminals – surely it is more likely that they will put their resources into using hacking or phishing? 

In reality, cybercriminals are always looking for ways to maximise their time – they want quick wins. Increasingly, because retail stores are less well protected, they are being seen as an easy way into a company’s computer system. Perhaps the lesson that needs to be learned here is that you should never assume that you won’t or can’t be attacked.

Cybercriminals are far more sophisticated than they’ve ever been. If there are gaps in security, they can identify and tap into them. Retailers, for instance, need to balance consumers’ privacy and data protection with their own tight security measures that protect their internal IT systems and physical stores. Failure to install security effectively and to comply with these requirements can result in firms facing fines for breaches of privacy laws under stringent CCTV regulations and GDPR guidelines.

Stores and websites are intrinsically linked

You might think that there is a divide inside your business: your physical store and your online store. However, it is generally the case that your physical premises are linked to your digital system just as much as an office might be. Do you log into your system at work? Do you track customers’ details using an IT system? 

For the majority of businesses, the physical store is actually just as dependent on the IT system as the online site is. This presents a potential problem. If your physical retail store can potentially allow access to your whole IT system, cybercriminals can use nefarious methods in your physical premises to gain that access.

The rise of the Internet of Things

Physical stores are increasingly reliant on Internet of Things devices – that is, any device that is connected to the internet. This might include stock checkers, smart shelves, predictive maintenance equipment and much more.

Physical security devices such as CCTV, video surveillance and alarm systems are often connected to the internet and can also be a point of vulnerability in targeted cyber attacks. The use of video surveillance technology and other types of physical devices now extends beyond pure crime detection. They have intelligent capabilities that can be applied to monitor crowds, secure physical sites and support building management platforms.

Although such integrated systems do a good job in providing smart data to support security firms and facilities managers managing retail sites, any data, files and surveillance videos can be vulnerable to cyber attacks. 

Whether they are managed through cloud-based applications or as on-premise solutions, the physical security devices that protect retail stores also open up another potential entry point to your IT system that criminals can exploit. And, if CCTV, video surveillance and alarm systems are not managed properly, they can be a major problem.

The invasion of shadow IT

Shadow IT is the use of any kind of software or applications that aren’t approved by the IT team. This is becoming a big problem, especially in stores where staff make use of personal devices as a part of their role. 

“The popularity of shadow IT is partly due to its perceived benefits,” says George Glass, Head of Threat Intelligence at cybersecurity specialists Redscan. “These include the ability to take initiative in setting up and using technology and the freedom to adopt systems and software more quickly in order to reduce workload. However, these apparent benefits come at a significant cost.”

The issue arises when this shadow IT is not checked for vulnerabilities or is not kept up to date because the IT team does not know about it. These vulnerabilities and flaws can present a potential opening for cybercriminals.

Prioritising speed of service over security

It is naturally the case that many businesses in retail want to prioritise fast and effective customer service. Unfortunately, this can ultimately result in good security practices being overlooked in favour of getting on with tasks. For example, if a customer comes in requesting a password reset on their account, there may be some pressure to simply go ahead with this rather than following the correct procedure. 

Retail stores need to understand the interconnected nature of cybercrime and in-person crime. With the rise in cashless retail and a surge in online sales (which has seen an unprecedented rise in recent years), retailers’ IT security has had to keep in step and reposition itself with the evolution of consumers’ buying habits. This increased awareness has been reinforced by the UK Government’s measures to support security technology within the retail industry.

While retail stores are more vulnerable than ever to cybercrime, there is much that businesses can do to mitigate risk. Perhaps the most important factor is providing staff training to ensure that everyone understands their role in preventing cybercrime. 

