Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Holidays Bring Increased Cyber Threats to Retailers


Quick Take

In this episode of Compliance Unfiltered, The CU Guys dive into the challenges and strategies for retailers as they gear up for the holiday season.

With cyber threats on the rise, particularly AI-driven attacks, the duo discusses the importance of proactive measures, employee training, and maintaining PCI compliance. They also explore the impact of seasonal hiring and the need for vigilance in protecting sensitive data.

Tune in to learn how retailers can navigate the bustling holiday period while safeguarding their operations.


So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process.

Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the fresh fruit to your compliance cornucopia, Mr. Adam Goslin. How the heck are you, sir? 

I am doing just great today, Todd. How about you? 

I can’t complain, sir. I truly can’t.

I can’t believe it though, man. We are just a couple of weeks away from Thanksgiving, which means it’s one slippery slope of peppermint mocha highway straight on down into Christmas, and that means that there is an increase in cyber threats coming especially to the retail space this year. Now, clearly this is a timely topic. Why don’t we tee it up for the folks? 

Sure thing. I’m surprised you didn’t jump on the pumpkin spice train personally, but whatever. Ignoring the obvious, I see how it is.

We’re heading to Black Friday and the holiday shopping season is starting to gear up. What’s interesting, this topic in particular I relate to, just because as a kid I spent a lot of time in the retail and retail-related arena, from my mid to late teens to early 20s type of thing. So yeah, intimately familiar with the old gearing up of the holiday timeframe, but now putting on a new hat. You look at it from a cyber perspective and one of the worst things that can happen to one of these retail stores is getting hammered with a ransomware attack that’s shutting down both e-commerce and in-store POS systems, et cetera. I mean, not only would these organizations lose their ability to sell during what ostensibly is the most critical shopping portion of the year, because for a lot of these retailers, man, they do a lot of business in the calendar Q4 type timeframe. So it would not only hit the company financially, but almost as importantly the store’s reputation would take a gigantic two by four to the eyeball.

So the financial impacts, if they’re felt, can last for numerous quarters. And hell, just go back. I love talking about the Target incident, an oldie but a goodie. Just ask Target how easy it was to navigate the waters when they went through it. So-

Wasn’t that like- Like an HVAC vendor of theirs or something? 

Yeah. Oh, God, it was a whole combination. It was that. It was a myriad of controls they weren’t taking seriously. And so, yeah, that was exciting for them.

But the things they have to worry about aren’t just shoplifting, which is always a thing in the retail space and does spike during the holidays. It’s the fact that these companies need to get prepared for increased cyber attacks that’ll put the business at risk of financial losses and reputational losses. The bad guys aren’t sitting around going, okay, it’s Black Friday, so we can go. The bad actors are already in prep for 2025. And in fact, for a lot of them, they’ll start working on that in advance so that they’re ready to rock when the most critical time and most impactful time happens and whatnot. They’ve got capabilities for increased automation. They’ve got more capability for adaptive attack patterns, things along those lines. So it’s going to get exciting for the old folks in the retail space here over the next couple of months, shall we say. 

No doubt. Now, what’s the outlook for the upcoming retail season this year? And what is the anticipated impact specifically of AI related attacks this season? 

Well, you know, the National Retail Federation is predicting retail sales for November and December, respectively, to increase by an average of 4% over 2024’s holiday shopping season. So, you know, in total, it’s more than a trillion dollars in spending in the retail space that happens during the, you know, kind of during the holiday season. So, you know, certainly, you know, for those retailers trying to keep up with the increased demand, well, they’re going to need to hire even more temporary staff than they did last year. They’ll often, you know, call them seasonal staff.

So, you know, you put a combination of more seasonal staff, more shoppers, more transactions, and that means more cyber threats. So, you know, the complicating factor for these organizations is that their most experienced employees, it’s kind of a mixed bag, depends on the organization, how they’re staffed and how they structure things, et cetera. But either your experienced people are going to be stretched unbelievably thin, or in some cases, they’ll give the experienced staff the opportunity to step away now that they’ve got this, you know, additional supplemental staff that, you know, kind of come in. So, you know, it’s going to be a mixed bag, but either way, the presence of your, you know, more experienced folks is going to either go down or be absent. And, you know, when you’ve got this kind of non-traditional skeleton crew primarily manning the store, they’re going to be far less likely to be able to even spot the signs, you know, of an attack. So, you know, there’s a couple of complicating factors there.

You know, you mentioned, you know, what’s happening in, you know, with the AI space. Well, the bad actors certainly are picking up AI capabilities to be able to, you know, better approach, automate infiltration of retailer systems. The bots have become more sophisticated, mimicking human behavior, bypassing security measures so that they can get to and access sensitive data on the internal network. You know, once they get to that point, well, they can just go ahead and, you know, scrape out all sorts of things, you know, price data, you know, off of the systems, launch credential stuffing attacks, create fake accounts, you know, and whatnot.

So, you know, they’ve got what they refer to as Grinch bots that are active during the holiday shopping season, but it’s basically, you know, attempting to access the inventory, find high-priced items that are in demand, and, you know, make purchases through fake accounts so that they can turn around and resell them, you know, the hot merchandise, if you will. So, you know, these AI-driven bot attacks, they can make changes quickly, you know, to how they’re approaching things, et cetera, be hard to detect and mitigate, you know, from the retailer’s perspective. 

So, you know, the retailers, in response, they need to prioritize their detection capabilities and remain, you know, very vigilant whenever they’re seeing this, you know, kind of suspicious behavior happening on their internal systems so that they’ve got the capability to kind of appropriately respond to those incidents. 

Well, how can organizations get more proactive regarding their protection and equip their systems better? 

Well, when it comes to that, you know, from a proactive perspective, you figure about three quarters of the retail organizations say that they’re boosting their endpoint detection and response this year when compared to 2024, you know, and that’s, you know, a vital tool in their toolbox for effective defense, but it’s not going to cover everything. You know, EDR is inherently reactive, which means that it’s only occurring after they’re already in hot water.

So, you know, when they want to look at things from a, you know, kind of holistic defense stance against these holiday cyber attacks, they need to, you know, put investment into things that are going to be proactive, things that are going to, you know, spot the attacker patterns or traffic patterns, you know, in advance of their actually becoming an issue. Which leads to the, you know, increases in protection that they need to put on the existing system.

So, you know, developing a kind of holistic bot management strategy that can both watch for and identify the malicious bot traffic, you know, on your systems, it includes several factors that the retailers need to take a look at, such as, you know, evaluating traffic and its associated risk, identifying potential entry points, blocking outdated user agents they may have on their systems, you know, limiting the use of proxies, monitoring for signs of automated activities, you know, and a lot of these capabilities are elements that the retailer is going to have to get dialed in as well. It’s not just, hey, I’m just going to go fling this on, turn it on. You know, the automated activity thing I was just talking about, like, you know, what is the level of traffic patterns that I’m seeing that should start to, you know, alert or quarantine traffic, things along those lines.

So is it, you know, so many requests within a certain amount of time, things along those lines, but there’s a balancing act, right, where you’re trying to balance out, you know, being able to mitigate the impact of automated attacks while not stifling real actual clients from being able to, you know, be able to do their thing. So, you know, you want to look as well at business logic. So, you know, these AI bots that they’re coming out with, they can be very challenging to detect. So, you know, you’ve got to, you know, enforce strict user validation processes, monitoring for the anomalies and unusual activities, and then also coupling that with looking at your existing business processes just on a regular basis so that you can, one, discover pitfalls that may come into play, two, so that you can kind of adjust, you know, the various data flows that you expect through the system and use that to be able to feed back into, you know, some of your automation systems for, you know, for the detection. 

It’s a real balancing act for these organizations, and it’s made extremely difficult by the fact that they’ve got an astronomical amount of throughput, volume, and traffic that happens in a relatively short period of time. 

No doubt. Now, what are some pointers, I guess, for seasonal hiring and training? 

Well, that’s part of the fun, right? God, I always remember one, when I was the noob, right? That was the seasonal help type of a thing. And then I transitioned from that, I got on the floor and then I got to see it from a different perspective, right? It was always entertaining getting the new group of people in to help out with the holidays and whatnot.

But you know, when you’re talking about record-setting holiday spending, the number of temporary workers that these retailers are going to need to bring in is going to, number one, escalate in number, but also mean that they need to bring these folks on more efficiently as well, just because they have a lot more to do in the same amount of time. So, you know, in the mad rush to go get these newbies trained and on the floor, it can become easy to gloss over things like due diligence and unknowingly bring bad actors into the mix. And the bad actors are kind of counting on that as well. So, that holiday season, it’s a real prime opportunity for threat actors looking for physical access to sensitive data, whether it’s the POS system, the manager’s office, employee lockers, you know, et cetera, you know, those all become, you know, inherent risks as well. You know, it’s really important and I can’t emphasize it enough, for the retailers to do their due diligence, do thorough background checks on everybody that you’re bringing in. You know, sure, it may slow down the hiring process, but honestly, with the capabilities that we have today, not that much, you know, you can get through that relatively quickly, but that way you’re able to identify, you know, red flags that are, you know, in the backgrounds of, you know, these folks and make sensible decisions for your organization. But, you know, making a decision not to hire somebody with a checkered past, that could be the thing that saves the company millions of dollars, you know, in cleanup costs after a really public data breach, you know, not to mention, you know, any of the lost revenue from headlines and things along those lines.

So it’s definitely an area that the retailers need to keep an eyeball on. You know, when it comes to the employee training side of that coin, you know, if the holiday training is just some, you know, regurgitated version of your, you know, prior year training sessions, then, you know, it’s either already stale or it’s going to become stale very quickly, you know, type of a thing. And you’re not going to have the personnel prepared for protecting the company’s sensitive data and financial transactions, you know, while, yeah, the same holiday scams that were in place in 2024 and 2023 and 2022 and years before, you know, are going to surface again. You know, you also need to put an eyeball toward, you know, kind of education for your folks about the latest on what’s going on, you know, with cyber threats within retail stores, etc. You know, and don’t limit that training to just the store employees. 

You know, you think about it, everybody in the organization needs to, you know, kind of step up that level of training. So, the corporate staff, your IT personnel, your online customer service, compliance teams, and don’t forget, a lot of these retail, you know, organizations use vendors to assist with certain things.

So, if they have a vendor that’s doing the online, you know, responding to online customer service inquiries, etc., don’t forget about them. You want, you know, across the board, anybody that’s involved in the organization and assisting in its protection, you want those people to be, you know, to be up to snuff and make sure that you extend that out to the, you know, to the vendors that you use to create the overall interaction with your, with your customers. 

Well, let’s talk a little bit about store vigilance and cyber tool investments for retailers. 

Sure. So, you know, the in-store vigilance of the folks, right, that’s critical. There are always new threats to monitor. But, you know, like I said, the same old, same old is going to be happening, you know, even in ’25, as it was in prior years, so things like, you know, your POS, POI devices, you know, making sure that you’re doing, you know, device inspections. Generally speaking, the requirement is to do those once a day, you know, once a day, once a week, whatever your normal process is for doing those device inspections. But, I mean, honestly, I would strongly encourage the retailers. I mean, you’ve got different shifts of people that are coming in within a day. Maybe what you do is you just make the process such that with every new shift that’s coming in or three times a day or whatever, you’re taking a look at the devices and whatnot. But, you know, one thing I really encourage the retailers to do is, you know, acquire examples of, you know, specifically their devices and ways that bad guys have attempted to use skimming devices and whatnot, you know, on those systems, you know, get them used to being able to spot the, you know, the differences. Because that way, when you’ve got somebody literally working at the register, you know, they may spot it faster, you know, if they got their eyeball open for it, you know. I see somebody fiddle-fuddling around with the, you know, with the card terminal, you know, et cetera. I happen to notice that out of the, you know, side of my vision or whatever, you know, now I know to go take a closer look at it, you know, real quick before the next person comes up. You know, these people are definitely part of the, you know, part of the solution. 

But, you know, it’s difficult with just the volume of what’s going on to keep your eyeball on all of these various things that, you know, the on-floor staff should and are capable of being able to pay attention to. So, you know, I would recommend, you know, that general increase of that in-store vigilance as well.

The managers in the retail space, I mean, they need to be constantly reminding their people, encouraging people to speak up, you know, the expression, if they see something, say something, you know. It’s definitely an opportunity for the, you know, frontline personnel to be, and we need them to be, part of the solution. Everybody, managers, frontline personnel, corporate, IT, everybody’s trying to just protect the freaking company. So, you know, let’s go ahead and give it our best, you know, our best shot. You know, the modern cybersecurity tool investment, you know, recent reports are showing that, you know, more than half of the retail security teams are in the process of having some form of AI integration, typically in the detection capabilities through their cyber tooling, you know, and whatnot. 

But the interesting part is that about 24% or one in four of these retailers say that they still haven’t replaced their outdated security tools. So, you know, as an organization, I mean, us sitting here where we’re at in the year, probably a little bit too late if you haven’t already, you know, gone to, you know, gone to take a gander at the outdated security tools at this point, because a lot of these retailers will go into lockdown, you know, from, you know, November, you know, November timeframe through, you know, mid to late January, just because they don’t want any possibility of system, you know, systematic impacts to their closed loop systems.

But without those right tools, you’re not going to be able to defend the organization from, you know, the continuous evolution of the cyber test by the bad guys. So, you know, I mean, as an organization in the retail space, certainly that investment in the tooling, I would make it an abject policy to go in, do at least an annual review of the tech stack. Probably a good timeframe would be, I don’t know, let’s call it the March, April timeframe, you know, maybe that’s the right, you know, the right time of the year to, you know, go ahead and do that reevaluation, because if you do come up with modifications that you need to make, now you can go ahead and start getting those, you know, rolled out, you know, through the summer timeframe to allow them to get configured, dialed in, seasoned, you know, and finalize those systems in advance of your next, you know, busy season. 

We’d be remiss, Adam, if we didn’t discuss the implications of PCI DSS for the retailers during this busy season. 

Yes, this is a very, very true statement. I am a huge fan of the retailers being and remaining fanatical about their PCI compliance. As an organization, because you’re doing so much with credit cards, you’re required to comply with the PCI DSS, but there’s a difference between we’ve hit the bare minimum versus taking that responsibility seriously, taking advantage of the various controls that PCI brings to the table in an overall structured approach to protection of the organization. The more seriously you take this, the better equipped you’ll be to protect your business from cyber attacks and other security threats.

I’ve seen a lot of organizations over the years that have this bare minimum check-the-box mentality when it comes to compliance, including PCI. And honestly, they’re the ones that typically end up with their names in lights with an inappropriate headline that they didn’t really want in the first place, but it’s their own fault for half-assing it. So don’t cut corners when it comes to your PCI. Make sure that your assessors are holding you to account, putting you through the gauntlet, holding a high bar and high standard. Expect that from your internal personnel. You don’t want to be the organization that’s checking boxes. Just because you possess antivirus software doesn’t mean that you’re fulfilling your AV responsibilities under PCI. So in that retail environment especially, PCI can be astoundingly complicated. You’ve got corporate HQ. You may have a multitude of facilities and styles of locations where things are being hosted. You certainly have a large-scale presence of physical in-person stores. You’ve got at least one e-commerce platform, probably a multitude. So there is a ton of complication when it comes to the management of your compliance and especially for retailers, leveraging a high-end compliance management system that can handle all of those various circumstances, things like gathering up evidence and data from in-person physical locations from the retail stores’ perspective and leveraging either a totality approach internally would be my recommendation.

So collect up evidence to the internal audit team from every location you’ve got. Make that part of your process. And then when it comes to the assessor, they’re probably going to use a sampling methodology to get kind of an overall view of your organization. That way you’re 1,000 percent prepared, ready to roll and whatnot. But I like that approach because it means that you’ve got all of the personnel with their head in the right spot. You want to be able to protect your organization during this holiday season, but in the same sense, leveraging the capabilities, the high-end capabilities of a strong tool like TCT Portal gives you that ability to be able to have your team with the bandwidth needed to be able to navigate the holidays without crushing themselves under the weight of the overall compliance engagement. 

Parting shots and thoughts for the folks this week, Adam. 

Well, you know, if you can’t tell, I’ve lived and breathed the retail space from a number of perspectives. I know how absolutely nuts and insane it gets from the kind of November to January timeframe. If you haven’t personally experienced it, it is a wild ride. I always encourage folks, be patient with the poor folks that are frontline. There’s a lot of, we’ll call it elevated emotions and frustration and things along those lines, but you know, just remember they’re trying to do their thing and they’re trying to help you out.

Get, you know, take a deep breath and navigate your holidays. But now for the retailers that are out there, I mean, just take this stuff seriously, button up your programs, do those, you know, kind of annual validations and checks, and I can’t underscore enough how much of an offload and how much of a relief it is when you use the right technology for the right solution, both day by day to help protect the organization, but also for your overall compliance program. That’s a really, really awesome marriage that will save a lot of brain cells for your team. 

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.
