Retail and hospitality organizations now find themselves in the cybersecurity line of fire. According to Tech Business News, retail is the third-most targeted industry, ahead of both educational institutions and energy companies.
According to the 2022 Verizon Data Breach Investigation Report Analysis, Retail & Hospitality Industry Insights, 95% of attacks were financially motivated, and 88% were executed by external actors.
This uptick in attack volumes is partly tied to the potential value of data held by retail and hospitality organizations. For retail companies, this data may include customer financial information or intellectual property (IP) related to new products or services that bad actors can sell for a profit. Similarly, hotels run the risk of guests' personal or financial data being stolen and sold on Dark Web marketplaces.
Successful attacks are also linked to risk management challenges, both in first-party data and third-party access. Without effective strategies to monitor and manage the risks, retail and hospitality brands can find themselves struggling to safeguard digital assets, especially as services and solutions move to cloud and mobile environments.
Here, we look at some of the retail and hospitality industries' current risk management challenges and what steps companies can take to manage their risk more effectively.
Current Challenges in Retail and Hospitality Risk Management
According to the Verizon report, there are three primary data types targeted by cybercriminals in retail and hospitality attacks: User credentials, personally identifiable information (PII), and payment data.
All three pose problems if accessed or stolen. For example, compromised credentials could allow attackers to access critical systems without setting off security alerts, while stolen PII or payment data could put customers at risk. Given that just 20% of US customers would buy from a company they don't trust, businesses can't afford to lose control of customer data.
First-Party Data Management: Keep it Secret, Keep it Safe
First-party data is collected by retail and hospitality companies; how it is stored and managed varies by brand– no one size fits all. For example, some hotels might use a proprietary in-house reservation system to handle the data collection necessary for bookings and reservation changes, while other organizations contract a third party to process and manage their data. Similarly, a retail store might opt for in-house servers to store consumers' PII, such as their credit card data, while others bring on a data management vendor. And, of course, there’s always a hybrid data management option, combining in-house capabilities with outsourced services. In this scenario, the retailer/hospitality organization may handle certain aspects of data management in-house, such as data collection and basic analysis, while outsourcing more complex tasks like advanced analytics, predictive modeling, or data security.
Regardless of how you tackle data management, the bottom line is that your data is a valuable target for attackers. If cybercriminals can access retail or hospitality networks — through brute force, social engineering, vulnerability exploitation, or via a third party — they can encrypt, steal or destroy critical data.
Consider data from the Sophos State of Ransomware in Retail 2022 report, which found a 75% increase in the rate of ransomware attacks year-over-year. Just 28% of companies said they were able to stop these attacks before data was encrypted, and 49% said they paid the ransom to get their data back. In many cases, however, even giving in to attacker demands didn't solve the problem — the average amount of data restored after payment was only 62%.
Add in the reputation damage that comes with a publicly-disclosed data breach, and companies can't afford to let first-party data fall into the hands of malicious actors. The consequences of these breaches are highlighted by hospitality companies such as Marriott. In 2014, more than 340 million guest records were compromised, but the attack went undetected until 2018 and led to regulatory fines. The company was breached again in January 2020 and yet again in January 2022, with hackers claiming they stole more than 20 gigabytes of data that included guests' credit card information.
As noted by Cybersecurity Dive, the ongoing breaches show a pattern of "human error." And while it's impossible to completely eliminate the risk posed by humans, ongoing issues can potentially undermine consumer trust.
Third-Party Risk Management: Swing and a Miss
Hospitality and retail organizations use a host of third-party solutions to streamline business operations. For example, retail companies may deploy third-party point-of-sale (POS) systems to complete transactions anywhere and anytime. Hospitality organizations often implement property management systems (PMS) to handle reservations, maintenance, and cleaning operations.
If these solutions are compromised, companies can suffer revenue and reputational damage.
According to research firm Gartner, many companies are experiencing third-party "misses" when it comes to mitigating third-party risks. These misses are defined as third-party risk incidents that result in at least one negative outcome, including disrupted operations, adverse financial impacts, increased regulatory scrutiny, adverse reputational impact, and action taken by regulatory bodies. The data shows that 84% of these misses disrupted operations, while adverse financial impacts and increased regulatory scrutiny came in at 66% and 60%, respectively.
84% of third-party risk management 'misses' disrupted business operations.
And the risks of these misses are only growing. Consider that 60% of all retail security incidents come from third-party services or solutions. One example for retail businesses is supply chain risk, especially if production or logistics is outsourced to a third-party provider– if that supplier is breached, you may not receive goods until the incident is contained. Additionally, for a third party to fulfill its obligation to produce or deliver goods requires some level of information about product specifications, customer preferences, and/or access to your data, leaving you exposed.
If third-party security is breached, it could compromise protected data — a compromise that retail firms may not be aware of until third parties report the breach or attackers make it public. The Target breach is likely a familiar data breach example. Hackers attacked a third-party HVAC contractor who had access to Target’s non-critical network. Once inside, the threat actors moved laterally to access Target’s critical systems, which housed customer financial data.
Both retail and hospitality organizations also need to consider the risks of third-party applications. Nearly three-quarters of these apps contain security flaws, and there's a 27% chance each month that new flaws will be introduced. Given the sheer volume of applications now used by companies to manage transactions, capture customer and guest information, and perform data analytics, there's more opportunity than ever for risk to creep into the third-party equation.
Many of these security flaws and vulnerabilities go unnoticed until attackers find a way to exploit them. And even once a system has been breached, there can still be a significant delay between infiltration and detection. Again, let’s look at the Marriott data breach. Despite the massive number of records compromised, the breach itself wasn't detected until four years later. This speaks to the ability of attackers to bide their time. If they have what they want — network and data access — they're often better served to lay low and collect information than cause obvious problems.
Balancing Customer Satisfaction and Business Security
The customer- and guest-focused nature of retail and hospitality operations creates an operational paradox: While customers want streamlined service and purchase interactions, companies must be aware of potential third-party threats.
In many cases, companies aren't equipped to monitor and manage third-party risk effectively; businesses need a third-party risk management (TPRM) strategy that makes it possible to identify, analyze, and remediate risks in near real-time — without compromising the customer experience.
Accomplishing this goal requires two key components: evaluation and action. Too often, organizations either spend inordinate amounts of time trying to find the riskiest vendors in their portfolio or attempt to gather as much assessment data as possible, leaving little-to-no time for data analysis. Some may have implemented point-in-time programs such as security rating tools or custom questionnaires to gain insight into their risks. However, these approaches provide only a snapshot of risk, and the evolving nature of cyberattacks means these captured moments aren't effective in providing an accurate picture of a vendor’s risk posture. And when you don’t know where your most significant risks lie, it’s hard to take action to remediate them.
RELATED: Strategies to Reduce Your Third-Party Risks and Maximize Your TPRM Budget
Put simply, a TPRM strategy should let businesses do precisely that: Manage risk. In practice, this means deploying tools capable of identifying which third parties pose the most significant risk, applying the right level of due diligence to mitigate potential threats, and monitoring third parties over time to track changing security postures.
Hospitality and Retail: Reducing Third-Party Risk
While eliminating all risk is impossible, retail and hospitality organizations can reduce the frequency and impact of attacks with an effective TPRM strategy. By recognizing the risk management challenges associated with a sizeable third-party network and leveraging a comprehensive third-party risk management platform, companies can better identify emerging threats and take action to reduce their vulnerabilities.
Ready for a better approach to TPRM? Book a CyberGRX demo today.