Several high-profile cybersecurity incidents recently have highlighted the evolving threats to retailers and other private-sector businesses.
A casino resort company had to disable slot machines and other systems at its resorts to mitigate the effects of a cyber incident. A large household products firm reported a significant negative financial impact from a cyber incident that disabled production and fulfillment systems. And attacks exploiting a vulnerability in a commonly used file transfer tool led to dozens of cyber incidents at government agencies and in the private sector.
The cyber threat environment has only become more complex and challenging. Cybercrime groups use a variety of widely available tools, services and techniques to gain access to corporate networks to steal or ransom data.
These criminals rely on social manipulation of a company’s employees — or take other measures to spoof their identity — to gain privileged access to a company’s networks and data. And the advent of ChatGPT and other generative AI tools has made it easier for cybercriminals and fraudsters to overcome language barriers and craft plausible and convincing phishing messages.
Cybersecurity Awareness Month presents the opportunity for companies to reassess their cyber preparedness. These five questions are not a comprehensive checklist; instead, they cover several areas that may warrant additional attention by companies’ cybersecurity leaders.
Do I have a robust cybersecurity awareness program for all my employees?
Cybercrime groups and other attackers are persistent in their efforts to find weak points in companies’ security. Recent cyber incidents have involved attempts to gain access credentials from employees in administrative or customer support roles as an entry point to the company’s networks and systems.
These tactics increase the imperative for companies to invest in programs and tools to support cybersecurity awareness for all employees, including tools that send simulated phishing messages and require additional training for employees who are duped by these messages.
How recently have I inventoried critical systems and data and who has privileged access to them?
Cyber attackers frequently attempt to gain access to credentials of employees or contractors who have privileged access to corporate systems — often members of the IT team who manage critical systems and databases. If they can access these accounts or credentials, they may then be able to move laterally and access a broader set of corporate systems or accounts, including those belonging to company executives.
Companies must keep a clear inventory of who has privileged access to key systems and eliminate privilege for employees and contractors who do not need it. For those who do need privileged access, it is critical to put into place multiple levels of security, particularly with respect to validating requests for resets of passwords or other types of authentication.
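The inventory-and-eliminate step above is easier to keep current when the review itself is automated. The following Python is an added example (not code from NRF or from the article) of such a review: it joins a constructed export of privileged-group membership with each account's job role and last privileged use, and flags three conditions a reviewer would act on: privilege the role is not entitled to, privilege that has not been used within a retention window, and privilege still attached to a disabled account. The role-to-group entitlement table, the 90-day window and all account records are assumptions constructed for the example.

```python
"""Privileged-access review over a constructed inventory (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Assumed policy: each role is entitled to a fixed set of privileged groups.
# Roles absent from this table are entitled to no standing privilege.
ROLE_ENTITLEMENTS = {
    "dba": {"db-admins"},
    "sysadmin": {"domain-admins", "backup-operators"},
    "helpdesk": set(),                      # tier-1 support: no standing privilege
    "contractor-netops": {"network-admins"},
}
STALE_DAYS = 90                             # assumed unused-privilege threshold

@dataclass
class Account:
    user: str
    role: str
    groups: Set[str] = field(default_factory=set)   # privileged groups held
    last_privileged_use: Optional[date] = None       # None = never used
    active: bool = True                              # False = HR/IT disabled

Finding = Tuple[str, str, List[str]]   # (user, finding type, affected groups)

def review(accounts: List[Account], today: date) -> List[Finding]:
    """Return the privilege findings a reviewer should resolve, in account order."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.groups:
            continue                                    # nothing privileged to review
        if not a.active:
            # Disabled accounts should carry no privilege at all; report and stop.
            findings.append((a.user, "disabled-but-privileged", sorted(a.groups)))
            continue
        entitled = ROLE_ENTITLEMENTS.get(a.role, set())
        excess = a.groups - entitled
        if excess:
            findings.append((a.user, "not-entitled", sorted(excess)))
        unused = (a.last_privileged_use is None
                  or (today - a.last_privileged_use).days > STALE_DAYS)
        if unused:
            findings.append((a.user, "stale", sorted(a.groups)))
    return findings

# Constructed sample inventory, as an access-governance export might look.
SAMPLE_ACCOUNTS = [
    Account("alice", "dba", {"db-admins"}, date(2023, 10, 1)),
    Account("bob", "helpdesk", {"domain-admins"}, date(2023, 10, 10)),
    Account("carol", "sysadmin", {"domain-admins"}, date(2023, 5, 1)),
    Account("dave", "contractor-netops", {"network-admins"}, date(2023, 9, 30), active=False),
    Account("erin", "sysadmin"),                     # no privileged groups held
]
REVIEW_DATE = date(2023, 10, 15)                     # constructed "today"

def run_review() -> List[Finding]:
    """Run the review over the constructed sample."""
    return review(SAMPLE_ACCOUNTS, REVIEW_DATE)

if __name__ == "__main__":
    for user, kind, groups in run_review():
        print(f"{user:8} {kind:24} {', '.join(groups)}")
```

The review is deliberately role-driven: "does this person still need it" is answered by the entitlement table, not by asking the account holder, so a helpdesk user holding domain-admin membership is flagged regardless of how the membership was granted. In a real deployment the entitlement table and the membership export would come from the identity system, and the "stale" finding would feed a removal ticket rather than just a report.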
Are my information security and fraud prevention leaders working together?
The cybercrime group Scattered Spider and similar groups that have carried out recent attacks are blending cyberattack tactics with other types of attacks that have historically been more associated with fraud and identity theft: for example, using SIM swapping in support of efforts to gain access to a company’s systems.
This blending of tactics creates an imperative for companies to align their cybersecurity and fraud prevention teams. While some retailers have fraud prevention integrated within their cyber teams, in many cases they are located within loss prevention or other business functions. While this separation may be appropriate depending upon the risk profile of the company, there must be clear alignment and communication between cyber and fraud teams.
Retailers can learn more about this issue through participation in NRF’s Fraud Prevention Professionals Working Group, which discusses best practices for fraud prevention leaders within retail companies.
How engaged is my company leadership and board of directors in managing cyber risk?
As cyber threats become more complex, retailers and other companies are facing new regulatory requirements that put more direct responsibility for cybersecurity on senior executives and their boards of directors.
Most notable is the SEC’s cybersecurity rule for public companies, which goes into effect this December. It requires companies to disclose material cyber incidents within four days of a determination of materiality and provide details on their cybersecurity risk management and governance processes in annual reports.
The SEC rule is the first significant federal cyber regulation for many retail companies, and it increases the need for the entire leadership team — not just the chief information security officer or chief information officer — to take responsibility for the company’s cybersecurity risk management and ensure the company has effective internal governance and is providing adequate resources to counter cyber threats.
How am I collaborating with other retailers to address cyber threats?
The overall situation is challenging, but companies in the retail sector are working every day to address it. They are continuing to invest in people and technologies to augment their own cyber capabilities, but more importantly, they are working together to share information on threats and best practices on cyber risk management.
If a retail company is not already collaborating with others in the sector, they should look at opportunities to do so, both through NRF and the Retail & Hospitality Information Sharing and Analysis Center, the leading group for sharing information on cyber threats in the retail sector.
In 2014, NRF established its IT Security Council, a forum for senior-level retail cyber leaders from more than 150 companies to collaborate and benchmark activities. The council holds in-person meetings at NRF conferences and additional virtual meetings throughout the year, and NRF regularly releases white papers, conducts benchmarking surveys, and holds incident response exercises for council members.
Earlier this year, NRF formalized a partnership with the Retail & Hospitality ISAC to further unite efforts to manage cyber risks and engage with government and industry partners. The partnership is already bearing fruit, with reciprocal sessions at each other’s conferences and members of NRF and RH-ISAC who were not already members of both groups now actively participating in each other’s programs, deepening collaboration and information-sharing within the sector.
Cyber threat actors will continue to evolve their tactics and try to find new ways to break into companies’ systems. The best way to stay ahead of these threats is to be part of a broader community — and work together to address shared cyber risk management challenges.