Imagine turning on your smartphone and finding that you have been completely locked out by a stranger demanding payment: a cybercriminal. If you have ever lost access to your phone for other reasons, you know the frustration of not being able to get to your contacts, emails, calendar or any other communication convenience. Now imagine this frustration applied to your entire retail operation, blocking all transactions and disrupting your connection to the customer. This is what ransomware can do to your enterprise.
The persistent need for transactions within retail makes it a highly targeted industry. Everyone is painfully aware of the Target breach and the various data breaches at multiple retailers that followed. On the periphery are smaller POS skimmer attacks at specific stores, as well as the ever-present mass proliferation of online product counterfeiting, knockoffs and diversion. However, something much worse is coming: the power to completely stop your business for hours, even days.
Individual Internet users were the original targets for ransomware, but the criminal industry has turned its focus to entities with more cash flow and time-sensitive transaction needs. Businesses have continued, with annoyance and difficulty, through other types of cyber-threats. Credit cards are replaced and hardware is cleaned. Often, the only indication your customer has of any retail security threat is when a data breach is reported in the mainstream media. Ransomware is very different.
The scheme behind ransomware is basic but effective. Ransomware, whether on a single device or across a whole enterprise, is malicious software that encrypts stored data, including software, rendering the technology basically inaccessible to the user. The attacker presents the victim with instructions to pay a ransom, usually in a virtual currency like Bitcoin that is difficult to trace. Picture your logon screen replaced with another logon screen controlled by some remote criminal. Sometimes the encryption can be defeated with decryption tools, but there may be better solutions, discussed below.
Ransomware In The Enterprise
This threat is about shutting down your enterprise until the ransom is paid. Ransomware has already been successfully used against dozens of major hospitals, busy hotels, and even a San Francisco transportation authority. These enterprises lost control of their operational systems. The “damage” in these attacks is not being able to access your data or process to serve clients. Your relationship with the customer is broken along with your transaction-based income. Consider it a total loss of productivity until the system is restored.
Think about what you have built over the last decade. Your retail operation is a quality, consumer-driven platform. Whether the customer is in-store, on their phone or on their laptop, they can get to the products they know and trust. The bumps in web-carts and online transactions have all been long smoothed over. Even through partner channels, your customers can easily get to you and execute transactions with very little effort.
This value and trust took time to build. It is the value and trust that will be used as leverage against you. Instead of your data and literal money being seized, it is your relationship with the customer that is actually held for ransom. Not only will transactions be blocked, but all the market research and advertising dollars will be wasted.
Address The Problem Now, Not After
How much would your operation lose if it were down for eight hours? How much would it lose in 24 hours? The simple answer is significantly more than the attackers will ask for. Victims of ransomware may be shocked at how little is actually demanded. The criminals have researched your company and know your pain points as well as, and maybe even better than, you do. Ransomware operators actually make the choice very easy. If your store makes a daily average of $500K and the attacker wants $10,000, it will usually be paid. Once paid, the criminals will unlock your computers and your operation will return to normal. Not unlocking after payment would be bad for the criminal business model.
The holiday season is often seen as a period of high risk for security, but attacks appearing during the holidays have been months in the planning. The time to think about security is all the time, because ransomware may already be awaiting activation. This is why solutions need to be deployed to the endpoints and not just the enterprise. Security teams need to look at all devices on their network and add local protection. Cybereason has developed and released a free ransomware prevention tool for Windows. This type of measure should be applied to reduce the spread and activation of ransomware. Start thinking about the whole enterprise as a collection of potential threats.
Understand and then discuss the cycle of this attack with your staff. Simply knowing that “ransomware” is out there is not enough. Thoughtful executives need to understand why it is different from a data breach or transaction skimming. This is an opportunity to create a culture of security within your organization, one that fosters information sharing, initiative and proactive security. When banks started going online in the 1990s, the criminals were ready with a number of attacks. Banks were slow to respond, but have significantly hardened their environments following various breaches. Retail can avoid mistakes made in the past by other industries and protect itself now.
Finally, let your customers know that protecting them is your priority. Your relationship to the consumer is everything; it is worth making them a virtual partner in your efforts.
Criminals are going to target your retail operation with more sophisticated attacks; this is a certainty. Executives should be aware of the threat and how they can work with their various teams to prepare for the inevitability of ransomware. The constant onslaught of critical management decisions does not always leave time for strategic planning around digital enterprise security. This is a fact that innovative organized crime entities are counting on — that you are too busy to think about ransomware.
Israel Barak is Chief Information Security Officer (CISO) of Cybereason. He has nearly two decades of cybersecurity experience, including spending nine years in the Israel Defense Forces where he specialized in developing cyberdefense systems. Previously, Barak co-founded two cybersecurity companies, Q.rity, an Israeli company that was acquired by CITI Venture Capital International, and Sentrix.