What’s the Story?
Despite the advent of advanced cybersecurity tools, major security breaches continue. Hackers are now attacking data stored in the cloud as well as providers of Internet and cybersecurity tools. Retailers are a particularly attractive target for hackers as they possess customer and payment data, and point-of-sale (POS) terminals represent another connected device that can be attacked. The recent move of many employees accessing corporate networks from home creates opportunities for weaknesses in home networks and hardware to turn into security breaches.
In this report, we discuss recent developments in the cybersecurity space and provide an overview of the types of hacking and strategies for defense.
Why It Matters
The total global cost of cybercrime and spending on cybersecurity exceeded $1 trillion in 2020, according to a report published by McAfee and the Center for Strategic and International Studies. The combination of high rewards and low risk, together with the decentralized structure, low cost and anonymity of the Internet, presents low entry barriers for many types of cybercriminals.
Retailers need to do everything within their power to keep customer and payment data secure to protect their reputations so that consumers feel safe shopping with them. This has become even more urgent since the outbreak of Covid-19, as e-commerce penetration has stepped up to a higher level and many workers are accessing corporate networks from home. Retailers have historically been the victims of several notable data breaches and want to do everything possible to prevent damage to their reputations.
Cybersecurity and Retail: In Detail
During 2020, there was an increase in IT supply chain-related security breaches, which is a huge concern for retailers—and the migration to cloud computing creates additional risk. Several leading technology companies and innovators offer cybersecurity solutions, and growing venture funding indicates that many future leaders are set to emerge in the market.
How Can Retailers and Other Enterprises Boost Cybersecurity?
The simplest, most effective cybersecurity defenses largely remain network hygiene—i.e., keeping software up to date—and confining users’ access within appropriate sections of the network. Given the dramatic increase in phishing attacks, training employees to increase their skepticism of correct-seeming e-mails can also reduce the number of threats to the network.
Many incursions are the result of human error or negligence, such as not keeping software and patches up to date to address known vulnerabilities. Cloud computing offers a likely solution to this, as the software is updated frequently and automatically during the year, so clients will always have the latest version.
Since many breaches result from an intruder gaining full access to, and privileges within, a network, measures to control and limit access are compelling. For example, the principle of least privilege (where every module accesses only the resources necessary for its purpose) makes sense.
There are several technologies that help confirm a user’s identity on the network:
- USB drives or dongles that contain security tokens that physically confirm the user’s identity. Google has virtually eliminated phishing attacks since 2017, following the deployment of physical security keys.
- Zero-trust networks do not assume that networked devices such as laptops should be trusted by default; rather, they use mutual authentication to test the integrity of these devices, even if they are connected inside the company’s own network.
- Artificial intelligence (AI)-based solutions that monitor a user’s behavior in the network and compare this behavior to a baseline.
There are several technologies such as tokenization and Secure Remote Commerce that free retailers from the burden of keeping customer payment information secure by never entrusting it to them in the first place. For example, Apple Pay generates a token (essentially a long number) that replaces the user’s credit-card information when making a purchase, and consumers that make purchases via PayPal have login credentials, eliminating the need to enter credit-card information for every purchase. Cryptocurrencies could represent a safer means of payment, since they are based on blockchain technology, which is built on an encryption layer.
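As an added illustration of the tokenization idea above (a constructed model, not Apple Pay’s, PayPal’s or any card network’s real implementation), the following Python shows why a merchant that stores only tokens has nothing card-related to lose in a breach: the vault keeps the card number, issues a random token bound to one merchant, and authorizes charges by token. The vault and merchant classes, the Luhn helper and the test card number are assumptions for this example.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check: catches typos before a card number ever reaches the vault."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service provider. Only it ever holds the PAN."""

    def __init__(self):
        self._entries = {}      # token -> (pan, merchant_id)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # Random token: it carries no information about the PAN, so it
        # cannot be reversed without access to the vault itself.
        token = secrets.token_hex(16)
        self._entries[token] = (pan, merchant_id)
        return token

    def authorize(self, token: str, merchant_id: str, amount_cents: int) -> bool:
        entry = self._entries.get(token)
        # Token is bound to the merchant that requested it, so a token copied
        # from one merchant's database is useless at another merchant.
        if entry is None or entry[1] != merchant_id or amount_cents <= 0:
            return False
        # A real vault would forward the PAN to the issuer here; this model
        # simply approves a well-formed request.
        return True


class Merchant:
    """Retailer that keeps only the token and the last four digits on file."""

    def __init__(self, merchant_id: str, vault: TokenVault):
        self.merchant_id = merchant_id
        self.vault = vault
        self.records = []       # what an attacker would get from a breach

    def store_card(self, pan: str) -> str:
        token = self.vault.tokenize(pan, self.merchant_id)
        self.records.append({"token": token, "last4": pan[-4:]})
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        return self.vault.authorize(token, self.merchant_id, amount_cents)


def breach_exposes_pan(merchant: Merchant, pan: str) -> bool:
    """Simulate a dump of the merchant database: does any record contain the PAN?"""
    return any(pan in str(value) for rec in merchant.records for value in rec.values())
```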
Because AI excels at identifying unseen relationships among data, AI-driven cybersecurity tools are able to identify malware that has not yet been released in public. Hackers typically test new malware variants against existing detection software, which is only able to detect previously identified malware.
Point-of-sale (POS) terminals represent a specific area of risk for retailers: The computerized devices connect directly to retailers’ data networks, managing payment and customer information. Following successful network incursions through POS terminals, retailers are increasingly recognizing the importance of protecting themselves against attacks through this channel, and there are innovators that specialize in shoring up their defenses. Retailers should ensure real-time visibility into POS operations and can protect themselves against the risk of attack by locking down the systems and including them in overall security solutions.
Security Breaches Remain at a High Level
The number of annual data security breaches remains at a high level, with millions of individuals affected, as shown in Figure 1. Since 2015, the average number of annual compromises in the US is more than 1,300, and the number of individuals affected each year averages over 1.6 billion. The decrease in the number of individuals impacted reflects the shift in breaches towards enterprises and technology supply chain companies rather than consumers.
Figure 1. Number of US Data Breaches and Exposures (Left Axis) and Individuals Affected (Mil.; Right Axis)
Source: Identity Theft Resource Center 2021
Looking at the root causes of compromises in 2020, e-mail/phishing was the number-one cause, followed by remote-access attacks. The dominance of this category reflects hackers’ success in gaining entry to networks through targeted individuals, rather than other means.
Figure 2. Percentage of Claims by Attack Technique
Source: helpnetsecurity.com
Particularly troubling for retailers (and consumers) is that the number of attacks on the technology supply chain (i.e., on technology providers) increased sharply during the first nine months of 2020, as consumers sheltered at home and purchased more goods online. The number of attacks at the end of 2020 likely reflects technology providers reviewing and tightening up their own cybersecurity defenses.
Figure 3. Number of Individuals or Systems Affected by Third-Party/Supply Chain Compromises, 2020
Source: Identity Theft Resource Center 2021
Quantum computing could present a new, serious risk to retailers and consumers. Quantum computers perform certain types of calculations at orders of magnitude higher speed, and may be able to break a 2,084-bit RSA encryption code within eight hours, based on work performed by Google and the KTH Royal Institute of Technology in Sweden. Future commerce could require quantum computing-fueled encryption and decryption engines.
Cyberattacks
The number and types of cyberattacks continue to evolve, as technology and computing power advance alongside the growing migration to cloud computing and the large number of employees accessing their corporate networks while working from home.
Types of cyberattacks and vulnerabilities include the following:
- Malware—Including bots, Trojan horses, viruses and worms
- Spam—Unwanted and irrelevant e-mail
- Botnets—A large number of infected, controlled computers
- Distributed denial of service (DDoS)—A botnet attempting to overload a server with superfluous requests
- Ransomware—Malware that takes over a user’s computer in an attempt to extort payment
- Privilege escalation—Exploiting a bug or weakness to gain unauthorized resources or access
- Exploits—Using a command, methodology or routine to take advantage of security vulnerabilities
- Backdoors—Secret, undocumented ways of accessing a system
- Bad passwords—Using words available in standard dictionaries, which are easily guessable
- Hacktivism/vigilantism/cyber-dissidents/cyber-shaming—Hacking to promote a political or social goal
Hacking into computer networks has expanded beyond the hobby of college students and now is the playground of professional criminals and state-sponsored actors.
There are also several types of hackers wearing different colored hats, including black hat (bad actors), white hat (ethical hackers), gray hat (ambiguous aims), green hat (hackers in training), red hat (vigilantes) and blue hat (inexperienced, clumsy hackers).
State-sponsored hacking, particularly from nondemocratic states, includes the use of cyberwarfare to achieve economic and foreign-policy objectives. State-sponsored hackers are believed to be responsible for the recent SolarWinds hacking (which we discuss in the next section). In 2020, less-sophisticated municipal governments were frequent targets of ransomware attacks. In another vein, code from hacking tools developed by the US National Security Agency was leaked to the Internet in 2017 and has resurfaced in tools used by other countries, according to a recent analysis by Check Point Software.
Advances in computing technology create new entry points for hackers. The Internet of Things (IoT) promises billions of things connected to the Internet—Cisco projected nearly 25 billion connected things in 2021—each of which presents a potential entry point for hackers. The proliferation of smartphones and other mobile devices offers an enormous number of entry points for hackers, with market researcher TrendForce projecting more than 1.3 billion smartphones to be produced in 2021. Other potential security risks include public Wi-Fi networks, cloud computing networks and portable USB drives, which can contain code that executes automatically upon insertion of the device.
Working from home presents additional opportunities for cyberattacks. Many home networking and security devices, such as Internet routers and webcams, contain software that is not updated or cannot be updated. With many people working from home, these devices are commingled with corporate devices on the same Wi-Fi networks and can be used as platforms to launch attacks. There are devices that segment home networks to ensure the security of corporate devices.
The components of an attack include the following:
- Infection—The attacker enters and gains control of the host
- Persistence—The malware remains within the network until activated
- Communication—The malware establishes a communication channel with the attacker
- Command and Control—The attack is controlled, managed and updated over time
Selected Recent Security Breaches
Accellion
On February 19, 2021, Kroger disclosed that it was impacted by the incident affecting Accellion, which offers file-transfer software, in which an unauthorized person gained access to certain files by exploiting a vulnerability in that software. Kroger stressed that the event did not impact its IT systems, and the retailer believes that fewer than 1% of its customers had been impacted, primarily customers of Kroger Health and Money Services. Some HR records of current and former associates had also been impacted. The company notified customers of its pharmacy and Little Clinic that names and personal information had been accessed.
Microsoft Exchange Server
Following Microsoft’s March 2, 2021 release of a security update patching versions of Exchange Server spanning 2013–2019, hackers stepped up their attacks on unpatched servers. A breach of the Microsoft Exchange Server e-mail software was recently discovered, affecting at least 30,000 organizations in the US, including businesses and local and city governments. The culprit is suspected to be a state-sponsored hacking group.
SolarWinds
Network management software vendor SolarWinds’ IT management software was compromised and used in hacking events orchestrated by two different nations.
SolarWinds’ Orion is a platform that enables administrators to monitor an entire IT network in a single view, including on-premises, hybrid and software-as-a-service (SaaS) environments. The most recent attack was attributed to foreign hackers: In March 2020, malicious code was inserted into an Orion update that was installed by 18,000 SolarWinds customers, including Microsoft and several US government agencies (including Homeland Security, State and Commerce, in addition to the National Institutes of Health). Microsoft said that the malware gave hackers broad access inside affected systems, and the company identified 40 customers that had been targeted. Other afflicted networking and security technology companies include Cisco, Intel and FireEye.
SolarWinds software was also used to breach a payroll system within the US Department of Agriculture in 2020, which was attributed to hackers from a different nation than the most recent breach.
SolarWinds has since reported that these vulnerabilities have been patched.
Other Breaches
Well-publicized security breaches in retail include Home Depot in 2014 (including data on 56 million credit-card accounts), Target in 2013 (including payment data on 40 million accounts) and The TJX Companies in 2007 (including data on 46.5 million payment cards). Other companies that have suffered security breaches include Adidas, Hudson’s Bay (Lord & Taylor and Saks Fifth Avenue), Kay Jewelers, Macy’s, Marriott Hotels, Poshmark and the MyFitnessPal app, among others.
With many enterprises moving their IT operations to the cloud, security in the cloud has become of paramount importance, and there have been several cloud-based security breaches, including the following notable examples:
- In late 2020, a security lapse by Prestige Software, provider of hotel management and reservation software, led to the exposure of more than 10 million files containing data from travel providers Booking.com, Expedia and Hotels.com.
- In mid-2019, a cloud misconfiguration enabled a hacker to access data from Capital One regarding more than 100 million people in the US and Canada, which led to the arrest of a former Amazon Web Services engineer.
Market Landscape
The global cybersecurity market is forecast to grow to more than $60 billion in 2020, a 10% increase from the prior year, according to research firm Canalys. A broader market view of information-security spending puts total spending at twice this figure. Following several successful cyberattacks, the US government is a healthy spender on cybersecurity, planning to spend $18 billion in fiscal 2021, ending September 2021.
The cybersecurity industry includes a mix of established companies and innovators. We offer examples of leading global players in each group below.
Established Companies
- Check Point—The company offers a consolidated cybersecurity solution across cloud, networks, endpoints, mobile and IoT, as well as a 24/7 incident response team.
- Cisco—Solutions include secure access service edge (SASE), cross-layered detection (XDR), and zero trust, based on the SecureX security platform.
- CrowdStrike—The Falcon platform leverages cloud-scale AI and offers real-time protection and visibility, preventing attacks on endpoints and workloads on or off the network.
- Fortinet—The company provides security fabric architecture for large enterprises, service providers and government organizations in the networked, application, cloud and mobile environments.
- IBM—Offerings include security platforms, data-security products, and identity- and access-management products and services.
- McAfee—Positioned as a device-to-cloud cybersecurity company, McAfee offers solutions for consumers and businesses.
- Microsoft—Security is built into the Azure cloud platform and the 365 suite of office apps.
- Palo Alto Networks—The company claims to be the global cybersecurity leader, offering technology for a cloud-centric future.
- RSA—RSA provides solutions to detect and respond to advanced attacks, manage user access and reduce operational risk, fraud and cybercrime.
- Trend Micro—The company offers solutions for businesses, governments and consumers across cloud workloads, endpoints, email, IIoT (industrial IoT) and networks.
Innovators
More than 3,900 cybersecurity companies have been founded during the past 15 years, according to financial data company Pitchbook. Selected cybersecurity companies include the following:
- Cato Networks—The company’s SASE platform converges software-defined wide-area networking, network security and zero-trust network access into a global, cloud-native service.
- Cybereason—The company’s platform combines detection and response, next-generation antivirus and proactive threat hunting for analysis of every element of a malicious operation.
- Darktrace—The company offers a self-learning AI-based technology that autonomously detects, investigates and responds to advanced cyber threats, including insider threat, remote working risks, ransomware, data loss and supply chain vulnerabilities.
- Illumio—Products operate on the principle of least privilege to provide visibility and segmentation for endpoints, data centers or clouds.
- OneTrust—OneTrust offers privacy, security and governance programs for compliance with GDPR and other global privacy and security laws.
- SentinelOne—The company focuses on endpoint security with a platform that combines behavioral-based detection, advanced mitigation and forensics in real time.
There are likely to be a number of innovators emerging in the cybersecurity market in the near future, based on steady increases in VC (venture capital) funding for cybersecurity startups. Funding totaled $11.4 billion in 2020, up 16% from the prior year, according to private equity and market intelligence company CB Insights, with the increase fueled by a higher number of mega-rounds of over $100 million.
Figure 4. VC Cybersecurity Funding (USD Bil., Left Axis) and Number of Mega-Rounds (Right Axis)
Source: CB Insights
What We Think
Defending customer and payment data is becoming ever-more urgent, as bad actors continue to step up their game, most recently attacking the providers of software tools. Moreover, many of these actors represent state-sponsored or organized crime groups. Fortunately, there is an industry of innovators developing tools to thwart bad actors, fueled by technologies such as AI.
Implications for Brands/Retailers
- Brands and retailers need to stay current on the latest tools and techniques for protecting their networks and data.
- Technologies such as tokenization enable the encryption and storage of payment information in a secure location outside the retailer.
- The retailer’s reputation as a safe place to shop depends on maintaining data security.
Implications for Real Estate Firms
- Real-estate firms have their own data on their tenants, which also needs to be protected.
- Real-estate firms also possess data on their retailer tenants, which likewise needs to be protected to maintain the retailers’ reputations.
Implications for Technology Vendors
- Technology vendors have received recent wakeup calls that their tools are now the target of security breaches and need to step up their defenses.
- There is a robust sector of innovators providing cybersecurity tools for enterprises.
- Technologies such as AI, which excel in finding unseen relationships among data, are strong in identifying behaviors and patterns that do not match historical data.
- Quantum computing is an emerging field that is likely to have massive implications for encryption and commerce.