New research has warned retailers are facing a major ransomware threat to their business ahead of a make-or-break holiday shopping period.
Research suggests that UK shoppers are set to halve their Christmas spending this year, forcing retailers to fight for every last penny, but Trend Micro data revealed that three-quarters (74%) of global retailers have been hit by a ransomware compromise over the past three years.
Some 88% of these had data encrypted and 79% had that information leaked online by their extorters. A further 86% said the compromise impacted operations, which 80% claimed took days or weeks to recover from.
“Threat actors are past masters at choosing the perfect moment to strike in order to optimise their potential ROI, so expect more targeted ransomware attacks against retailers in the run-up to Christmas,” said Bharat Mistry, technical director at Trend Micro.
“Whether it’s an operational outage or a breach of customer/employee information, a serious attack could cost retailers dear, but many don’t currently appear to have adequate protection or detection and response capabilities in place.”
Furthermore, a key problem could be visibility into threats targeting an extensive supply chain. Over half (54%) claim a supplier has been compromised by ransomware in the past, and most (54%) believe their partners make them a more attractive target.
They could be right. Over three-fifths (62%) said a “significant” proportion of the supply chain is populated by SMBs – which could be less well protected than larger firms with more resources to spend on security.
Yet despite acknowledging these risks, retailers are struggling to gain insight into their attack surface. Half or fewer respondents said they can detect key ransomware activity such as data exfiltration (50%), initial access (48%) and lateral movement (38%).
This lack of visibility may be why relatively high numbers of respondents admit to not sharing threat intelligence with partners (29%) and suppliers (43%), which could otherwise help to improve supply chain security.