Why is Indian retail prone to cyber threats?

India’s retail and wholesale sectors faced a 22% increase in cyberattacks in 2023. Here’s what’s making us more vulnerable

New Delhi: In April 2021, hacked customer data complete with names and contact numbers related to 18 million Domino’s Pizza orders went on sale on the dark web. The number of cyberattacks in India has increased by 15% per week on average in 2023, as per a report by cyber security firm Check Point.

The findings further revealed that the retail and wholesale sectors faced a 22% increase, indicating a change in the attacker’s focus. According to the latest Norton Cybersecurity Insights Report, Indians lose an average of Rs 20,000 when shopping online. Surprisingly, 74% of them are not aware of the next steps to be taken if they are a victim of a shopping scam.

Ransomware attackers are increasingly targeting retail businesses, causing financial losses and disrupting online shopping experiences. Cyber security software company Trend Micro in a study said that attacker surface visibility—possible points or attack vectors from where an unauthorised user can access a system and extract data—is challenging today for several reasons.

These include the lack of the right tools with organisations, opaque supply chains, the sheer size, complexity and distributed nature of modern IT environments and constant technology innovation.

The smaller the attack surface, the easier it is to protect.

What makes India prone to retail cyber threats?

Attacks on data take place due to the complexity of retail operations which include several vulnerable attacker surfaces such as the IT infrastructure, supply chain, evolving technology and payments. “One of the primary reasons is the complex web of IT infrastructure in retail,” said Kartik Shahani, country manager, Tenable India, an exposure management company.

“With many retailers regularly implementing new software as they continue to remain nimble and adaptive to customer needs, cyberattack surfaces have expanded,” added Shahani.

In addition to this, increasing adoption in the digital landscape is also what makes the entire system of data handling fragile and risk-prone.

“The industry becomes a more appealing target for cybercriminals looking to take advantage of weaknesses as it embraces digital transformation. An increased attack surface is produced by the increasing use of data-driven technologies, digital payment mechanisms, and e-commerce,” Ritesh Chopra, India Director, Norton, an antivirus and security software provider said.

E-commerce and digital businesses are more vulnerable to such attacks and this is increasing due to a surge in the adoption of digital shopping and payment modes by consumers.

“E-commerce and D2C companies are fledgling outfits with probably a lesser than optimum focus on cybersecurity (this is not to say that larger firms are any safer but with the relatively better focus on cyber security, they are a trifle better off),” said Siju Narayan, a retail industry practitioner and chief experience officer, Rexemptor Consult LLP. Narayan added that cyber attackers too are leveraging advancements in technology, which is why the quality of intrusions has only gotten better with time.

The weak links in retail cyber threats

Supply chain: An area that is vulnerable to cyber-attacks is the supply chain. Attacks here mainly arise due to the interconnections between a retailer’s network and those of its suppliers or third-party vendors. Any loopholes or lack of security measures from the supplier’s end would result in making the retailer’s network susceptible.

Dependence on multiple suppliers, third-party partners and logistic systems for different tasks makes the data handling more complex.

“Supply chain attacks offer malicious actors the opportunity to maximize their impact by infecting multiple organizations through a single supplier’s network infiltration,” explained Shahani of Tenable India.

Payments: With digital payments becoming standard when shopping online, UPI frauds, and credit card skimming are on the rise. “The range of attacks has grown due to the widespread use of digital payment methods and online purchasing platforms,” said Chopra of Norton.

“Considering the amount of first-party data stored on retail systems, retailers are becoming an easy target of all attackers as their security systems are not up to the mark. The demand for first-party data has increased after the recent deprecation of third-party cookies,” said Vivek Bajpai, co-founder and chief technology officer (CTO), GoKwik.

“Most retail merchants rely on technology provided by some small SMBs or they rely on open-source systems, although the cost of having these systems is very low, patching the vulnerabilities of these systems is usually ignored, as most of the retail companies don’t have enough engineering bandwidth,” added Bajpai.

What Retailers are doing

Retailers adopting digital systems and handling data are constantly working to safeguard their data and systems. Measures include storing data behind a firewall, different encryption protocols, intrusion prevention systems, security operation centres, password management, and updating cybersecurity measures.

Retailers in India have all invested a substantial investment in strengthening the measures. In addition to this, companies are compliant with industry standards like the International Organisation for Standardisation (ISO), Payment Card Industry Data Security Standard (PCI DSS) and others.

They also use cutting-edge technologies like artificial intelligence (AI) and machine learning in fraud detection with specialised algorithms.

However, experts still emphasise that retailers in India need to adopt exposure management to reduce cyber risk effectively. Exposure management provides retailers with complete visibility and context into what attackers see, helping them prioritise remediation efforts so the most critical business assets are protected. Investing more in cybersecurity technologies that focus on prevention, detection, and incident response should also be increased at regular intervals.