The latest report of cybersecurity firm Sophos reveals that as companies shifted to online trading, they became the top target of ransomware attacks. The “State of Ransomware in Retail” saw that retail, along with education, faced the highest level of ransomware attacks in 2020, with 44% of organizations hit (compared to 37% across all industry sectors).
The report looks at the extent and impact of ransomware attacks on mid-sized retail organizations worldwide at the height of the COVID-19 pandemic in 2020. The survey polled 5,400 IT decision-makers, including 435 retail IT managers, in 30 countries across Europe, the Americas, Asia-Pacific, and Central Asia, the Middle East, and Africa.
“The retail sector has always been an attractive target for cyberattacks, with its complex, distributed IT environments, including a multitude of connected point-of-sale devices, a relatively transient and non-technical workforce, and access to a wide range of personal and financial customer data,” said Chester Wisniewski, principal research scientist at Sophos. “The impact of the pandemic introduced additional security challenges that cybercriminals were quick to exploit.
The survey revealed that more than 1 in 10 or 12% (nearly double the cross-sector average of 7%.) of respondents fell victim to the “small but growing new trend” — extortion-only attacks. Unlike the known ransomware attacks, cybercriminals only threaten to leak the stolen information online if the ransom was not paid. They don’t necessarily encrypt the data.
Still, there are still incidents where attackers encrypted the data affecting over half (54%) of the retail organizations surveyed. A third (32%) of those whose data was encrypted paid the ransom.
“The comparatively high percentage of targets hit with data-theft-based extortion attacks is not entirely surprising,” Wisniewski said. “Service industries such as retail hold information that is often subject to strict data protection laws, and attackers are only too willing to exploit a victim’s fear of fallout from a data breach in terms of fines and damage to brand reputation, sales, and customer trust.”
According to Sophos, the total bill for rectifying a ransomware attack in the retail sector, considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, and more, was $1.97 million on average, compared to a cross-sector average of $1.85 million
Cost of ransomware
The average ransom payment was $147,811 (lower than the global average of $170,404.) However, those who paid recovered on average only two-thirds (67%) of their data, leaving a third inaccessible; and just 9% got all their encrypted data back
“It’s not all bad news for retail IT managers,” Wisniewski said.” While enabling, managing, and securing IT during the pandemic increased the overall IT workload for three-quarters of retailers, the sector was also the most likely (at 77%) to see a positive return in terms of enhanced cybersecurity skills and knowledge.
“To secure retail IT networks against ransomware and other cyberattacks, we advise IT teams to focus resources on three critical areas: building stronger defenses against cyberthreats, introducing security skills training for users including part time and temporary staff, and, where possible, investing in more resilient infrastructure.”