Cyberattacks targeting retailers have more than doubled in the last year, leading merchants to invest in AI and machine learning to protect customer data. While they can be powerful weapons, Shamoun Siddiqui, Neiman Marcus’ VP and chief information security officer, says merchants need to do more to protect themselves. In the latest Omni Security and Authentication Report, Siddiqui weighs the costs and benefits of using AI for cybersecurity, and explains how Neiman Marcus is trying to outsmart cybercriminals.
As the holiday shopping season approaches, retailers large and small are preparing for the coming rush of consumers looking to cross items off of their wish lists.
They’re making sure that stores are fully stocked with consumers’ favorite gifts, that they’re decorated and sparkling with holiday cheer and that there are enough associates to handle the increased workload. Stocking and décor aside, it’s also important for businesses to make sure that their cybersecurity systems can handle the increased workload, as well.
Cybercriminals tend to ramp up their attacks against retailers around the holiday season, when revenues are highest and opportunity is ripe. Half of all surveyed retailers in a recent report said they had been victims of cyberattacks — a more than 100 percent increase from the year before.
Fraudsters are not just increasing the frequency of their attacks against retailers; they’re also getting smarter and changing how and when they attack in order to cause the most damage and reap maximum rewards, according to Shamoun Siddiqui, vice president and chief information security officer at Neiman Marcus.
The Changing Face of Omnichannel Fraud
As retailers and companies in all industries have begun to look at cybersecurity as a larger priority, those in the space have passed new legislation and regulations to protect customers, the companies they do business with and the money exchanged. While many of these regulations have had the intended effect, they’ve also had unintended consequences.
For example, the adoption of EMV has helped cut down on in-store and card-present fraud, but, as a result, fraudsters have turned to other forms of attack that use new tools and technologies to target retailers.
“With the introduction of the EMV standard, the industry has seen a dramatic shift from card-related fraud to online, card-not-present fraud,” Siddiqui said.
As the number of transactions made online increases, many cybercriminals have been targeting those shopping channels. Gift cards have also become an appealing target for fraudsters in recent months, Siddiqui said, noting that botnet attacks are especially common in these incidents.
“Hackers and fraudsters have been relentless in the past year or two, attacking retail websites, scraping gift cards and probing accounts for weak passwords,” he explained. “We have seen a significant amount of botnet activity against our online portals, primarily targeting our gift card systems.”
Combatting Card-Not-Present Fraud
As cybercriminals adopt more sophisticated attack techniques, retailers like Neiman Marcus must implement new methods to safeguard transactions. Siddiqui and his team have made significant efforts to utilize artificial intelligence (AI) and machine learning (ML) systems, which detect suspicious behaviors or transactions and curb the number of successful cybercrimes.
“Whether the data resides in a traditional data center or in a public cloud, layered controls have been implemented to protect the confidentiality and integrity of that data,” he said. “We are also investing in artificial intelligence and machine learning technologies across a wide spectrum of areas. This includes fraud management, whereby AI and ML are being used to determine patterns of fraudulent transactions that may otherwise be invisible to the naked eye.”
AI and ML can be powerful tools, but they do come with challenges. Establishing these programs is often very expensive, Siddiqui said, and, therefore, they can be difficult for smaller retailers to afford. This is especially true when it comes to investing in AI and ML infrastructure, which must often meet certain regulatory requirements.
What’s more, despite the fact that AI and ML have become hot topics in the space, there’s a shortage of qualified professionals who can establish such offerings.
“Skilled individuals are very hard to come by. True data scientists with AI and ML expertise are few and far between and very expensive to hire and retain, and developing or growing that expertise in house takes time and patience,” he explained. “These are the reasons why a lot of companies, [though they recognize] the immense value of these technologies, have still not been able to implement viable programs.”
The Future of Retail Cybersecurity
Despite the challenges surrounding the use of AI and ML, Siddiqui maintained that these technologies offer the most promise for combatting cybercrime going forward.
“The roles of AI and ML are expected to become increasingly dominant over the next two to three years. We are accumulating and synthesizing an unprecedented and overwhelming amount of data, and traditional business intelligence has reached its limits,” he said. “The next generation of data analysis and correlation will come from the use of supervised, and especially unsupervised, machine learning.”
This is especially true as more business is performed via online, mobile and other connected channels. Customers expect top-flight service and convenience from retailers — especially luxury brands like Neiman Marcus — and they also expect digital transactions to be not just convenient and simple, but also safe and secure.
To that end, Neiman Marcus is investing in more than just AI and ML: it has implemented protections such as identity and access management, firewalls, intrusion prevention systems, malware protections and advanced threat monitoring and logging systems.
“We are modernizing our systems and environments to leverage open source platforms and public cloud environments,” Siddiqui said.
If Neiman Marcus’ strategy is any indication, retailers would be wise to invest in advanced cybersecurity technologies before the holiday shopping season descends.