“It’s not just a group of hackers in hoodies anymore. It’s nation-state attacks. It’s organized cybercrime divisions,” warned Jason James, CIO of retail tech provider Aptos, speaking at a panel session, “Retail Under Attack,” at the National Retail Federation’s annual Retail’s Big Show in New York City on January 12.
James appeared along with Roger Delph, head of security at apparel company Oxford Industries; Krithika Ganesamoorthi, solutions architect at Amazon Web Services; and Rosemary DeAragon, global head of retail & consumer goods at Snowflake.
The increasing sophistication of cyberattacks makes them harder to anticipate, identify and fend off than ever before. Perhaps more importantly, it means that most people – even savvy ones – are likely to get caught out. Delph at Oxford Industries, which owns Tommy Bahama and other retailers, related a story about his cybersecurity team running a simulated phishing attack that appeared to offer free sandwiches from the Jimmy John’s chain to workers at one location. “Everyone got caught,” he said. “Even CEOs get caught.”
Point-of-sale systems have recently become a particular favorite when it comes to finding vulnerable chinks in the armor, said James. “And the last thing you want is a delay at the point of sale,” he said. Delph said there were increasing incidents of retail associates being approached with offers of cash, and even a share of a successful hack.
That gives a new twist to what’s known as social engineering – targeting an individual after gathering personal information. In the past, that has meant piecing together enough intel on a person’s private life that a cybercriminal can trick them into believing they’re being contacted by a bank or trusted family member. But it also means identifying who might be sufficiently unhappy at work, or stretched financially, or just greedy enough to be open to handing over a couple of passwords.
For that very reason, data remains the core of what needs protecting. It’s also what can aid in preventing or minimizing the impact of cyberattacks. Ganesamoorthi takes the case of employees being co-opted by cyber-baddies as a prime example. AWS allows retailers to match up computer vision with transaction data from individual POS terminals to look for anomalies that should raise red flags. That means scrutinizing all the “edge” devices now in use, both on the retail floor and elsewhere in the retail supply chain – smartphones, tablets, other handheld devices. The proliferation of those has substantially increased the “attack surface,” said Ganesamoorthi. “There’s a lot of entry points for attacks,” she said. “And then you have digital and online storefronts, and there the difference is the scale of the attack, and the speed. It’s exponential.”
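One concrete form the vision-plus-transaction correlation described above can take is a per-associate “scan gap” check: items the camera counts crossing the scanner bed minus items the POS actually rang up. This is an added illustration written for this article, not AWS’s or any panelist’s code; the transaction log, camera counts and z-score threshold are all constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not from the panel): a POS transaction log and
# per-transaction item counts derived from a lane camera, keyed by txn id.
POS_LOG = [
    # txn_id, terminal, associate, items_scanned
    ("t1", "POS-01", "alice", 4),
    ("t2", "POS-01", "alice", 2),
    ("t3", "POS-02", "bob",   3),
    ("t4", "POS-02", "bob",   1),
    ("t5", "POS-02", "bob",   2),
    ("t6", "POS-03", "carol", 5),
]
VISION_COUNTS = {  # items the camera counted passing the scanner
    "t1": 4, "t2": 2, "t3": 5, "t4": 3, "t5": 4, "t6": 5,
}


def scan_gaps(pos_log, vision_counts):
    """Per transaction: items the camera saw that were never scanned."""
    gaps = {}
    for txn_id, _terminal, _associate, scanned in pos_log:
        seen = vision_counts.get(txn_id)
        if seen is None:
            continue  # no camera coverage for this lane; nothing to compare
        gaps[txn_id] = max(seen - scanned, 0)
    return gaps


def flag_associates(pos_log, vision_counts, z_threshold=1.0):
    """Associates whose mean scan gap is an outlier across all associates.

    Uses a simple population z-score; the threshold is an assumed tuning
    value, not a recommendation from the article or from AWS.
    """
    gaps = scan_gaps(pos_log, vision_counts)
    per_assoc = defaultdict(list)
    for txn_id, _terminal, associate, _scanned in pos_log:
        if txn_id in gaps:
            per_assoc[associate].append(gaps[txn_id])
    if not per_assoc:
        return []  # no overlapping data: nothing can be flagged
    means = {a: mean(v) for a, v in per_assoc.items()}
    baseline = mean(means.values())
    spread = pstdev(means.values()) or 1.0  # all equal -> avoid divide by zero
    return sorted(a for a, m in means.items() if (m - baseline) / spread > z_threshold)
```

A flagged associate is a lead for review, not a verdict; a consistent gap on one lane can equally indicate a miscalibrated camera or scanner.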
DeAragon at Snowflake, a cybersecurity services provider, also pointed to the proliferation of digital IDs and logins in business in general, but especially in retail. “Protection starts at the data level, but it’s also about making sure you’re aware of all the different IDs, edge applications, and so on,” she said. “You need to apply security protocols across them all.”
You also need to decide who gets access to which systems at which level of security, to lessen the chance of a breach. Maybe the COO doesn’t need always-on access to the HR files. “That can get heated,” said James.
On the other hand, over-reacting to the risk can be a real problem too. “You have to balance security with versatility and elasticity,” said James. Delph agreed. “It has to be pragmatic. No one’s going to die if you get something wrong, and security teams sometimes go too far. So choose the right technology,” Delph advised. Cybersecurity is not supposed to get in the way of selling goods to consumers, after all. “The most perfectly secure system is one buried six feet underground!” Delph said. Security teams need to be approachable enough that, if an employee clicked on something that turned out to be funky, they have the confidence to tell someone. AWS runs a forum for its clients to share stories about how they got played, and to share tips on how to spot a threat.
Artificial intelligence that deploys natural language modeling offers good ways forward, said DeAragon, because it can not only predict where and when attacks are likely to occur but also, after an attack, model the impact and even the next best actions to take.
But, of course, AI also presents a heightened risk because of the astonishing capabilities of bots combined with large language models. “Right now, there’s no game plan,” said Delph. “We’re going to see a surge in fraud again until we figure this out.”
Agentic AI also offers benefits to retailers, in the form of agentic AI-aided shopping. The risk is that chargeback fraud will become harder to combat as a result.
All in all, Delph said, in terms of retail businesses’ vulnerability “We’re back to where we were a few years ago: It really is up to the human. The sales associate. The head of IT.”
With deepfakes, fake Zoom personas, text phishing, email spoofing, social engineering and malware presenting a constantly moving target, the emphasis on applying good old-fashioned skepticism remains, James said. “The best security weapon is training.”