2025 Cybersecurity Trends & Threats: What Convenience Stores Need to Know
Supply chains and retail landscapes are getting more digital, but not all companies are adapting. In fact, too many seem to be turning a blind eye. In a survey for the 2023 Convenience Store News Technology Study, only 38% of respondents called improving data security a top business priority.
As we enter 2025, the new year presents an opportunity for convenience store leaders to learn more about the key cybersecurity threats and what can be done to mitigate these threats.
The Supply Chain Is the Priority
As supply chains become more complex and digitized, bad actors are seizing on opportunities for cyberattacks — and there are many more than most retailers realize.
Consider the recent discovery of vulnerabilities in automatic tank gauge (ATG) industrial control systems (ICS). Researchers revealed critical vulnerabilities in six ATG systems from five vendors across critical infrastructure, including retail and hospitality. Should attackers exploit these vulnerabilities, they could gain control of ATG systems to disrupt fuel supplies, leading to physical, environmental and financial harm.
In 2025, risks like these will only multiply. To become more resilient in this new year and beyond, convenience store executives and store owners must turn their attention to supply chain risk management, specifically vendor risk management.
In recent years, there's been a steady increase in attacks originating from third-party vendors. Once bad actors have compromised a supplier's network, they can use it as a foothold to gain access to retailers' systems, making way for data breaches, credential theft, ransomware, malware, etc.
Of course, retailers cannot simply stop working with much-needed suppliers. Instead, to shield themselves from cyberattackers, retailers should ramp up vendor risk management. This may mean adding cybersecurity requirements to vendor contracts to outline security measures vendors must uphold (e.g., data encryption, access controls, etc.).
Additionally, teams should conduct regular risk assessments to screen vendors for potential cybersecurity risks. Resources are available for vendors who need some assistance in developing a more robust cybersecurity posture, such as LinkSECURE, a program for small to midsized vendors and service providers that have limited IT or cyber resources.
Beyond vendors, retailers need to pay greater attention to the supply chain as a whole. Increased supply chain visibility empowers retailers to understand not only what makes up the supply chain, but who — and what their weaknesses are. Again, regular auditing and monitoring processes are helpful as they allow staff to identify visibility gaps, uncover weaknesses and find areas for improvement.
Don't Neglect New Tech
The supply chain is indeed a big source of cybersecurity threats for convenience stores, but there are plenty of other threats closer to home.
Consider self-checkout kiosks. While self-service registers may bring new efficiencies for store owners in the name of faster, cheaper operations, they also introduce new cybersecurity risks. These kiosks handle scores of sensitive customer information every day, which spells plentiful opportunities for cyberattackers. Phishing attacks, where bad actors rig kiosks to prompt customers to enter personal details to "create" an account, are just one nefarious example. But even without duped customers, self-checkout kiosks still pose risks. Because they're connected to a store's network, they're another point of entry for attackers to target and infiltrate.
Retailers face cyberthreats beyond the shopfront, too. As the electric vehicle (EV) market continues to expand, convenience stores are uniquely positioned to host EV charging stations. This is a service many customers will appreciate, but cyberattackers will too. Like self-checkout kiosks, EV charging stations are often connected to a store's network, giving bad actors another entry point through which they can exploit network vulnerabilities to gain access and inject malware, deploy ransomware, steal sensitive data, etc.
Once again, third parties create challenges. Many store owners rely on third-party providers to manage their EV charging stations. But if these providers have cybersecurity weaknesses, they can open the door for attackers to infiltrate retailers' networks via charging stations. So, convenience stores will need to be vigilant when implementing new technologies.
Above All: Train the Staff
What are convenience store operators to do in the face of rising cybersecurity threats?
Perhaps above all, retailers should make cybersecurity training the priority of 2025. When educated about cybersecurity risks and bad actors' tactics, staff can better detect and deflect threats on the job.
Many executives, however, make the same mistake: creating cybersecurity training that is too technical (and dull) for non-IT staff. Instead, store owners should tailor cybersecurity training to the non-techie's point of view. For instance, providing real-world examples of cybersecurity risks, eliminating dense jargon, and engaging staff in diverse practice activities.
Cyber risks will only worsen in the next year, with threats from the supply chain, third-party vendors and new technologies creating a dangerous landscape for retailers. One of the best lines of defense is education, training staff to understand the risks and arming them with the knowledge to respond safely to threats, in 2025 and beyond.
Pam Lindemoen, is chief security officer, vice president of strategy at Retail & Hospitality ISAC. The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) is a trusted community for sharing sector-specific cybersecurity information and intelligence. The RH-ISAC connects information security teams at the strategic, operational and tactical levels to work together on issues and challenges, to share practices and insights, and to benchmark among each other — all with the goal of building better security for consumer-facing industries through collaboration.
Editor's note: The opinions expressed in this column are the author's and do not necessarily reflect the views of Convenience Store News.