Retailers are turning to new, innovative technologies to withstand the onslaught of the industry’s megaplayers (looking at you, Amazon and Walmart), but the bigger—and more insidious—threat to the future of retail is a lack of cybersecurity. Retail IT decision-makers know that when the likes of Target, Home Depot, and Neiman Marcus are vulnerable to hackers, a tight IT security strategy is needed, stat.
As the number of people shopping on their mobile devices rises, there’s a huge opportunity for cybercriminals to rake in unsuspecting victims. Kaspersky Lab found that in the first quarter of 2017, for instance, the number of mobile ransomware files detected had reached 218,625, compared with 61,832 in the previous quarter. Yet according to a survey from KPMG, less than half (45 percent) of senior retail security executives reported investing enough in cybersecurity strategy in the last year. As many as 42 percent said they didn’t even have a leader in charge of information security.
What can your IT team do to formulate a solid retail cybersecurity strategy?
1. Beef up the basics first
By leveraging the NIST Cybersecurity Framework, you’ll have a set of guidelines and assessments to determine your current capabilities, set goals, and establish a plan to improve and maintain your infrastructure. The Framework was developed by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), and the most recent version was published in April 2018, which clarified and enhanced it, making it easier to use today.
2. Train everyone on IT security policy
Human error has been the culprit behind several major breaches, so you need to make sure every employee is trained appropriately to raise awareness and ensure best practices are followed. That means they need to bone up on IT security for both business and personal use.
Industry partnerships can facilitate teaching and supply the latest information on threats and attacks. For instance, the Retail Cyber Intelligence Sharing Center (R-CISC) and the Information Technology Information Sharing and Analysis Center (IT-ISAC) are two great resources if you’re looking for educational material or general security guidelines. The National Retail Federation also started a threat alert subsystem in consultation with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the US Department of Homeland Security.
3. Frequently update and patch everything
Back in 2016, SecurityScorecard found that a whopping 83 percent of retailers had unpatched vulnerabilities and 62 percent were using software that wasn’t getting any security support from the manufacturer. “The longer the patch goes unapplied, the longer the hacker has to exploit that vulnerability,” Brian Engle, executive director of the R-CISC, told Retail Dive. Regular software updates are the easy—yet often overlooked—way to secure older parts of the infrastructure until investing in new systems and software.
While you’re at it, keep high traffic areas clear so only necessary personnel has access. “Compartmentalizing, or segmenting networks—to keep corporate environments, support environments, and store environments where retail payment occurs at the point of sale separated—is important in limiting the success of cybercriminals,” R-CISC’s Engle said.
4. Keep data anonymous
The highest profile cybercrimes are those where thousands of people’s personal information has been compromised. And the criminals’ level of sophistication is only getting better. According to Booz Allen Hamilton, “The elite Russian-language cybercrime forum Exploit has had, throughout much of 2017, a steadily increasing inventory of web injects that can be used for harvesting customer data, including account credentials, for various financial organizations and retail customer accounts.”
That’s why retail technology provider Ipsos suggests that customers’ details should be anonymized and stored according to ISO standards. “When we work with retailers, we do not store any personal information—all data is collected anonymously. IP addresses and mobile signals identify repeat shoppers rather than individuals’ data, such as mobile numbers and email addresses.”
5. Tighten up your endpoint security
The most vulnerable pieces of equipment for a retailer, or any business, are the ones everyone has access to but no one really thinks about from a security standpoint, like a copier, printer, or other endpoint device. These devices can be vulnerable points to attack—but they don’t have to be. A smart endpoint device can ensure the entire network is secure by offering real-time threat detection along with self-healing capabilities.
Technology is evolving all the time, and it’s redefining the way customers shop and sell. But the evolution comes with the potential for more complex security threats. Retail IT decision-makers know it’s not enough to cross your fingers and hope for the best. Preparing for the worst demands an advanced security strategy and an investment in infrastructure, staff, and processes to bring your IT security position in line with other industries while building customer trust and loyalty.