The retail sector has proven that when top minds put their heads together, they can make real headway against pernicious cyber threats. Case in point: the industry-wide adoption of EMV chip cards has played a role in reducing point-of-sale malware attacks by 93% since 2014.
Rendering POS malware less effective was a major victory for retail network security. To stay one step ahead of would-be attackers, retail security and risk professionals will need to think beyond the obvious and adopt some creative strategies.
Focus on Mobile App Security
Many large retailers have mobile apps that are designed to unify the online and in-store shopping experiences. Apps that engage customers by pushing coupons, sales, and cross-platform shopping have been one of the first forays into “omnichannel retail,” a trend which is likely to gain traction in the next few years.
Mobile applications also enable customers to pay from their devices, and they give retailers access to user data that can help them customize shopping experiences.
All of these features also make retail mobile apps a tantalizing target for cyber criminals. Because apps “live” on customers’ phones and not in a retailer’s own infrastructure, the retailer cannot rely on its network controls to protect the data those apps handle, and it is often difficult to bring them in line with policies designed to protect consumer information.
Retail security professionals must ensure that their apps are built with secure coding practices (input validation, no secrets or card data stored on the device, certificate-validated TLS for every connection) and that any mobile payment integration meets the applicable PCI DSS requirements. In addition, retailers should use discretion when deciding what kinds of customer data to collect, and keep only what they need. After all, the more data an organization keeps, the bigger the target on its back becomes.
It’s not just retailers’ proprietary apps that can expose customer data, either. Vulnerabilities in mobile point-of-sale systems and in other third-party mobile apps that touch customer data must be monitored as well.
Focus on Third-Party Security
What do Target, Home Depot, and Macy’s have in common? They all suffered data breaches that originated in the networks of third parties they worked with.
Beefing up your own network will help protect your company from hackers, but when third parties have access to your sensitive data, their cybersecurity posture must be monitored as well.
As retailers ramp up e-commerce activities, the number of third parties they’ll need to monitor will increase. Our research indicates that the median number of IT service providers for retailers is 52. How should a retailer go about assessing the security of all these vendors?
In addition to traditional third-party risk management strategies like sending cyber risk assessment questionnaires and conducting penetration tests, retailers should implement a continuous monitoring solution. These solutions use externally observable data to provide a daily update on a vendor’s overall security posture, and can indicate where in a vendor’s network the problems lie.
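The daily comparison such a monitoring solution performs can be illustrated with a small script. This is an added example, not BitSight’s code or rating model: the finding types, their severity weights, the vendor names and hostnames, and both days’ observations are all constructed sample data.

```python
"""Added example: a minimal continuous-monitoring pass over externally
observable findings for each vendor. It compares today's observations with
yesterday's to surface new and resolved problems and the host each one sits on.
All vendors, hosts, findings and weights below are constructed / hypothetical."""
from collections import defaultdict

# Hypothetical severity weights per finding type (an assumption, not a real rating model).
WEIGHT = {
    "expired_tls_cert": 3,
    "open_rdp": 4,
    "no_dmarc": 2,
    "outdated_server_header": 1,
}

# Constructed observations, one tuple per (vendor, host, finding_type).
YESTERDAY = [
    ("acme-logistics", "vpn.acme-logistics.example", "outdated_server_header"),
    ("acme-logistics", "mail.acme-logistics.example", "no_dmarc"),
    ("shopcart-saas", "api.shopcart.example", "expired_tls_cert"),
]
TODAY = [
    ("acme-logistics", "vpn.acme-logistics.example", "outdated_server_header"),
    ("acme-logistics", "vpn.acme-logistics.example", "open_rdp"),
    ("acme-logistics", "mail.acme-logistics.example", "no_dmarc"),
    # shopcart-saas renewed its certificate: no findings today.
]


def by_vendor(observations):
    """Group observations into {vendor: {(host, finding), ...}}."""
    grouped = defaultdict(set)
    for vendor, host, finding in observations:
        grouped[vendor].add((host, finding))
    return grouped


def score(findings):
    """Sum of severity weights of a vendor's current findings; higher is worse."""
    return sum(WEIGHT.get(finding, 1) for _, finding in findings)


def daily_delta(yesterday, today, escalate_at=4):
    """Per vendor: today's score, findings that appeared, findings that went away,
    and whether any new finding is severe enough to escalate to the vendor owner."""
    y, t = by_vendor(yesterday), by_vendor(today)
    report = {}
    for vendor in sorted(set(y) | set(t)):
        new = sorted(t[vendor] - y[vendor])
        resolved = sorted(y[vendor] - t[vendor])
        report[vendor] = {
            "score": score(t[vendor]),
            "previous_score": score(y[vendor]),
            "new": new,
            "resolved": resolved,
            "escalate": any(WEIGHT.get(f, 1) >= escalate_at for _, f in new),
        }
    return report


if __name__ == "__main__":
    for vendor, entry in daily_delta(YESTERDAY, TODAY).items():
        print(vendor, entry)
```

The value of the daily diff is that a newly exposed management service on a specific host (here, RDP on the vendor’s VPN concentrator) is flagged the day it appears, rather than whenever the next annual questionnaire goes out.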
Update Software on All IoT Devices
The internet of things (IoT) is already revolutionizing retail, from manufacturing to storage to sales to shipping. IoT devices have been used for inventory tracking, pushing notifications to the phones of in-store shoppers, and even monitoring mall foot traffic.
However, the internet of things is as dangerous as it is promising. Gartner reports that 20% of organizations experienced at least one IoT-based attack between 2015 and 2018. Across industries, regulators and security groups are struggling to keep up with the explosion of internet-connected devices.
Here’s one simple strategy retailers can implement to limit their risk: make sure all IoT devices are running the latest versions of their respective software.
When developers become aware of vulnerabilities, they usually publish fixes as firmware or software updates. However, not every device can update itself automatically, and some are never patched by their vendor at all. Retail security professionals should track every IoT endpoint in their networks, the version it runs, and whether it self-updates, and have a regular program in place for applying updates by hand where needed. Devices that cannot be updated at all should be segmented away from payment systems and the corporate network.
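An inventory check of this kind fits in a few dozen lines. The script below is an added example, not code from the original page or from any device vendor: the device names, models, firmware versions and the “latest version” feed are all constructed, and the assumption is that each device’s running version and update capability have already been collected into an inventory.

```python
"""Added example: flag IoT endpoints running outdated software and separate
those that will self-update from those needing a manual visit.
Inventory and version feed are constructed sample data."""
import re
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    model: str
    running: str       # software/firmware version the device reports
    auto_update: bool  # whether the device pulls updates itself


# Constructed inventory of store devices (hypothetical models and versions).
INVENTORY = [
    Device("shelf-sensor-01", "shelf-sensor", "2.3.1", True),
    Device("shelf-sensor-02", "shelf-sensor", "2.1.0", False),
    Device("beacon-entrance", "ble-beacon", "1.0.4", False),
    Device("footfall-cam-1", "people-counter", "4.0.0", True),
    Device("footfall-cam-2", "people-counter", "3.9.2", True),
    Device("kiosk-tablet", "kiosk", "7.1", True),
]

# Constructed "latest version" feed keyed by model, as it might be assembled
# from vendor release notes. A model missing here has no known current version,
# which is itself worth reporting (vendor silent, or device end-of-life).
LATEST = {"shelf-sensor": "2.3.1", "ble-beacon": "1.2.0", "people-counter": "4.0.0"}


def parse_version(version):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically.
    Plain string comparison gets '10.0.0' < '9.0.0' wrong."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def outdated(devices, latest):
    """Return device names running something older than the latest known
    version, split by whether they self-update, plus devices with no known
    current version."""
    auto, manual, unknown = [], [], []
    for device in devices:
        if device.model not in latest:
            unknown.append(device.name)
            continue
        if parse_version(device.running) < parse_version(latest[device.model]):
            (auto if device.auto_update else manual).append(device.name)
    return {"auto": auto, "manual": manual, "no_known_version": unknown}


if __name__ == "__main__":
    for bucket, names in outdated(INVENTORY, LATEST).items():
        print(f"{bucket}: {names}")
```

The “manual” list is the one the update program has to schedule store visits for; the “no_known_version” list is the one to raise with procurement, since a device whose vendor publishes nothing may need to be isolated or replaced rather than patched.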
Create Effective User Awareness Training Programs
Using technology to improve retail network security is only half the battle. No matter how many tools and procedures an IT department implements, something as simple as a phishing email can still give attackers access to sensitive data.
According to Verizon, user-related risk vectors like phishing, privilege abuse, and misdelivery made up three of the top five action varieties in data breaches in 2017. One of the most effective ways to protect against these risks is to implement a comprehensive cyber risk-awareness program.
You can find our suggestions for creating an effective cyber risk-awareness program in this ebook.
Practice your Data Breach Recovery Plan
If you haven’t developed a data breach response and recovery plan, make it a top priority. You never know when disaster will strike, and no retailer is impervious to data breaches.
If you have developed a data breach response and recovery plan, when was the last time you practiced it? Rehearsing how you would notify customers, regulators and the press, and how you would contain the intrusion and rebuild affected systems, is one of the best ways to prepare for a cyber attack. Think of it like a fire drill: practicing breach response is a time investment, but you’ll be thankful for it should it ever prove necessary.
The cyber risk landscape is constantly changing, but with a little creativity, retailers can add a few more victories in the fight against cyber attacks.