In some ways, you have sympathy for CIOs of retailers. The sector has some of the most advanced and streamlined companies on the planet, the intense competition between large rivals and the constant pressure of hopeful, innovative smaller players has led to an industry-wide obsession with staying on the cutting edge of technology. With more and more business being conducted online, this love-affair with technology is unlikely to decrease over the next decade.
The retail industry may still be reeling from the number of high profile retail security breaches including Home Depot, JP Morgan and Target, but one thing is clear: data security is very much front and centre with retailers, who are looking at ways to improve security and protecting critical customer data in 2015.
Why were so many (especially physical) retailers hit hard over the past 12 months? Some have speculated that hackers increased their wave of attacks ahead of the US’ 2015 plans to shift to chip-and-pin technology, which intends to pave the way for more secure credit and debit card payments. This created a sense of urgency to exploit major retailers whilst it was still possible. This may indeed be the case, but it’s a non-issue for online-only based retailers and will soon be a ‘patched’ opening for their physical counterparts.
What’s more concerning to internet retailers is that they are being perceived as high-value and somewhat ‘soft’ targets – both for the customer data they retain and for their high priority on business efficiency versus carefully maintained security practices.
In any case, these breaches have put security at the top of nearly every retail executives’ list of priorities. They know now that they are on cyber criminals hit list, so what should they be doing in 2015 to prepare for the worst?
Close the SecOps gap
Security and IT Operations teams (SecOps) within organisations have traditionally been siloed functions making it difficult to quickly identify and respond to potential vulnerabilities. This siloed structure undermines efforts around security and compliance, and puts an organization at risk for attack. Bridging these two functions can significantly reduce the response time to threats and speed the time to remediation, to ultimately strengthen the overall security posture against potential attacks.
Continue to practice good cyber hygiene
Practicing good cyber hygiene is like sports in that it is typically the team that consistently executes on the basics that wins. Ensuring retailers protect and maintain systems and devices appropriately can be achieved by leveraging cyber security best practices. For example, ensuring that only authorized devices are connected to company networks, limiting the applications or software running on company assets, securely configuring corporate assets, including removing default usernames and passwords and restricting the use of administrative privileges. Just as important is continuously scanning and remediating vulnerabilities and misconfigurations in company assets.
Prepare for new payment systems
If you run hybrid internet and physical locations, be aware that while chip-and-pin technology will likely decrease the severity of POS system breaches, a new wave of contactless e-payment systems being introduced, such as Apple Pay and Google Wallet, could provide new attack surfaces for hackers to exploit. Similarly, Internet-of-Things (IoT) based devices such as printers and security cameras must be considered as threat vectors and retailers should consider these new systems and network points to ensure they have a plan in place to protect their systems from the security vulnerabilities systems that could expose customer data.
In today’s complex security landscape, it’s critical to be proactive and vigilant to protect against cyber threats in order to be as secure as possible. While retailers won’t be able to completely stop breaches and attacks, what they can do is minimize the risk, proactively address threats as they arise and be prepared.
Amol Sarwate is director of engineering at Qualys