Point-of-sale (PoS) terminals were compromised for more than two weeks. 40 million card details and 70 million records of personal information were swiped, part of which was “backlist” data: historical transaction information dating back roughly a decade. Card unions paid over $200 million in costs for card reissues. They then filed a class-action lawsuit against Target to recover this cost.
And the most mind-blowing fact of all? Target actually had (and still does have) cybersecurity measures in place and a security policy for employees to follow. How and why the breach even happened the way it happened remained the subject of discussion for a long time, and hard lessons were learned.
The good news for retailers is that it doesn’t (always) have to be this way.
Pose the right questions
Retailers of all shapes and sizes care about their businesses and clients. No merchant would want to be in the shoes of Target or TJX for a minute, post-breach. In fact, if they can keep something as big and messy and costly from happening to them, they would do anything.
It’s understandably challenging to add more to an already tall order of “things to do” in the retail industry; however, cybersecurity should no longer be seen as an afterthought, nor should it be treated like an option that one can get hyped up about today and then forget tomorrow. It has quickly become an integral part of any organization for the sake of business continuity, client retention, and brand integrity.
If you remain unconvinced whether you really need to incorporate cybersecurity in your business, perhaps this is a thought you can consider: If your organization uses any form of technology that connects to a data communication avenue and/or the Internet, chances are you need cybersecurity.
“Where do I start?” is probably not the right question to ask once you decide to kick off this journey, for you’ll most certainly receive an “I don’t know” or “I have no idea” just as instantly. Instead, be specific and practical. Come up with questions that you think you can answer. We have listed some below that you can use to guide you on your way.
What am I using in business that needs protecting?
Here, you can list your valuable assets, beginning with the tangible (the retail store, CCTV cameras, mobile phones, point-of-sale machines, etc.) and then the intangible (your website, customer data, intellectual property, etc.). Once done, you can find ways to secure each of them according to your business’s needs. Most of the time, all you need to do is configure your devices and peripherals to make the most of their security-related settings.
For example, installing smart CCTV cameras on-premise can both lessen the risk of physical theft and aid law enforcement in capturing criminals should something terrible happen in the shop. But who is watching your watcher? Better yet: Who else could be watching through your watcher? A lot of CCTV cameras can be accessed publicly via the Internet. You can secure these cameras and ensure that you and your staff are the only ones who can use them by setting them up to local-only mode and changing their admin names and passwords.
You may also decide to seek help from your service provider with more complicated devices and systems.
Should you wish to invest in software or tools, pick those that protect as many of your assets as possible. For example, many endpoint security solutions allow users to install them on multiple devices running Windows.
What are the threats that can potentially affect my business?
Cybersecurity threats to retail businesses can come in the form of people or technology. We’re quite familiar with the former: from the petty thief to an organized crime group. There are also malicious insiders and basically anyone meaning to make money out of your business.
On the other hand, one thing merchants miss when identifying what could potentially introduce threats to their companies is the very technology (apps, modern payment systems, and others) they use or invest in to remain competitive. The dangers or risks introduced by these are usually accidental, and can be avoided entirely.
Customer data remains the primary target of fraud in the retail industry. For those who may not be in the know, a single customer record may contain their credit or debit card details, spending patterns or habits, and loyalty behaviors, which can be retrieved from online shopping, digital marketing, and the loyalty schemes they’re enrolled in.
Other threats retailers must keep in mind and defend themselves against include malicious insiders, spear phishing, DDoS attacks, brute force attacks, reconnaissance and suspicious activity attacks, supply chain attacks, and more. If you’re a merchant that uses the omni-channel approach, be aware that there is now a new type of fraud in this environment. We’ll tackle this in depth in a future post.
How can I keep cybersecurity threats away from my business?
Merchants have gotten really good at handling traditional risks and threats to their businesses. But managing potential physical risks, which merchants already do well, is one thing, and managing digital risks is another. Thankfully, new and old merchants alike don’t have to start from scratch. There are already industry standards in place, such as the Payment Card Industry Security Standards Council’s Data Security Standard (PCI DSS), that they can readily glean from. The Object Management Group (OMG), an international technology standards consortium, also has a cybersecurity standard that merchants may want to look into. And, oh, if you have clients in the UK and EU countries, let’s not forget GDPR.
As for other cybersecurity threats that need addressing, such as those that affect a merchant’s website, our Labs blog has a lot of great resources:
- DDoS attacks are growing: What can businesses do?
- All rise! Mind these digital crimes and arm yourself against them
- Part 2: All rise! Mind these digital crimes and arm your business against them
- How to build an incident response program: GDPR guidelines
The National Federation of Retail Newsagents (NFRN), an organization composed of thousands of independent retailers in the UK and Northern Ireland, published a booklet that also serves as a checklist for merchants regarding assessing retail crime risk. This list includes physical security and cybersecurity.
Lastly, merchants must decide on a regular time to conduct a risk assessment—monthly, quarterly, biannually, or annually.
Should my employees get involved in mitigating cybersecurity risks?
Absolutely. When it comes to implementing good security practices in a retail business, merchants cannot do it alone. One way they can start employees off is by creating a culture of cybersecurity at the very beginning. Merchants can even incorporate awareness and basic cybersecurity concepts in their training process for new hires. Get them up to speed with the kinds of digital threats the business may come face-to-face with at some point in the future and provide them the steps on how to respond efficiently to red alert cases.
Note that training must be done on a regular basis and not just a one-off occurrence. It must also be relevant, practical, and engaging to employees. Use familiar case studies like the Target breach, or if your organization has experienced a form of cyberattack in the past, use that as a teaching moment, too.
What else can I do once I’ve secured the business’s assets?
Once you’ve done a great deal of securing, realize that the job doesn’t end there. There are still some things that need to be done:
- Monitor your PCI environment on a regular basis. Doing so will notify you in real time of potential intrusions in your payment system so you can nip the threat in the bud before the situation escalates.
- Schedule a regular audit of security and compliance. This will ensure that your retail business remains in compliance with security and industry standards.
- Join a community. Information sharing among fellow merchants is becoming a trend when it comes to cybersecurity. Firms learn from each other’s victories and mistakes. After all, cybercrime is not just a problem of one but of every organization in the industry. Cybersecurity, in this regard, is now a community effort.
- Keep learning. Staying on top of the latest security news and industry challenges can help merchants familiarize themselves with tactics threat actors are using against retailers, assess their current situation, and make adjustments to their defenses and protocols accordingly.
- Prioritize security and privacy when creating apps. Should you choose to develop software, such as apps, that you encourage your clients to install, make sure you build these apps with security in mind.
- Create a security policy. This makes good computing practices not just feel like guidelines but actual procedures employees need to adhere to. Here are sample templates merchants can use and tweak to their preference.
Stop chasing the wrong answers
Breaches are inevitable. This is a known fact and an often-repeated line by people in the cybersecurity industry. Companies have been advised to prepare.
That said, perhaps a merchant’s next and final question would be this: If a breach is inevitable, then what’s the point of doing all this?
It’s true that no one wants to invest a lot of time and money in security tools, services, and people to fight off breaches only to be told it’s not possible. The message they’re hearing is “the bad guys always win, and there’s nothing you can do about it.” However, this isn’t in-line with reality at all.
While there’s no such thing as perfect security, the protocols a multitude of companies have in place have already helped them stop many breach attempts.
Unfortunately, sometimes threat actors do succeed in infiltrating a retailer’s network. In this case, the logical action is to contain it to prevent it from escalating and causing more damage. But containment and preventative steps cannot be done if proper security measures, guidelines, and a good security architecture aren’t in place, to begin with. Also, identifying what made it successful so the organization can make changes is part of the overall cybersecurity strategy. So putting them there isn’t really for naught.