'Tis the season to be shopping, as some might say. Holiday seasons are very good for retail businesses, with increased traffic in both online and brick-and-mortar stores. Unfortunately, business is good for cybercriminals during these busy shopping times, too – and, as a result, retailers need to ensure that their physical and cyber resources are safe and secure. This is never an easy task, especially at busy times like Thanksgiving and Christmas. However, a few extra steps to increase security can go a long way. Here are a few tips for becoming a more prudent retailer:
1) Awareness, awareness, awareness
Businesses that increase their staffing seasonally, as with the Christmas holidays, should ensure that their seasonal (and regular) employees understand how their day-to-day actions affect the security of the business. Employees should be trained on basics such as using strong passwords, locking terminals when not in use, refraining from writing down passwords or sensitive information, and reporting anything that looks out of place.
2) Principle of least privilege
For seasonal workers, retailers should have good on-boarding and off-boarding processes in place. These times of the year can be very busy (hence the need for extra staffing), and this is not a good time to let critical processes slip. Ensure that seasonal staff have only the access they need to do their job and nothing more; ensure they are given adequate training on the security aspects of the business, both physical and virtual; and ensure that their accounts are disabled and removed as part of the off-boarding process. Once the season is over, reconcile the list of active accounts against the current staff roster so that no forgotten seasonal account is left behind.
3) Physical security
Brick-and-mortar retailers should ramp up physical security measures during the holidays. Special attention should be paid to Point of Sale (POS) terminals. Any sign of tampering should raise concern. Credit card terminals should also be regularly inspected for skimming devices, and staff should know what the terminals normally look like so that a swapped or altered device is noticed quickly.
4) Trust but verify
Fraudulent check and credit card usage can increase during the holidays. Sound processes for verifying customer identities should be used during brick-and-mortar transactions.
5) Disaster recovery
Retailers should have a disaster recovery program in place. During the holidays, criminal activity increases in both the physical and cyber worlds. POS malware can infect critical payment systems. Vulnerabilities in e-commerce sites can be exploited by cybercriminals to siphon sensitive customer data and payment details, or to spread malware such as ransomware or cryptojacking code. Many other examples exist. In the event such a disaster occurs, retailers with good disaster recovery programs, including backups that have actually been tested by restoring from them, can recover much more efficiently.
6) Monitor, evaluate and alert
Retailers should have foundational security controls in place: vulnerability management, configuration and change monitoring, and file integrity monitoring. These technologies, when used appropriately, can increase security for online retailers and their cyber assets. Monitoring for vulnerable systems, unauthorized system changes, unauthorized file access and the like is very important for maintaining an organization's cybersecurity hygiene. Good technologies in this space will provide reporting and alerting that retailers and their IT groups can use for managing their security posture. Another good practice is to periodically bring in ethical hackers/pentesters to conduct security assessments.
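To make the "unauthorized system changes" point concrete, here is a small file integrity monitoring (FIM) example, added to this post rather than taken from it or from any product. It baselines a directory tree with SHA-256 digests, file sizes and permission bits, re-scans it later, and reports what was added, removed or modified. The sample POS software tree it builds in a temporary directory, and the tampering it simulates, are constructed for the demo.

```python
"""File integrity monitoring sketch: baseline a tree, re-scan, report changes.

Added example for this article; the directory layout and the tampering in
demo() are constructed, not real POS software.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Record digest, size and permission bits for every regular file under root.

    Keys are POSIX-style paths relative to root so baselines are portable.
    Symlinks are skipped: following them would let an attacker point the
    scanner at an untouched copy while the real file is modified.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Diff two baselines. A change in digest, size or mode counts as modified."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(k for k in old & new if baseline[k] != current[k]),
    }


def format_alerts(report: Dict[str, List[str]]) -> List[str]:
    """Render the report as one alert line per change, ready for a SIEM or ticket."""
    lines = []
    for kind in ("added", "removed", "modified"):
        lines.extend(f"FIM {kind.upper()}: {p}" for p in report[kind])
    return lines


def save_baseline(baseline: Dict[str, dict], path: Path) -> None:
    """Persist the baseline; keep it off the monitored host or sign it."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, dict]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed sample: a fake POS tree is baselined, then tampered with."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    try:
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "checkout").write_bytes(b"\x7fELF original checkout binary")
        (root / "etc" / "pos.conf").write_text("gateway=https://gateway.example\n")
        (root / "etc" / "install.log").write_text("install ok\n")
        baseline = build_baseline(root)

        # Simulated unauthorized changes: binary replaced, config extended,
        # a log deleted to cover tracks, and an unknown library dropped in.
        (root / "bin" / "checkout").write_bytes(b"\x7fELF replaced checkout binary")
        (root / "etc" / "pos.conf").write_text(
            "gateway=https://gateway.example\ndump_track_data=/tmp/out\n")
        (root / "etc" / "install.log").unlink()
        (root / "bin" / "scrape.dll").write_bytes(b"MZ unknown library")

        return compare(baseline, build_baseline(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for line in format_alerts(demo()):
        print(line)
```

Two points a deployment has to get right: the baseline must live somewhere the monitored host cannot rewrite (otherwise whoever modified the files simply re-baselines), and paths that legitimately change, such as live logs, need to be excluded or the alerts will be ignored by the time a real change shows up.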
7) Patch, patch, patch
Install patches for your operating systems and third-party applications as soon as they are available and have been tested. This is a very important defensive measure, especially for internet-facing systems such as retailers' e-commerce sites.