With $4.45 billion (£3.1 billion) spent during a major online shopping weekend in November 2015 alone (Fortune), it’s clear that the need for retailers to safeguard credit card data, consumer data, transactions, and other sensitive data is becoming ever more pressing. Such a large volume of critical data is passed between various points every second, making it essential for the infrastructure to be protected from end to end. To overcome this, here are five essential cybersecurity Dos and Don’ts for retailers to keep in mind when putting strategies in place to keep customer data protected from the hackers.
Don’t: Assume your system is safe
Do: Accept a breach is going to happen
Breaches are happening all the time. It’s an unfortunate fact, but one that retailers must come to terms with: data breaches are inevitable. The amount of data breaches hitting the hacking headlines this year alone shows that retailers need to accept that hackers will get in, and instead should focus on using crypto-segmentation strategies to limit what the hackers can access.
Don’t: Rely on breach detection and protection policies alone
Do: Focus on breach containment to keep the hackers at bay
With the acceptance that breaches are going to occur must come the recognition that breach protection and detection policies are no longer enough to keep the hackers out. Instead, retailers must open up to the world of breach containment, a strategy that focuses on limiting the scope of a breach by containing it to a single segment of the network, instead of leaving the hackers to move laterally throughout the system at their leisure.
Don’t: Define your software strategy by the network
Do: Make security application and user specific
Long gone are the days where it’s acceptable for an effective security strategy to focus purely on the network. Instead, modern, software-defined security positions the security policies and protection functions around applications and users, which, in a retail environment, means only giving access to customer data to those that need it.
For example, a sales transaction and the accompanying payment card and consumer data should be accessible to only the authorised sales person conducting the transaction. The company logistics managers, corporate managers, HVAC contractors, and others do not need access to the transaction data. Yet the primary security model used by retailers has no effective isolation of the payment card application. In breach after breach, hackers have compromised a user unrelated to the payment card systems, then moved laterally to get to the payment card information.
Don’t: Focus security on individual silos
Do: Manage security end to end across all silos
The enterprise IT environment is fragmented across many silos, including LAN, WAN, Internet, mobile, Wi-Fi, cloud, data centre, remote facilities, disaster recovery and backup, and others. Each of these silos has its own method of application protection and access controls, and is commonly managed by separate teams in the enterprise.
What’s more, enforcing consistent policies and protection from end to end across all these zones is enormously difficult given the fragmented nature of the technologies and teams. To combat this, a strategy is needed that enforces protection and policies horizontally across all silos, requiring no changes to the network or applications, and putting all control in the hands of the security manager.
Don’t: Allow any network to be trusted
Do: Put in place segmentation and isolation to protect applications on all networks
The multiple hacks of 2015 show retailers must adopt a 'No Trust' security model, which assumes that there is no such thing as a trusted network or IT environment. Instead, every user, device, network, and application must be treated as untrusted, and all enterprise systems should be considered already compromised. Additionally, applications must be segmented, which simply means that an isolation method such as encryption is used to isolate the application flow and prevent access by unauthorised users. However, the most effective approach is to isolate the sensitive data with strong cryptography and tightly control access to it based on user roles.
This segmentation should then be applied consistently across all silos, for all users in the enterprise. An effective cybersecurity strategy needn’t be complicated; however, it’s about knowing which strategies are effective and which approaches to take in order to protect valuable customer data and avoid the PR catastrophes faced by many retailers in the ongoing wave of headline-grabbing data breaches.
Paul German, VP EMEA, Certes Networks