Digital networks are now the backbone of every retail operation. But they are also a very attractive target for cyber criminals. Paul Leybourne of Vodat International examines the key cyber security threats facing retailers – and how they can better protect their businesses.
Every day, retailers’ in-store voice and data networks are used to manage a staggering level of business-critical data – from purchase transactions, stock data and merchandising to promotions, health and safety alerts and, of course, customers’ personal details.
With the British Retail Consortium estimating the annual cost of retail cybercrime at £100m, there’s a great deal at stake. So, what are the key cyber security threats? And how can retailers fight against them to better protect their businesses?
Threat 1 - Vulnerable Wi-Fi networks
Wi-Fi has become a key retail tool in recent years. Many organisations use Wi-Fi to connect in-store POS and staff devices, while others offer free Wi-Fi to increase customers’ on-site dwell time. Wi-Fi networks are also increasingly relied upon to give customer-facing colleagues access to core apps and systems. Unfortunately, Wi-Fi is also a very attractive target for cyber criminals.
Without sufficient Wi-Fi security a hacker can access a network and monitor data traffic, disrupt transactions and even launch a distributed denial of service (DDoS) attack that stops a store from trading altogether. A hacker can also set up a fake Wi-Fi hotspot on-site, tricking both staff and customers into logging in and then harvesting their personal details, including identities and passwords.
Securing your Wi-Fi network
- Go beyond simple passwords: Multi-factor authentication such as tokens and push notifications sent to mobile phones are significantly more secure than traditional password access to Wi-Fi networks.
- Divide and secure your network: Make it difficult for hackers to move around if they manage to breach your Wi-Fi network.
- Use automatic monitoring: Deploy software that can automatically monitor a network and look for suspicious activity or strange data flows.
The PCI Security Standards Council recommends the use of a WIPS (Wireless Intrusion Prevention System) to automate wireless network scanning. This layer of security is also useful for monitoring network performance and discovering access points with configuration errors.
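The automatic monitoring described above comes down to comparing what the radios actually see against what the retailer knows it owns. The following is an added example, not Vodat's code or any WIPS product: it takes a list of scan records and an inventory of authorised access points (both constructed sample data) and flags an unknown radio borrowing a corporate SSID, an owned radio whose security setting no longer matches the inventory, and a strong unknown hotspot. The -50 dBm threshold is an assumed tuning value.

```python
"""Detecting rogue and misconfigured access points against an authorised inventory.

Added example, not Vodat's or any WIPS vendor's code. The inventory, BSSIDs and
scan records are constructed sample data; the -50 dBm "strong unknown AP"
threshold is an assumed tuning value.
"""
from dataclasses import dataclass

# Constructed inventory of the store's authorised access points, keyed by BSSID.
AUTHORISED_APS = {
    "aa:bb:cc:00:00:01": {"ssid": "StoreCorp", "security": "WPA2-Enterprise", "channels": {1, 6, 11}},
    "aa:bb:cc:00:00:02": {"ssid": "StoreGuest", "security": "WPA2-PSK", "channels": {1, 6, 11}},
}
CORPORATE_SSIDS = {ap["ssid"] for ap in AUTHORISED_APS.values()}
STRONG_SIGNAL_DBM = -50  # assumed: stronger than this usually means the radio is inside the store


@dataclass(frozen=True)
class ScanRecord:
    bssid: str
    ssid: str
    security: str  # "OPEN", "WPA2-PSK", "WPA2-Enterprise", ...
    channel: int
    rssi: int      # received signal strength in dBm


def classify(record):
    """Return (code, message) findings for one scan record; an empty list means nothing to report."""
    findings = []
    known = AUTHORISED_APS.get(record.bssid.lower())
    if known is None:
        # A radio we do not own: worrying if it borrows our SSID (evil twin) or is very close.
        if record.ssid in CORPORATE_SSIDS:
            findings.append(("EVIL_TWIN", f"unknown BSSID {record.bssid} advertises corporate SSID {record.ssid!r}"))
        elif record.rssi > STRONG_SIGNAL_DBM:
            findings.append(("STRONG_UNKNOWN_AP", f"unknown BSSID {record.bssid} ({record.ssid!r}) at {record.rssi} dBm"))
        return findings
    # One of our own radios: check it still matches the inventory (misconfiguration or tampering).
    if record.ssid != known["ssid"]:
        findings.append(("SSID_MISMATCH", f"{record.bssid} advertises {record.ssid!r}, expected {known['ssid']!r}"))
    if record.security != known["security"]:
        findings.append(("SECURITY_MISMATCH", f"{record.bssid} uses {record.security}, expected {known['security']}"))
    if record.channel not in known["channels"]:
        findings.append(("UNEXPECTED_CHANNEL", f"{record.bssid} on channel {record.channel}"))
    return findings


def scan_report(records):
    """Flatten findings across a whole scan as (bssid, code, message) tuples."""
    return [(r.bssid, code, msg) for r in records for code, msg in classify(r)]


# Constructed scan: one clean corporate AP, one evil twin, one downgraded guest AP,
# one distant neighbour and one strong unknown hotspot.
SAMPLE_SCAN = [
    ScanRecord("aa:bb:cc:00:00:01", "StoreCorp", "WPA2-Enterprise", 6, -55),
    ScanRecord("de:ad:be:ef:00:01", "StoreCorp", "OPEN", 6, -40),
    ScanRecord("aa:bb:cc:00:00:02", "StoreGuest", "OPEN", 11, -60),
    ScanRecord("11:22:33:44:55:66", "CoffeeShopWifi", "WPA2-PSK", 1, -85),
    ScanRecord("11:22:33:44:55:77", "FreeWifi", "OPEN", 1, -42),
]

if __name__ == "__main__":
    for bssid, code, msg in scan_report(SAMPLE_SCAN):
        print(f"{code:<20} {msg}")
```

Run on the sample scan it reports the evil twin, the guest AP that has dropped to open authentication, and the strong unknown hotspot, while ignoring the weak neighbouring network; in practice the inventory would be fed from the controller and the scan from the access points' own monitor radios.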
Threat 2 - Weak POS Security
With around 60 percent of all EPOS transactions paid by electronic cards, the consequences of a security breach are potentially spectacular.
First, a criminal must contaminate an EPOS system with a specific type of malware. With retailers operating from multiple locations and with various employees and third-party IT professionals accessing EPOS systems, this is a lot easier than many would imagine. Hackers can also attempt to do this remotely by hacking an online server.
Once malware has been introduced to an EPOS system, it can automatically begin to harvest customers’ card data as it passes through a system. The hacker can either use this information themselves, or sell it on.
How to secure an EPOS system
- Use end-to-end encryption: Leading EPOS terminal suppliers provide software designed to ensure customers’ data is never exposed to hackers. It encrypts credit card details as soon as they are received by the POS device, and again when they are dispatched to the software’s server. This means customers’ data is never vulnerable, no matter where a hacker may install malware.
- Install antivirus software on the EPOS system: This will ensure malware doesn’t breach the system. Antivirus software will scan devices, identify suspicious files or apps and create alerts so that threats can be removed.
- Isolate EPOS terminals: Hackers can break into a device and view and steal customers’ details, especially if end-to-end encryption hasn’t been used. Account for all terminals at the end of the day and store them in a secure location.
Threat 3 - Poor network configuration
No network can ever be 100 percent secure from a cyberattack. However, a pragmatic retailer will install measures that severely limit the chances and impact of a breach. Hackers generally look to infiltrate a soft target first, for example a contractors’ system or in-store Wi-Fi, before moving on to areas with sensitive business data.
A common tactic is to target a contractor with a phishing email to steal their log-on credentials and then use these to infiltrate a network, for example breaching their POS system.
How to optimise network configuration
- Segment the network: Group applications and databases together depending on how sensitive or business critical they are and then keep them together on specific virtual local area networks (VLANs) within your system. Once important functionality is isolated, it is possible to monitor usage more easily and strictly limit traffic.
- Role-based access: An administrator should either approve or deny access rights based on an employee’s function. For example, only customer service reps should be given access to customer profile information.
- Apply granular controls: Once a network is segmented, settings can be finely tuned so that the system is optimised further.
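The three steps above (segment, grant access by role, then tune the rules) are easiest to see as a default-deny policy that can be checked against real traffic. The following is an added example, not part of Vodat's managed-network service: it maps a constructed VLAN plan to segment names, allows only a short list of segment-to-segment flows, evaluates a few constructed flow-log lines against that list, and keeps role-based permissions in a separate table so that a contractor's credentials never carry POS or CRM rights even if they are phished.

```python
"""Default-deny segment policy and role-based access, checked over sample flow records.

Added example (not Vodat's managed-network product). The VLAN subnets, flow
policy, roles and log lines are all constructed for illustration.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed VLAN plan: each segment is one subnet, grouped by sensitivity.
SEGMENTS = {
    "guest-wifi": ip_network("10.10.0.0/24"),
    "pos": ip_network("10.10.1.0/24"),
    "corp": ip_network("10.10.2.0/24"),
    "contractor": ip_network("10.10.3.0/24"),
    "building-mgmt": ip_network("10.10.7.0/24"),
    "crm": ip_network("10.10.8.0/24"),
    "payment-gateway": ip_network("10.10.9.0/24"),
}

# Everything not listed here is denied: (source segment, destination segment, destination port).
ALLOWED_FLOWS = {
    ("pos", "payment-gateway", 443),
    ("corp", "crm", 443),
    ("contractor", "building-mgmt", 443),
}

# Role-based access: an administrator grants actions by job function, not per person.
ROLE_PERMISSIONS = {
    "customer-service": {"crm:read"},
    "store-manager": {"crm:read", "stock:write"},
    "hvac-contractor": {"building-mgmt:read"},
}

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def segment_of(ip):
    """Map an address to its VLAN segment name, or 'unknown' if it is outside the plan."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def check_flow(line):
    """Return (source segment, destination segment, port, allowed?) for one flow-log line."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    src, dst, port = segment_of(m["src"]), segment_of(m["dst"]), int(m["dport"])
    return src, dst, port, (src, dst, port) in ALLOWED_FLOWS


def violations(lines):
    """Flow-log lines that the default-deny policy should have blocked."""
    return [(src, dst, port) for src, dst, port, ok in map(check_flow, lines) if not ok]


def is_permitted(role, action):
    """Role-based check: unknown roles get nothing."""
    return action in ROLE_PERMISSIONS.get(role, set())


# Constructed flow records, in the shape a firewall or NetFlow collector might export them.
SAMPLE_FLOWS = [
    "2024-05-01T09:00:01 src=10.10.1.20 dst=10.10.9.5 dport=443",   # POS -> payment gateway
    "2024-05-01T09:00:02 src=10.10.2.14 dst=10.10.8.3 dport=443",   # corp -> CRM
    "2024-05-01T09:00:03 src=10.10.3.7 dst=10.10.1.20 dport=445",   # contractor -> POS: should be blocked
    "2024-05-01T09:00:04 src=10.10.0.99 dst=10.10.8.3 dport=443",   # guest Wi-Fi -> CRM: should be blocked
]

if __name__ == "__main__":
    for v in violations(SAMPLE_FLOWS):
        print("policy violation:", v)
    print(is_permitted("customer-service", "crm:read"), is_permitted("hvac-contractor", "crm:read"))
```

Any flow that appears in the log but not in the allow list is something to investigate: either the firewall rules do not match the written policy, or something is already moving laterally. The role table is deliberately separate from the network policy so that the two controls fail independently.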
Having a fully managed network ensures that a retailer benefits from the securest configuration available. Unified management of mobile devices, PCs and the entire network can be done from a centralised dashboard, with live troubleshooting.
Threat 4 - Inadequate staff education
Cyber criminals often target the weakest point of a network, and in many instances, this may be the employees. No matter how strong a retailer’s security is, or how robust their network configuration, they are at risk of scoring an own goal if they don’t adequately train their staff.
Business email compromise attacks involve sending scam messages to company employees in an attempt to extract sensitive information. A lost or stolen mobile device, such as a laptop or smart phone, can also present a hacker with a treasure trove of opportunities. Hackers can also target specific individuals they know will have access to sensitive data.
Cyber security training
- Phishing attacks: Train staff to recognise a phishing email or a spam attack so that they can alert the IT department to prevent other colleagues from being tricked.
- Create an acceptable-use policy: Staff should be given clear guidance on the websites they’re allowed to visit, what kinds of files they’re allowed to download and the Wi-Fi networks that are safe.
- Cultivate an open-door reporting culture: Employees should be encouraged to report anything suspicious to the IT department, even if it resulted from clicking on a website or downloading a file they shouldn’t have.
- Manage mobile devices effectively: Make sure employees know when to update their mobile devices to ensure they have the latest security updates and patches.
- Use secured Wi-Fi networks: When employees are on smart phones and tablets they should always use the device’s mobile data plan, rather than an unknown and unsecured Wi-Fi network.
With a Mobile Device Management solution in place, it is possible to automatically update an entire estate of mobile devices with the latest security patches and with the minimum of fuss.
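The training above only pays off if the IT department can quickly confirm what a colleague has reported. The following is an added example, not Vodat's code: a small triage routine that applies the usual phishing indicators (lookalike sender domain, display name claiming the company from an external address, mismatched Reply-To, urgency wording, link text that differs from the link target) to two constructed messages. The company domain, the substitution table and both messages are assumptions made for the example.

```python
"""Triage checks a help desk can run on a reported suspicious email.

Added example, not Vodat's product or code. The company domain, the messages and
the lookalike substitution table are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-retail.co.uk"   # constructed
COMPANY_NAME = "example-retail"
# Common character swaps used to build lookalike domains (assumed, not exhaustive).
SUBSTITUTIONS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "account suspended", "verify your password")
LINK_RE = re.compile(r'<a\s+href="https?://([^/"]+)[^"]*"\s*>\s*https?://([^/<\s]+)', re.IGNORECASE)


def normalise(domain):
    d = domain.lower()
    for k, v in SUBSTITUTIONS.items():
        d = d.replace(k, v)
    return d


def is_lookalike(domain):
    """True if the domain is not ours but collapses to ours once common swaps are undone."""
    return domain.lower() != COMPANY_DOMAIN and normalise(domain) == normalise(COMPANY_DOMAIN)


def domain_of(address):
    return address.rpartition("@")[2].lower()


def triage(raw_message):
    """Return the list of indicators found in one RFC 822 message; empty means nothing flagged."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    found = []
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if is_lookalike(sender_domain):
        found.append("sender domain is a lookalike of the company domain")
    if COMPANY_NAME in display.lower() and sender_domain != COMPANY_DOMAIN:
        found.append("display name claims the company but address is external")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        found.append("reply-to goes to a different domain than the sender")
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(p in text for p in URGENCY_PHRASES):
        found.append("urgency or credential language")
    for href_host, shown_host in LINK_RE.findall(body):
        if href_host.lower() != shown_host.lower():
            found.append(f"link text shows {shown_host} but points at {href_host}")
    return found


# Constructed messages: one credential-phishing attempt and one ordinary internal email.
PHISHING_SAMPLE = """\
From: "Example-Retail IT Helpdesk" <helpdesk@examp1e-retail.co.uk>
Reply-To: <collect@mailbox-relay.example.net>
To: staff@example-retail.co.uk
Subject: URGENT: your password expires within 24 hours
Content-Type: text/html

<p>Please verify your password at
<a href="https://login.mailbox-relay.example.net/reset">https://sso.example-retail.co.uk</a></p>
"""

LEGITIMATE_SAMPLE = """\
From: "Jane Smith" <jane.smith@example-retail.co.uk>
To: staff@example-retail.co.uk
Subject: Rota for next week

Hi all, next week's rota is on the staff noticeboard. Thanks, Jane
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, "->", triage(sample) or ["no indicators"])
```

None of these indicators is conclusive on its own (a genuine supplier may well have an external Reply-To), which is why the routine returns the full list rather than a verdict; the value is in giving the IT department a consistent first pass and in showing staff concretely what they were trained to look for.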
Threat 5 - GDPR non-compliance
The collection, storage and use of customers’ data has just become much more challenging due to the EU’s General Data Protection Regulation (GDPR), which aims to give individuals back ownership and control of their personal information.
Retailers that breach GDPR regulation face graded penalties depending on the severity of the case. The maximum fine is 4% of annual global turnover, or €20 million, whichever is higher.
Ensuring GDPR compliance
- Create a comprehensive data log: Retailers need to create one clear and comprehensive log of all the data they hold, including details of where it is stored.
- Improve security and create a data breach plan: Under GDPR, retailers must notify affected customers within 72 hours of a data breach. This makes an effective, well-rehearsed data breach plan essential.
- Review current processes used to obtain consent: GDPR requires all retailers to gain unambiguous, active and explicit consent for the use of customers’ personal data. They also need to explain in simple language what data has been collected and what it is used for.
- Create processes allowing customers to access and download their data: Retailers must create processes that enable customers to download their own data within 30 days of a request.
- Review all third-party contracts: Retailers are likely to work with vendor partners who act as data processors. It is the retailer’s responsibility to clearly set out comprehensive guidelines on how the vendor should use the data.
Overall, it is important for retailers to work with experienced partners who can help guide them through the key network security threats – and provide the solutions to fight them.
Paul Leybourne, Head of Sales at Vodat International