These days, most of us can’t go without the internet for even a moment. Last Friday, many had their worst nightmares come to life when they turned on their computers. Hackers, who call themselves the ShadowBrokers, had managed to infect more than 200,000 devices, across 150 countries with the aptly named ransomware, “WannaCry”. Utilizing a vulnerability in certain Microsoft Windows systems which allows it to gain access and encrypt all data contained within, the virus effectively turned the devices into expensive bricks. The malware then demanded payments in BitCoins to decrypt the data and return access.
Almost every possible vertical including retail and consumer brands were potential industries affected by WannaCry, which is now being called the largest such ransomware attack, forcing cybersecurity professionals to work over the weekend to protect the systems of their corporate clients.
As the scale of the internet has increased tremendously, such attacks are also predicted to stay on the rise. Retail is an industry that has always been a hot target for hackers. This is because of the abundance of customer data including payment information that most retailers have access to and the innumerable devices connected to a retail network that hackers could gain access from. By diverting attention of the IT teams to improve sales performance instead of security, many retailers are left vulnerable to the constant threat of a cyber attack.
It’s imperative that retailers take steps to protect sensitive business data, especially in an omnichannel environment as the cost of a breach includes not just the loss of data but also that of reputation, which may have cascading negative effects on overall business performance.
The following are a few of the best practices that retailers should follow in order to effectively protect themselves in today’s ever connected world.
Having a Backup
According to a PwC report titled, Global State of Information Security Survey 2015, only 54% of retailers had an accurate inventory of how and where they collect, transmit and store data. Maintaining detailed logs and monitoring all the data exchanged in any company network is paramount to information security. It is wise to constantly backup important data in a secure, and isolated environment, though it is not as pervasive a practice within corporations as one would assume. Segmentation and isolation of different data types such as cardholder data, customer data, vendor/partner data, operational data and backup data etc. can be helpful in mitigating risks coming from the various devices omnichannel retail networks are connected to today. Apart from just having a backup in terms of data, one must also have a security breach response plan which details what needs to be done in case a business inevitably becomes the victim of a cyber attack.
Microsoft had already identified the vulnerability now known as Eternal Blue, and released a patch to secure it two months before the WannaCry attack. The infected systems hadn’t installed the latest security patch, making them vulnerable. This shows how important it is to constantly be up to date on the latest security measures available. Hackers are constantly innovating to exploit any weaknesses they could find. Businesses are now forced to ensure their security by doing the same. According to PwC, due to the scalability and agility of the cloud, businesses have the opportunity to enable safer information transfer through technologies such as deep analytics and machine learning which could help with cybersecurity. Infact, 23% of businesses surveyed in the year 2017 study said they were going to invest in Artificial Intelligence and machine learning over the next 12 months.
A tool is only as good as the person using it. The same is true for security measures as well. Phishing and social engineering are often used and surprisingly effective methods of data breach. Educating each employee (especially the store staff) on the best practices in terms of security that they must adhere to will significantly bring down the vulnerability any business faces. This is especially true of the omnichannel environment that most businesses work on with a myriad of different devices being connected to any network, including mobile devices both personal and official, tablets, laptops, beacons etc. Each employee must be aware of the risks involved and trained on detecting suspicious, fraudulent behaviour.
Having a detailed view of all data streams in an omnichannel environment is paramount for data security. Like stated above, maintaining detailed logs would also help you to detect and prevent attacks. Since a lot of the tools businesses use today are hosted on the cloud, these applications may also have access to sensitive data. It’s important to monitor such third party applications as well and ensure they have effective security measures in place. It also helps to create tighter access controls such as granular role-based access controls which will only allow access to the information a particular employee or application requires at the time and no more, could improve security drastically. Stringent security models such as Forrester’s “Zero Trust” which always verifies all entities within and outside a network before allowing access could give businesses immense control over their data.
Compliance with security standards such as PCI-DSS, ISO, HIPAA etc. may already be the top priority for many retailers, but it’s important to note that one must not build their security program by just completing checklists to fulfil the terms required. Remember that these standards are the minimum requirements that need to be maintained. Organisations should also follow a holistic approach towards security to ensure there aren’t any gaps that are left unprotected.