Four Key Practices for Stronger Retail CybersecurityMarry long-term vision with short-term actions for stronger retail IT security now and in the future By: Secureworks
Seventy-three percent of consumers in a 2016 survey said they would reconsider using a company if it could not keep their data safe. That's a sobering statistic for retailers, especially when your IT teams are tasked with making your company easier to do business with, more transparent and more accessible to customers. You want to focus budget dollars on the exciting technology-based innovations that enable more personalized interaction with customers. Can you do that while also maintaining strong protection for company and customer data?
Omnichannel initiatives, personalization, mobile and social media marketing—all of the exciting new ways to connect to your customers can also pose risks, not to mention the existing vulnerabilities that are just a part of every enterprise IT ecosystem. While the EMV chip-based payment system is designed to prevent some types of fraud more commonly perpetrated on magnetic-stripe credit cards, it's still not a panacea against fraud and could potentially introduce new vulnerabilities.
Where should you focus precious human and capital resources in order to support innovation, back-end operations, and a happy and safe shopping experience for your customers? Our latest white paper, "Strong Security for a Brighter Future in Retail," offers some helpful guidance for achieving resilience against cyber threats in alignment with your important business and customer initiatives. For a brief checklist of helpful security practices you can implement right away, read on.
1. Review your last penetration test.
Remember that last pen testing engagement? Did it cause you to shore up any particular systems, policies and processes? Were the gaps successfully closed? Vulnerabilities can arise whenever you conduct online transactions with customers and suppliers, introduce new in-store devices, adopt new cloud-based environments or allow for employee logins.
2. Consider an incident response retainer.
Some of the most damaging retail data breaches went unnoticed for a significant duration of time, enabling cyber criminals to steal reams of customer data. Rapid and thorough incident response is essential to minimizing a threat inside your network. Several providers offer an incident response retainer service and/or emergency incident response services within minutes of a reported network security breach. This can reduce your time to respond to an incident and improve your overall effectiveness. With a retainer or an emergency engagement, security experts will work to contain the breach, mitigate the threat and protect your assets. As a result, the duration and impact to your organization from an active cyber security breach is minimized.
3. Conduct an incident management risk assessment.
Unless a threat can exploit a vulnerability, it does not pose a risk to an asset. Mapping threats to assets and vulnerabilities can help identify potential security risks with a laser-like focus. Having a focused approach to cyber threats can be valuable when you're trying to protect more with existing security investments. Without requiring technology purchases or implementations, an incident management risk assessment can help you determine how prepared your organization is to detect and respond to a targeted or advanced threat. It can also align policies, procedures and controls against targeted threats, and be used to evaluate the access levels for your normal and privileged users.
4. Promote security awareness training for your employees.
When employees have access to customer data, they need heightened security awareness. Vendors, business partners and third parties may require training as well. You may need to reassess the third parties you currently share data with to ensure their policies and procedures do not put you at risk. A security awareness training doesn't have to be long and drawn out, but it can be a helpful refresher for employees during other major program or technology implementations when busy staff could be prone to cut corners.
Preventing cyber threats is a 365-days-a-year activity that also requires visionary thinking to accommodate protection for your future business initiatives. You can engage in some near-term prevention strategies, while also looking ahead to more strategic security operations improvements in the new year and beyond.