Secure retailing: Six steps to making it happen
Of late, the words 'secure' and 'retailing' have rarely been seen in the same sentence, because the retail industry has emerged as a favourite playground for hackers. This is underscored by the British Retail Consortium's Retail Crime Survey, which found that the majority of retailers see cyber attacks as a critical threat to their business, with nearly two-thirds targeted by hackers in the last 12 months. It's no wonder that the same survey showed that a third of consumers do not trust retail information security.
In another survey, the 2015 Cloud Security report by Alert Logic, it was also observed that the types of attacks hackers use depend on a business's online presence and how that business interacts with its customers. In the case of retail, there are many touchpoints for a customer, including a significant presence online, where customer details, buying behaviour, loyalty data, financial and credit card information are all stored, and are highly valuable to cyber criminals.
These hackers are looking to exploit any weakness they see to obtain this data and monetise it as quickly as possible through a readily available secondary market of criminals specialising in committing fraud. And offloading these stolen ‘goods’ has never been easier with the advent of the ‘dark web’ and online auctions and stores to sell these goods in an anonymous way.
As hacker techniques are becoming more widespread and sophisticated, it is important to have a comprehensive security strategy in place. This is particularly pertinent given that IDC found that it takes on average 205 days for companies to detect attacks. The impact of these breaches can be catastrophic, especially in retail where brand reputation and loyalty are the keys to success.
While securing a retail business can seem like a daunting task, there are six steps that can be taken immediately to help retailers take some of the power back and not feel helpless against cyber attackers. It is important to add here that these steps are in no particular order. They are each significant, so choosing any as a starting point will put retailers well on their way to becoming more secure.
1. Secure web applications
This may seem obvious, but for retailers that use the internet to attract consumers to their goods, securing these applications is vital, especially if they collect any kind of consumer data like passwords and email addresses. Crucially, it's not just the payment and personal details sections that need securing. Any script or click-through needs protecting as well. Just ask the team that manages the Jamie Oliver website, which was hacked twice last year: malicious code was inserted into his (legitimate) website that triggered a nasty exploit kit that would infect visitors' computers.
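The Jamie Oliver incident above is a case of code being added to a legitimate page without the site owner noticing. One defensive control is to periodically compare the scripts a storefront actually serves against the scripts it is known to ship. The following Python is an added example written for this article, not code from the original page or from any retailer named in it; the allowlist, the hostnames (`cdn.example-shop.test`, `bad.invalid`) and the sample page are all constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

# Constructed allowlist for a hypothetical storefront: every external script
# source the site is expected to reference. Anything else is a finding.
ALLOWED_SRC = {
    "/static/js/app.js",
    "https://cdn.example-shop.test/checkout.js",
}


class ScriptCollector(HTMLParser):
    """Collect every <script> element as {"src": ..., "body": ...}."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # Script bodies are delivered in CDATA mode, possibly in several chunks.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def sha256_hex(text):
    """Hash an inline script body so it can be allowlisted without storing it."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


def find_unexpected_scripts(html, allowed_src, allowed_inline_hashes):
    """Return (kind, value) findings for scripts not on the allowlists.

    kind is "external" (value = the src attribute) or "inline"
    (value = SHA-256 of the script body).
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"] is not None:
            if s["src"] not in allowed_src:
                findings.append(("external", s["src"]))
        else:
            digest = sha256_hex(s["body"])
            if digest not in allowed_inline_hashes:
                findings.append(("inline", digest))
    return findings


# Constructed expected inline script and its hash (the "known good" baseline).
EXPECTED_INLINE = "window.shopConfig = {currency: 'GBP'};"
ALLOWED_INLINE_HASHES = {sha256_hex(EXPECTED_INLINE)}

# Constructed page: the three allowed scripts plus two injected ones
# (a foreign src and an inline body that is not on the baseline).
SAMPLE_PAGE = f"""<html><head>
<script src="/static/js/app.js"></script>
<script>{EXPECTED_INLINE}</script>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script src="http://bad.invalid/ek.js"></script>
<script>/* constructed placeholder for injected code */ loadRemoteKit('http://bad.invalid/ek.js');</script>
</head><body>Welcome</body></html>"""


def audit_sample():
    """Run the check over the constructed page."""
    return find_unexpected_scripts(SAMPLE_PAGE, ALLOWED_SRC, ALLOWED_INLINE_HASHES)


if __name__ == "__main__":
    for kind, value in audit_sample():
        print(f"unexpected {kind} script: {value}")
```

Run it against a copy of each public page on a schedule (or in the deployment pipeline) and treat any finding as an incident to investigate, not just a warning. Hashing inline bodies rather than storing them keeps the baseline small and makes it obvious when a body has changed by even one character.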
2. Create access management policies
In short, know who has access to what information within your organisation. If lower level employees have no reason to be able to access critical business information, don't allow it. It can be a lengthy process to sort this one out depending on what kind of information your organisation keeps, but there are tools out there to help identify critical information and make sure that only the few who need to know it can gain access to it.
3. Adopt a patch management approach
Yes, there's "Patch Tuesday", where Microsoft acknowledges the latest patches available - some are important, some less so. Don't ignore them. Prioritise the fixes and make the changes, and try to do so in a timely fashion. Make this someone's job, because once these are public, there may well be nuisance attackers that will still try to take advantage of the vulnerabilities - we always talk about the path of least resistance when it comes to cyber attackers; generally, the easiest way into an organisation is going to be favoured over something more sophisticated. Attackers know that organisations are fighting an uphill battle when it comes to patching these vulnerabilities. Don't be caught out.
4. Review logs regularly
Security logs contain records of login/logout activity and other security-related events specified by the system's audit policy, making them a goldmine of information, but they are often one of the most under-utilised facets of security. A hacker's attempt to get into your system will leave a digital trail that is obvious if you know what you are looking for. Creating a process for reviewing these logs against application, system and network level threats, with steps in place to respond accordingly, helps organisations identify and remediate attacks in a more timely way. This can be the job of a person or set of people on premises, or part of a managed service. There is also plenty of technology out there to help with this task.
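To make the "digital trail" concrete, here is a small Python log reviewer added for this article (not the page's own code or a product of the author's company). It reads constructed sshd-style login lines, counts failed logins per source address inside a sliding time window, and flags both the repeated failures and a success that follows them from the same address, which is the pattern a password-guessing attempt leaves behind. The threshold, window and every address and hostname in the sample are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in syslog/sshd style (documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 09:14:01 shop-web1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51822 ssh2
Mar  3 09:14:04 shop-web1 sshd[2212]: Failed password for admin from 203.0.113.7 port 51830 ssh2
Mar  3 09:14:09 shop-web1 sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 51841 ssh2
Mar  3 09:14:15 shop-web1 sshd[2217]: Failed password for admin from 203.0.113.7 port 51850 ssh2
Mar  3 09:14:22 shop-web1 sshd[2219]: Failed password for admin from 203.0.113.7 port 51861 ssh2
Mar  3 09:14:40 shop-web1 sshd[2230]: Accepted password for admin from 203.0.113.7 port 51901 ssh2
Mar  3 09:20:12 shop-web1 sshd[2250]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 09:21:03 shop-web1 sshd[2260]: Failed password for root from 198.51.100.33 port 33001 ssh2
Mar  3 09:45:03 shop-web1 sshd[2290]: Failed password for root from 198.51.100.33 port 33100 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line):
    """Return a dict for a login event, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for measuring gaps between events within one file.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {
        "ts": ts,
        "ok": m.group("result") == "Accepted",
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def review_auth_log(text, threshold=5, window_seconds=300):
    """Scan login lines and return findings.

    ("brute_force", ip, n): at least `threshold` failures from `ip` fell inside
        a `window_seconds` window (reported once per address).
    ("success_after_failures", ip, user, n): a login from `ip` succeeded while
        `n` >= threshold failures were still inside the window.
    """
    failures = defaultdict(deque)  # ip -> timestamps of failures still in window
    flagged = set()
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        # Slide the window: forget failures older than window_seconds.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["ok"]:
            if len(q) >= threshold:
                findings.append(("success_after_failures", ev["ip"], ev["user"], len(q)))
        else:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                findings.append(("brute_force", ev["ip"], len(q)))
    return findings


if __name__ == "__main__":
    for finding in review_auth_log(SAMPLE_LOG):
        print(finding)
```

In the sample, the address 203.0.113.7 trips both rules, while the two root failures from 198.51.100.33 are 24 minutes apart and so never accumulate inside the five-minute window; tuning that window and threshold to your own baseline is the part of the process that needs a human. The same shape (parse, group by actor, slide a window, alert on a pattern) carries over to web server and application logs.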
5. Stay informed on latest vulnerabilities and build a security toolkit
Any security professional worth his or her salt will know that understanding the anatomy of an attack is the key to combating it. Keeping up to date on all the latest threats goes a long way towards building best security practices around that knowledge. There are plenty of free resources to help, including blogs, newsfeeds and forums. Using this information helps in building an arsenal of security tools that will be vital in the protection of the organisation.
6. Understand your cloud service provider's security model
The majority of retailers will have some sort of cloud aspect to their IT infrastructure, and increasingly this is the ecommerce website that is the storefront for the retailer and its interaction with customers. It is important to acknowledge and understand that CSPs are clearly on the hook for securing their foundational infrastructure (which they do very well), but the ecommerce applications hosted on that infrastructure are the responsibility of the retailer. This includes all the security monitoring, vulnerability scanning, network threat detection, etc. There is nothing more critical than understanding where each party's responsibilities lie; that way there is no blame game if the worst happens.
Traditionally, in the retail sector, security has been evaluated in terms of "risk" to the organisation and security policies have been put in place to minimise that risk. What retailers should instead be focusing on is reducing the threats, which are tangible and can be mitigated now; and this need not be an insurmountable task. By focusing on the continuous monitoring of systems and adopting an approach which takes into account people, processes and technology as in the above steps, retailers can start addressing the actual threats posed to the organisation and crucially reduce the window of opportunity for criminals to take advantage.
Richard Cassidy is technical director EMEA, at Alert Logic.