How to Secure Increasingly Complex Retail Networks

While data security is paramount in retail, complex networking technologies and legacy architectures often leave IT leaders scratching their heads on how to fully protect the integrity of retail transactions. 

Further, security is becoming more complex each day as retail operations involve more people across greater geographic distances than ever, with information spread not only across office buildings but also within cloud applications and, further, with customers bringing their own devices into stores. 

For retailers, data security is critical to maintaining customers’ trust. But the question of when a breach will occur is “becoming not so much a matter of if as much as a matter of when,” says Jim Fulton, senior director at Forcepoint, a company that provides security solutions for the rapidly changing technology landscape, in the webinar Retailers Face Unique Network Security Challenges by CDW and Forcepoint. 

“Retail presents just an enormous attack surface for cybercriminals,” says Michael Osterman, principal analyst at Osterman Research, in the webinar. “There are many venues at which they can attack.” 

The good news is that the right network security can ensure businesses have the right infrastructure in place to keep pace, but first retailers must understand the threat landscape. 

Where Are Modern-Day Retailers Vulnerable? 

To understand the cyberthreats and vulnerabilities facing large retailers today, in April and May 2017 Osterman Research surveyed 100 IT decision-makers from retail, hospitality and rental car organizations with at least 1,000 employees. 

“We found that there were a wide variety of problems that organizations had experienced over the last year,” says Osterman. 

In the past year, 87 percent of organizations surveyed had experienced one of the following: an accidental leak of sensitive data, a point-of-sale system compromise, malware infiltration from an unknown channel or an undisclosed security problem. 

Most organizations reported experiencing more than one threat. The most prevalent issue, which 39 percent of organizations experienced, was that confidential or sensitive information had been maliciously or accidentally leaked through a variety of outlets, including social media and cloud apps. 

For 36 percent of organizations surveyed, a point-of-sale system had been compromised in the past year. An equal number reported that malware had infiltrated their systems but, significantly, were not certain through which outlet the breach had occurred. 

“That’s a significant problem because as organizations are trying to deal with the forensics of how these threats occurred, how data was stolen, how malware infiltrated systems, how ransomware entered – whatever the case may be, if they don’t really know how it entered, it is going to complicate the issue of providing remediation and preventing those problems in the future,” Osterman says. 

This issue is exacerbated by the lack of visibility into retail data, with only 1 in 10 retail organizations reporting complete visibility into data on their corporate systems. More than 2 in 5 have only minimal visibility. 

“If organizations don’t know where their data is, what data they have, it’s sensitivity, what have you, that’s going to create problems in terms of protecting the data,” says Osterman. “And you’ll be that much more liable for data breach or data loss in some way.” 

3 Ways Retailers Can Protect Against Data Breaches 

Luckily, tech-minded retailers can take these steps to combat the ever-expanding threat landscape. 

1. Understand your data. As retail networks shift from being centralized to using the internet as a fundamental communications channel, often with data flowing across four or five channels, it is paramount to understand how the data is being used and how it’s moving. This is particularly important as organizations across the sector adopt cloud computing practices. “Even in the context of things like encryption, if you don’t know what data you have or how sensitive it is, if it hasn’t been classified properly, it is going to be that much more difficult to know what to encrypt,” says Osterman. 

2. Deploy automated processes. Traditional manual or onsite protection methods aren’t just outdated, but they also create the opportunity for risk, says Fulton. Next-generation firewalls can help eliminate this risk by automating threat detection and providing full visibility into where and how data is moving. “The system should do the heavy lifting through automation to be able to apply [high-level security] policies,” says Fulton. Moreover, automated processes can create operational efficiencies across organizations by providing centralized control of a distributed environment, “freeing up resources necessary to move the business forward as opposed to the technology,” says Fulton. 

3. Employ microsegmentation. As the WannaCry and Petya attacks showcase, keeping patches up to date is proving key in protecting organizations. But while most security vendors are relatively quick to patch vulnerabilities once they are identified, retail organizations themselves are much slower. In fact, only 3 percent of organizations will apply patches within 24 hours after they are issued. The vast majority take at least three days to patch vulnerabilities. 

This is not just because retailers are sitting on patches. Many highly distributed organizations often require security teams to test patches to ensure there are no unintended consequences. 

So, while many organizations may not patch systems right away, they can create segmentation in their security infrastructure to ensure that critical data cannot be reached even if a breach occurs. 

“Organizations, in light of some of the POS terminal breaches, have begun [microsegmentation] to segment out the critical systems — the POS terminals, the card validation infrastructure and the data storage — so there are only a limited number that access can be had to that critical data,” says Osterman.