Don’t Ignore These Holiday Security Issues
In the lead-up to this year’s holiday season, retailers across the country are already making important preparations in the hopes of increasing sales, improving customer service, and preventing data breaches. This last concern carries with it a heavy price tag; according to a survey from the Ponemon Institute, the average cost of holiday season cyber attacks is $8,000 per minute or nearly half-a-million dollars per hour.
In addition to the high monetary cost for retailers, these types of breaches also impact a significant amount of individual customers by exposing sensitive information. For example, between May 2013 and January 2014, Michaels suffered a data breach that compromised the information of potentially 2.6 million payment cards.
With this and other past breaches in mind, here are four security issues that retailers should be aware of in anticipation of the upcoming holiday shopping season.
Sacrificing security
Often during the busy holiday season, a retailer’s number one priority is to ensure sales. With a heavy influx of customers both in-stores and online, and therefore an increased number of transactions, security can sometimes suffer. An example of this is frequently found in retailers’ point of sale (POS) systems.
POS devices are constant targets for cyber criminals primarily because of their highly distributive nature. A third party is usually involved in the management of a company’s POS system, which in some cases can lead to a lack of understanding by the in-store employees of how the system actually operates and its potential vulnerabilities. This, paired with a retailer’s desire to execute as many transactions as possible in the quickest amount of time, explains why POS devices are frequently the starting points for many intrusions — the Michaels data breach originated in a POS system infected with malware.
Once retailers find a POS system that works for them, they often look for practices that will help ensure it remains reliable for employees and buyers throughout the holiday season. The closer it gets to the busy season the less likely a system update will be performed, as it can prevent possible malfunctions that would slow down transactions and inconvenience holiday shoppers. It is very commonplace for production systems to be "frozen" during peak use periods. Unfortunately, it can also lead to major problems if a hacker is able to find vulnerabilities in the system’s setup. As a result of the frozen configuration, criminals who gain access to a POS system can remain undetected for a great length of time with known vulnerabilities at their disposal. The longer they can persist, the more data they can collect.
Vulnerabilities of the franchise model
When opening a new franchise location, owners are often given a specific playbook on such things as branding, employee practices, and business models. However, when it comes to cybersecurity, these franchise owners sometimes experience a shortage of guidance and support from corporate.
Smaller franchise owners often do not have the resources to build a model on their own that is as effective as enterprise-grade security and monitoring platforms. Yet, the damage of a security breach to a company’s brand occurs at a national level, even if the breach itself only takes place at a handful of franchises in a single city or town. Consumers will ultimately blame the entire company for an instance of compromised data, rather than the individual owners at the affected location.
By creating stronger corporate to franchise/top-down cybersecurity policies and equipping franchise owners with more security resources, both the franchises and companies can better protect their bottom lines.
Prioritizing physical over digital
Though a major focus in past holiday seasons has been physical loss prevention at the inventory and store levels, theft has become more and more digitized. In order to fully address the large spectrum of threats affecting today’s retailer, technologies used for both physical and digital loss prevention need to be paired together.
From a sales perspective, this marriage has already occurred. We have seen the presence of market analytics injected into the physical retail environment in order to better gauge sales information and opportunities. For example, many retailers use video surveillance; Apple’s iBeacon technology, which enables them to track the location of customers near or inside stores and send appropriate sales messages to their mobile devices; and eye-tracking, which measures where consumers look when viewing an advertisement or online article, in order to optimize sales opportunities. Apart from being useful for analyzing shopper behavior, such technologies are also valuable to enhancing retail security.
A truly effective retail security operation makes sure that a company’s digital security and physical security operations are aligned. The retail environment is unique because many cyber breaches are perpetrated through physical action. For example, POS systems become infected with malware after a person is physically able to tamper with a device at the actual point-of-sale. These frequent occurrences illustrate the convergence of digital and physical threats, thereby creating a new type of risk that requires a combined protection plan.
Creating a narrow security timeline
The highest volume of customers, and therefore the greatest payoff for hackers, occurs during the period between Thanksgiving and Christmas. This timeframe, which includes the two holidays along with Black Friday and Cyber Monday, has heightened purchase and transaction activity. As a result, security operations centers are watching more closely for irregular retail activity at this time. However, it is equally as important to begin these operations in the months prior to and after the holiday season.
Most sophisticated hackers have embedded themselves in a store’s system long before Black Friday or Cyber Monday. Just like retailers, hackers take time to make preparations — they patiently wait to spot vulnerabilities that they can exploit or insert malware into. These preparations allow them to strike immediately when the transaction frenzy of the holiday season begins. Recognizing that the setup for holiday hacks begins far before the actual holidays allows retailers to spot potential hacks early on.
By understanding these four issues and constantly monitoring their systems for behavioral changes, retailers can better identify security vulnerabilities early and protect their sales and customers during the upcoming holiday season.