How Retailers Can Protect Consumer Data
Customer information yields incredible power for today’s data-driven retailers. Yet with growing volumes of individual consumer data flowing across the network, cybercriminals are eager to exploit both online and offline vulnerabilities.
Customer relationship management (CRM) analytics platforms fuel highly personalized, targeted marketing campaigns and programs, driving top-line and bottom-line results. But whether it’s being transported between your cloud service providers (CSPs) or simply being pulled from the data center, personally identifiable information (PII), financial data and other valuable customer data must be protected as it is collected, connected and distributed across the network. With IT resources overloaded and data analytics platforms in overdrive, security controls must be kept top of mind.
This is true across the omnichannel environment; however, some retail channels are more vulnerable to exploitation than others. To avoid losing ground, pay special attention to certain critical aspects of your organizational defenses.
3 Weak Links to Fortify
Here are three vulnerable omnichannel attack vectors IT security teams should consider in 2018:
1. Customer Contact Centers
Contact centers are a gateway into fraudulent activity and social engineering aimed at stealing customer data. All those reward points? Cybercriminals want to cash in or transfer your customers’ loyalty points to redeem digital gift cards, making account takeover and loyalty program fraud a growing concern. In fact, 61 percent of fraud losses occur from account takeovers through call centers. And it’s easy for call-center agents to become targets of cyberthieves testing dark web-acquired credentials and making fraudulent purchases. Gartner estimates that “by 2020, 75 percent of omnichannel customer-facing organizations will sustain a targeted, cross-channel fraud attack with the contact center as the primary point of compromise.”
2. POS Infiltration
In recent years, the majority of retail breaches have resulted from point of sale (POS) compromise and exploitation of zero-day vulnerabilities. Since affected retailers were unaware their networks had been infiltrated, attackers were able to continue stealing credit card data and PII undetected for four months to six months. This time frame corresponds to the average 197-day dwell time experienced by breached retailers. Imagine the amount of stolen data cybercriminals could obtain if left undetected inside your network.
3. In-Store Endpoints
With more retailers deploying digital capabilities to drive in-store conversions and customer loyalty, the physical environment becomes a more magnified attack surface for cyberthieves every day.The latest in-store endpoints and bleeding-edge technologies accelerating digital transformation — augmented reality (AR), Internet of Things (IoT), Wi-Fi, mobile POS — are difficult to secure and create complex security architectures ripe for compromise. Ensuring the safety of data collected across omnichannel endpoints is paramount. And yet more than half of respondents to the Retail Edition of the 2017 Thales Data Threat Report said their organizations deploy advanced technologies such as cloud computing, big data and IoT before having the security in place to protect them.
3 Areas to Bolster
Fortunately, even with the constant influx of traffic crossing retail platforms and systems, it’s not too late to shore up organizational defenses and security controls to help protect sensitive consumer and corporate data.
1. Patch Management Review
In security, the basics are essential. Given the KRACK WPA2 Wi-Fi vulnerability announced late last year, it’s vital to ensure your store Wi-Fi systems are patched.
Attackers can exploit the WPA2 vulnerability to decrypt a wealth of sensitive data, such as credit cards, passwords, email addresses and more. With guest Wi-Fi systems feeding analytics platforms, you need to make sure your customers’ data is protected when they connect in-store. Luckily, you can patch and update your network to protect vulnerable equipment.
And patching goes beyond the store environment. Corporate servers may not be patched against the recent Apache Struts software vulnerability, putting sensitive data and the corporate network at risk.
2. Threat Intelligence
Focus your security controls not only on prevention, but also on detection capabilities to help minimize dwell time. Attackers will find a way to penetrate your network if they want; it just takes one employee clicking on the wrong email link to embed malware that can penetrate deep into your network.
According to a recent survey taken during the annual Black Hat conference, the largest hacker conference in the world, 59 percent of hackers identified phishing as the best strategy for data exfiltration.
Furthermore, with 80 percent of consumers indicating they would stop doing business with a company because their PII was affected in a security breach, you can’t afford to ignore advanced threat detection capabilities.
3. Encryption Technology
End-to-end encryption is fundamental to your data protection practices, with 96 percent of retailers estimated to leverage end-to-end encryption by the end of 2019.
Deploying wavelength encryption technologies vs. application layer or IPSec enables retailers to double down on data security without performance issues or latency degradation. Today’s real-time retail environments require IT leaders to architect secure, efficient and low-latency networking solutions to drive competitive advantage.
The bottom line for retailers? Your network architecture and infrastructure can harbor vulnerable endpoints across today’s complex customer journey. With an ever-expanding retail attack surface, you’re only as secure as your weakest link.
Susan McReynolds is the retail strategy manager for CenturyLink, where she works with customers, analysts and industry leaders to keep a finger on the pulse of the IT trends and challenges facing today’s omnichannel retailers.
