As retail companies advance new strategies to reach customers, they must also advance cybersecurity. Complying with the PCI Data Security Standard alone is not enough. Compliance didn't prevent major retailers from suffering breaches in 2018. Bypassing PCI-mandated controls, attackers exploited weaknesses in point-of-sale systems, created “backdoor” access through third-party partners, used stolen credentials to hack web applications, and devised ways to syphon payment card data as consumers typed it into web forms. Where there's digital innovation, attackers are on the trail.
Because retailers are typically short on budget and technical staff, focusing on what’s most important to the business is critical. Here are five questions retail leaders can ask to forge improved cybersecurity:
1. Have we set broad sights on the threats?
Credit card data commands US$7.00 to $35.00 on the dark web, so cybercriminals have good reason to steal it. However, there’s no shortage of other attractive targets. Worth $40 to $200, personally identifiable information (PII) can enable loyalty program fraud. Other potential risks include inventory or supply chain tampering, manipulation of physical security systems, or exposure of proprietary logistics or M&A plans. Every company needs a clear view of its unique risk profile.
2. Are we protecting the most critical assets?
Next, make sure security controls, monitoring and incident responders are laser-focused on the specific systems and data associated with top risks. Which systems should be patched first? Which employees especially need security training? Is sensitive data secured at each point in the business process? Which security alerts deserve immediate attention? A recent Ponemon Institute report highlights how difficult this asset awareness is. A good inventory can only be compiled and maintained through collaboration between business and IT teams.
3. Are we securing new business initiatives?
Whether innovation takes the form of brick-and-mortar expansion or new loyalty programs, it always ushers in new cybersecurity concerns. By involving security specialists in the planning cycle, new security mechanisms can “go live” along with other innovations, rather than being bolted on after problems emerge.
4. Can we detect attackers regardless of where they enter?
The need to secure retail applications in the cloud is well-known — but all the more reason attackers may seek less-attended points of entry. Your corporate network should be defended against phishing emails or other efforts aimed at back-office employees. Most retail breaches, like other high-impact incidents, share a key feature: once inside the network, perpetrators move “laterally” to their ultimate targets. Once within striking range of those targets, data can be extracted in seconds. Therefore, retail executives should ask what approach their security leaders are taking to detect attackers early.
5. Are we protecting credentials?
A recent report revealed that 80 percent to 90 percent of online retailers’ log-in traffic was from attackers using stolen credentials. This astounding statistic underscores the urgent need to protect usernames and passwords — of both customers and internal users. Besides using stolen credentials to silently access web apps, attackers use automated tools to “scrape” credentials from the computers they pass through as they traverse the corporate network. Many technologies and services address aspects of credential security, but again, retail leaders should ask what methods their security leaders have employed.
Starting these conversations to stimulate advances in cybersecurity can help retailers ensure the success of their innovation agenda and reduce the risk of major cyber incidents in 2019.
Ofer Israeli is the founder and CEO of Illusive Networks, a cybersecurity firm at the forefront of deception-based cybersecurity.
Prior to establishing Illusive Networks, Ofer was an entrepreneur in residence at Team8, Israel’s leading cybersecurity think tank and company creation platform. Before joining Team8, Ofer served as the team leader at Check Point Software Technologies, Israel’s seminal cybersecurity firm, where he managed development teams around the world focused on Cloud and Document Security Management and Endpoint Security Management.
Ofer started his career as a research assistant in the Atom Chip Lab at Beer-Sheva University, where he focused on theoretical Quantum Mechanics. Ofer holds B.Sc. degrees in Computer Science and Physics from Ben-Gurion University of the Negev, one of Israel’s leading research universities.