5 Cyber Threats Retail Businesses Need to Know Right Now

Convenience is the natural enemy of security. Even though security often means creating a process of more sophisticated checks and verifications, convenience often means less of those things actually happen. People are in a rush and they want to get things done now, even if that means they may jeopardize their online safety. Retail businesses now find themselves in a similar situation, as inconveniencing the customer in any way can result in the loss of sales if the problem is not corrected—and fast. An antsy customer may choose to go with a competitor if they provide a simpler and quicker path to completion.

In the world of retail, ignoring security is also a recipe for disaster, as the chance of being hacked, infected, or targeted for data theft could spell the end of profits. Customers want to transact with retail establishments who offer as much convenience as possible with a reasonable level of cyber defenses in place, a situation that is not always easy to achieve.

At the end of the day, it’s important to implement an effective cyber defense policy that doesn’t break the bank, one that can be set up with convenience as a top priority. To accomplish this, businesses must identify the key threats they are facing and how they can be mitigated. Here are some to consider:

1. Mandatory GDPR Compliance
The General Data Protection Regulation (GDPR) is a regional legal framework that took full effect last May 25, 2018. Under GDPR, the European Union has decreed all businesses operating in EU-member states must follow strict guidelines when handling and storing the personally identifiable information of customers. Breach of the regulation comes with a hefty fine—namely, four percent of the company’s annual global income or €20 million, whichever is higher. Non-compliance is not an option for any retailers, a reality that is sure to affect their bottom line.

How can GDPR compliance be met?

•  Do not deal with any suppliers who may have questionable backgrounds.
•  Ensure there is a system on your official website about how customers can download their data that has been collected.
•  Make sure to explicitly ask for customer’s consent when personal data from the customer is needed to process a transaction.
• Set up an elaborate logging capability where all actions performed on customer data can be consistently tracked.
• When a data breach happens, be transparent. Hiding any security incidents for more than 72-hours after the discovery is enough to warrant a penalty.

2. Employee training
Because they sit on the front line of security, all employees need to be knowledgeable about how the retail system works. The human aspect of cybersecurity has been highlighted for decades, particularly as cybercriminals make good use of social engineering and phishing attacks designed to deceive unsuspecting personnel. For example, unencrypted data containing important retail information could be lost to ransomware, a problem that could have been prevented if only the employee had not clicked that strange link. This type of phishing is known as spear phishing because it targets individuals users who have access to a system and unwillingly enlists their help in a larger breach of the system.

What can be done with undertrained or unaware employees?

• To motivate employees, implement an open door policy where they can report any incident without fear.
• Formulate policies around the use of computers at work and what employees should do and not do.
• Educate employees on how to use business facilities through an acquisition of a web-based learning system. This reduces the cost of employee education and focuses on creating a safer and more informed environment.
• Establish an acceptable BYOD (bring your own device) policy. There are certain procedures a retail business can implement to lessen the chance of a cyber attack or virus infection invited through the personal devices of unsuspecting employees.

3. Misconfigured Network
Network misconfiguration has been a problem for a long time, especially in a work environment where employees regularly come and go. System administrators who made changes to a network configuration—but failed to properly document it— invite future problems. As the replacement sysadmins take control of the network, they face the inevitable problem of inspecting the network and learning its functions from scratch. There will be times when the new sysadmins may just keep a certain portion of the network setup untouched, mostly because any changes made on their end my create unwieldy problems down the line.

How can you deal with a misconfigured network?

• When it comes to fixing a problematic, undocumented network startup from scratch, there is no quick fix. The only real option is to start from scratch and write high-quality documentation. Successors will then use this written documentation to avoid guesswork and make real improvements down the line.

4. Questionable Electronic POS System
An Electronic Point of Sales (EPOS) system may be developed internally, through a third-party vendor, or in partnership with a bank. Whichever a business chooses, the EPOS system must have a way to regularly update itself to fix newly discovered bugs and security exploits. EPOS systems have a certain “lifetime” and cannot be used beyond this service life, as they gradually become unsupported by the vendor.

How can you deal with the EPOS problem?

• Because new technologies are always being developed to increase the security of EPOS systems, it’s important to acquire one that is guaranteed to patch against newly-discovered exploits.
• As with step 1, make sure the EPOS is GDPR-compliant.
• Insist on upgrading to a market-supported EPOS system. Never use an outdated machine with unsupported software.

5. Untrustworthy and Unverified Wifi-Networks
Some devices used in retail are wifi capable. Only connect to the official wifi network setup for business purposes. Connecting to an open wifi is risky because the owner of the network can feasibly monitor all the connected devices and decrypt all the data transfers.

How can you deal with wifi issues?

• Use DHCP and mac-address registration on the official wifi network. This simplifies network connection and  prevents employees from accidentally connecting with other wifi networks. For the wifi network, use secure wireless protocols like WPA2 or newer.