
How to give your network better security than the Louvre

The Louvre in Paris, France.

The recent Louvre heist exposed shocking security lapses at one of the world’s greatest museums – make sure your cybersecurity has higher standards.

I don’t need to revisit all the details of the recent daylight robbery at the Louvre, the art museum in Paris that houses some of the world’s most valuable art treasures. Thieves got through some surprisingly lax security measures to make off with priceless items, including the crown jewels of France, and it remains to be seen how many stolen pieces will be recovered.

While protecting a physical building is obviously a different task than securing a digital network, there are still some lessons retailers can learn about what to do (and not to do) with their cybersecurity efforts.


Watch for social engineering

Social engineering is the practice of bad actors using research or deception to obtain information about a company or its employees. They can then leverage this data to obtain entry into a company’s protected networks or receive classified materials in a variety of ways.

In the case of the Louvre robbery, the thieves apparently gained access to the museum’s internal surveillance camera system by guessing its password, which was “Louvre.” This enabled them to deactivate the cameras, which helped the robbers slip by guards undetected.

At minimum, ensure all your network systems have strong passwords that cannot be easily guessed and are regularly updated. Also make sure your employees are trained to spot social engineering scams, such as “phishing” emails that spoof legitimate requests for personal or company information, which attackers can use to compromise the integrity of your network security.
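The camera system password in the story was simply the museum’s own name. The check below, an added example rather than anything from the column, screens a system inventory for passwords that are too short or derived from the organization’s own names and brands (case, leetspeak and reversal included); the organization terms and the inventory are constructed for illustration.

```python
"""Password policy check that catches organization-name passwords.

Added example, not code from the original column. The organization terms
and the system inventory below are constructed; adapt both to your own
environment.
"""
import re

# Common symbol-for-letter substitutions, undone before comparing to org terms.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed list: the organization's own name, brands, sites and products.
ORG_TERMS = ["Louvre", "Musée du Louvre", "Pyramide"]


def normalize(text: str) -> str:
    """Lowercase, undo leetspeak, strip anything that is not a-z."""
    return re.sub(r"[^a-z]", "", text.lower().translate(_LEET))


def check_password(pw: str, org_terms=ORG_TERMS, min_len: int = 14) -> list:
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    core = normalize(pw)
    for term in org_terms:
        t = normalize(term)
        # Very short terms would match too much; require at least 4 letters.
        if len(t) >= 4 and (t in core or t[::-1] in core):
            problems.append(f"derived from organization term '{term}'")
    return problems


def audit_passwords(inventory: dict) -> dict:
    """Map each system to its violations, keeping only systems that fail."""
    return {system: check_password(pw)
            for system, pw in inventory.items() if check_password(pw)}


if __name__ == "__main__":
    # Constructed inventory of system credentials, for illustration only.
    inventory = {
        "surveillance-cameras": "Louvre",
        "badge-server": "L0uvr3!2025",
        "vpn-gateway": "correct-horse-battery-staple-42",
    }
    for system, problems in audit_passwords(inventory).items():
        print(f"{system}: {'; '.join(problems)}")
```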

Check every window

The Louvre thieves initially gained entry to the museum by using a basket lift to reach a rear window, which they then forced open without triggering an alarm while the large, clunky basket lift went undetected.

The “windows” to your network are any device or access point an intruder could compromise to directly or indirectly gain entry to your network. They include elements like corporate websites and portals, email addresses, social media accounts, computers and mobile devices.

In an age of remote employment, network windows also can include personal employee devices, emails, social media sites, etc. Any employee whose personal equipment or online postings (a prime source of social engineering information) could be used to break into your corporate network needs to follow strict corporate security protocols.

Network windows also include the devices, systems and online presence of your third-party partners and contractors. Many retailer cyberattacks have been traced back to the successful hack of a partner’s network, which allowed bad actors to slip into the retailer’s systems under the guise of being a trusted outside entity.

Follow up promptly

Even the best security precautions can never 100% guarantee a network intrusion will not occur. When one does, it is critical to immediately launch a multi-pronged follow-up initiative that includes cooperating with law enforcement, utilizing internal and third-party security experts, and notifying any customers or employees who may have had personal data exposed.

In terms of following up on the heist, the Louvre deserves credit for immediately engaging with the authorities and initiating a search for the stolen property (obviously there was no issue of notifying anybody, as it was global breaking news). As of the posting of this column, three of the four suspected thieves are in custody, although most of the stolen property remains unrecovered.

However, the Louvre failed at another critical follow-up: acting on a 2015 security audit that warned its security was seriously out of date. The museum has been in a long, slow security update process that was on track to conclude in 2032.

Retailers should perform regular cybersecurity audits and follow up on any recommendations immediately, rather than give criminals 17 years to discover and exploit their network shortcomings.
