Tech Guest Viewpoint: POS - Point of Weakness: Five Security Steps
Retailers and hospitality enterprises have a weak point unique to their business – the point of sale (POS) device. Despite significant investment in security, it’s still too easy for cybercriminals to access corporate networks via POS.
POS devices handle most of the payment card transactions around the world for retailers, restaurants, hotels, grocers, and gas stations. Because these systems are highly interconnected and accessed by numerous employees and other devices, they remain a highly lucrative target for organized cybercrime.
Compromised POS systems were the source of recent, major data breaches at Target, Hilton Worldwide, Trump Hotels, Neiman Marcus, Subway and many others. Experts speculate these systems are targeted because they are often outdated and unpatched. Third-party vendors using default and shared passwords, poor enforcement of corporate password policies, and phishing attacks are often to blame for providing bad actors with initial access points.
Once inside a retailer’s corporate network, lax internal controls and configuration errors mean cyber criminals often have unfettered access to every cash register, allowing them to remotely install POS-specific malware that collects customer credit card information and transmits it straight to black market crime rings.
It’s past time for businesses to examine and enhance POS security capabilities. Taking the following five steps can mitigate your risk of a compromised POS, while preserving the powerful business benefits of these systems.
1. Take a Hard Look at Your Baseline Security Practices and Act on Critical Gaps
POS security breaches typically start with a breach of the corporate network. The first step in protecting POS devices is to ensure baseline security practices are being followed. Are your users creating strong passwords? Are they changing them regularly? Are your network connections protected by a firewall? Is your network traffic filtered for malware? Are your employees’ BYODs screened before coming onto your network?
While these read like standard operating procedures, buttoning them down will substantially reduce your risks. During installation, POS vendors often use system default passwords for simplicity but fail to change them later. It’s a simple matter for hackers to find these passwords online.
2. Enforce Your Security Standards with Outside Vendors
Your security is only as good as the weakest link – and that may be your outside vendors who have access to your network. Are they adhering to your security standards? How do you know? Target’s record-breaking data breach came through a the hacked credentials of a Target refrigeration vendor – resulting in 110 million compromised customer records, lost business, class action lawsuits, government investigations, and the resignation of the CEO.
3. Implement all POS-specific Security Measures
Today’s POS devices are mission-critical, sophisticated business devices. Every POS implementation should have a robust, modern security solution. It should leverage the power of the cloud, continuously update in real time to keep pace with dynamic POS-specific malware, and guard against today’s multi-layered threats. It should not shut down the POS – and shut down sales – through too many “false positives” or limit the POS’s functionality – and its value to your operations – by handcuffing its use.
4. Develop Patch Protocol: Update POS Applications Regularly
POS systems are function-specific computers and, like any desktop or notebook PC, they are vulnerable to attacks when software updates and patches are not downloaded and installed. Application vendors spend considerable time bug-fixing and addressing critical security fixes. Make sure that good work makes it onto your POS devices as soon as possible.
5. Raise Awareness: Continuous Training Strengthens Front Line Defenses
Even the best laid plans still rely on people to execute them. Despite all the publicity about the risks of infected emails and websites, over 23% of recipients open phishing emails, and 11% click on phishing attachments. Nearly 70% of attacks involve inadvertent download of a malicious file from an infected website.
Employees need to be kept informed of risks, trained in proper security precautions, and retrained regularly to ensure the messages stick. Regular emails to your team and online training can make this a much more streamlined and effective process.
Taking these five steps will ensure your organization realizes the benefits of its POS investment to maximize sales and productivity, while still maintaining control over POS security. As we approach 2016, the very real business, legal and regulatory risks of a data breach can no longer be ignored. Securing your POS systems is a critical first step in strengthening your entire organization from the inside out.