The Rush to Deploy the Latest In-Store Technology is Compromising IT Security
Digital transformation is accelerating the pace of change within the store environment. Retailers are under pressure to move quickly to implement the latest in-store capabilities to help separate themselves from the competition and provide a reason for repeat trips to the store. These retailers are blurring the physical and digital worlds to drive deeper customer engagement, loyalty, and emotional connections with a brand.
In practice, this translates to an avalanche of new technology and data analytics tools sweeping into retail outlets large and small. Self-checkout kiosks and mobile point-of-sale devices promise to enhance convenience for customers. In-store Wi-Fi, dressing room tablets, RFID, and augmented reality capabilities aim to enhance engagement and customer service capabilities.
Connected devices that monitor heating and cooling, on-shelf inventory, and interactive digital signage are transforming operations and optimizing the way stores are managed. To the customer, these changes and technology implementations should appear seamless. But to the retailer, adopting these capabilities creates many challenges and represents a radically different way of doing business within the store environment.
The Risk Behind the Reward
Retail is prime for fresh ideas and new approaches; the technologies being introduced in brick-and-mortar locations really do help to elevate the customer experience and create an incentive for shopping offline and driving purchase intent.
At the same time, these new technologies and endpoints in retail environments — mobile devices, SaaS applications, kiosks, IoT, mobile point of sale, and Wi-Fi — offer an expanded attack surface for bad actors to exploit. And, alarmingly, many store networks rely on outdated on-premise hardware models that introduce single points of failure and open the door to vulnerabilities, malware attacks, breaches, and just about every threat the digital age presents.
Omnichannel retail has created complex security architecture for retailers to manage and maintain on their own, leaving traditional defenses outdated and ineffective. This is exacerbated by the fact that many new technologies, particularly IoT devices, have not been designed with security in mind. As a result, many new in-store technologies have increased complexity for IT teams to manage and unruly security environments to tame and control.
Consumer-driven technologies and rising expectations will only continue to accelerate change, forcing retailers to rethink long-term security strategies, adopt agile network security architectures, and replace legacy patchwork solutions that heighten risk. According to The State of Network Security report for 2016-2017 from Forrester, 40% of enterprises are upgrading or planning to implement next-gen firewalls within the next 12 months.
Investing in adaptive security architecture, such as cloud-based firewalls, helps retailers keep pace with the rate of change in the evolving retail landscape. Otherwise, legacy defenses may work against you, creating an environment ripe for compromise.
Bolstering Digital Defenses
Considering how much variety exists in physical retail environments and how many new technologies and endpoints have come into play, there is not a one-size-fits-all approach to security. However, there are specific strategies and considerations that all retailers should focus on as they strive to turn current vulnerabilities into strengths:
1. Be mindful of segmentation. Today’s retail environments are full of dozens of new endpoints, and many are vulnerable to malware infections and exploits that can bring down the entire retail network if not segmented properly. The risk is even greater when seasonal and contract employees are added to the mix — remember that threats arise both internally and externally.
Protecting the retail environment begins with retailers securing access methods to the internet from the physical store, especially for IoT devices and guest Wi-Fi systems. They must also properly segment the IoT subnet from employee, POS, and guest Wi-Fi subnets — with separate policies for the internet — while ensuring that in-store devices have restricted communications with only whitelisted IP addresses. This year, 85% of enterprises plan to introduce IoT devices, but only 10% feel confident in their ability to secure them. Make sure you fall into that minority.
2. Cut down on operational complexity. Moving from on-premises hardware models to the cloud reduces management complexity, especially for retailers that operate large store networks but have strained IT resources and limited budgets. With cloud-based firewalls, updating and refining security policies for the various store subnets across the retail network is streamlined, resulting in simplified and more robust security architectures.
The days of retailers managing and patching anti-malware on individual endpoints across the retail network are over. The time cost is too great, and the risk introduced by a single unpatched endpoint is too high. According to Forrester’s Top Cybersecurity Threats In 2017 report, software vulnerabilities accounted for 42% of external intrusion attack methods in 2016.
3. Don’t stop at PCI compliance. While PCI compliance is a critical part of a retailer’s security strategy, it’s a little like making sure a lock is on the front door, but not guaranteeing the door stays bolted shut. Cybercriminals are constantly uncovering new entry points and vulnerabilities to invade your store network outside of the cardholder data environment, with the aim of stealing sensitive company and customer data.
It’s vital for retailers to focus not only on the prevention of cyberattacks within the retail environment, but also on the detection of suspicious and malicious activity. Retailers should implement supplementary security measures beyond PCI compliance to build layers of defense. Next-gen firewalls that offer intrusion protection and detection, web content filtering, and sandboxing enable retailers to do just that.
4. Prioritize threat intelligence. Because retailers cannot prevent all attacks, leveraging actionable threat intelligence is imperative to alert retailers when devices and network assets have been compromised and are communicating with unapproved or malicious IP addresses, which could be C2 servers and their botnets. Threat intelligence analyzes for suspicious network communications and alerts to policy violations and vulnerabilities.
Gartner predicts that by 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk.* What’s more, Gartner also predicts that by 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches, up from less than 30% in 2016. The implications for retailers are clear — the time to act and invest in threat intelligence defenses is now.
Innovative technologies help retailers differentiate the customer experience and bring the best of online digital engagement into the store environment. Retailers can build robust layers of defense with adaptive security architectures to better prevent and detect threats or exploits. And within a rapidly evolving omnichannel threatscape, that’s a priority everyone can agree on.
Susan McReynolds is retail strategy manager for Level 3 Communications, where she works with customers, analysts, and industry leaders to keep a pulse on the IT trends and challenges facing today’s om