It’s never been more important for retailers to harden their cybersecurity posture— especially given the documented trend of intensified attacks on retailers during the rapidly-approaching holiday season. We’re excited to attend the 2018 Retail Cyber Intelligence Summit in Denver and look forward to learning from and sharing perspective with the R-CISC community, including some of the top retail companies in the world.
A CISO recently came to us with an all-too-common concern: Despite state-of-the-art investments in security solutions and a leading team, nothing was tying their security framework all together from a threat standpoint. We hear this repeatedly from security teams in industries across the board, and particularly in retail.
At Preempt, we work with numerous retail companies, including brands like Charlotte Russe and Scotts Miracle-Gro, and we place tremendous importance on closely following the needs of our retail partners and customers. Many of the challenges facing retail are unique across industries. Here are three key areas to keep in mind in the lead-up to the 2018 Summit.
Expect increased interest in retail from malicious actors during the holiday season.
The retail industry’s seasonal nature means hackers have particular times where they know disguising their activity is easier than others. We already know that attacks against retailers are on the rise, and a July report found that U.S. retailers lead the world in data breaches.
Retail enterprises represent unique target for attackers, given the wealth of real-time personal data many maintain around customers, as well as complex supplier and partner relationships. R-CISC has previously highlighted the importance of increased security awareness during peak retail months (typically October to January), given the dramatically increased shopping activity and overall pace of business operations, increased staffing needs, and greater stress on supply chain and logistics. The National Retail Federation expects retail sales to increase 4.5 percent this year, and depending upon which forecast you’re reading, holiday season sales could be a record (eMarketer forecasts ecommerce to grow 15.3 percent in the holiday season this year). As R-CISC points out, attackers know that the holiday season is time-critical for retailers and presents an opportunity to place additional pressure for ransomware and other malicious activities. Stay vigilant!
Shifting assets to cloud shouldn’t mean a weaker security posture.
Retailers are increasingly shifting assets to the cloud, in an effort to improve operations, increase visibility into the supply chain and overall business, and scale at greater speeds, among other reasons. Analyst firm Markets and Markets estimates the size of the retail cloud market will grow to more than $28 billion in 2021, up from approximately $11 billion in 2016. As organizations move to the cloud, they often sacrifice visibility and security, with cybersecurity solutions increasingly siloed. Retailers beware: with complex IT environments, a transition to cloud should not mean losing visibility, access or control.
It’s important to avoid the false sense of security enterprises often experience when they transition to a cloud environment, given the trust placed in cloud providers. It’s a common misconception that the burden falls on the cloud provider: Gartner predicts that between this year and 2022, “at least 95% of cloud security failures will be the customer’s fault.”
By embracing identity and access threat prevention, your cloud strategy can safeguard your organizational assets while enjoying the flexibility and scalability of cloud computing. First, you must maintain visibility into all platforms (on-prem, cloud and hybrid) and applications, and gain a complete understanding of which users are accessing what, including applications like Office 365 and Workday. You should consider scoring every user based on identity, behavior and risk to maintain a fluid and adaptive security posture.
Along with this holistic visibility into your enterprise environment, you should be ready to anticipate and respond to threats in real-time before they impact your business. Whether it’s a malicious actor looking to steal credentials, conduct reconnaissance or move laterally within your environment, or even a simple insider threat where employees make mistakes (over-privileged accounts, weak and improperly shared passwords), you will want to put a proactive approach in place to protect your organization. Identity and access threat prevention has never been more critical.
Education is key: Every member of your organization should be cyber aware.
Every employee is on the frontline of your organization when it comes to cybersecurity. With phishing, malware and stolen credentials on the rise, you need to equip your organization’s personnel, and not just security or IT, with an understanding of the rapidly evolving threat landscape. Invest in training and education, particularly with the holiday season approaching.
Of course, employees aren’t always receptive to training. But you need to start with the fundamentals and ensure consistent policies are enforced, such as by requiring strong passwords and consistent multi-factor authentication. Your employees, from IT and beyond, should clearly understand that your organization is a 24/7 target, and your organizational data is a prime target for malicious actors.
Your strategies for employee education might include:
- Encourage them care about cybersecurity: Explain how security affects each and every employee regardless of job role, and consider rewarding them for their efforts to deflect malicious actors and attempts
- Start early: Consider teaching best practices during the onboarding process, and having refreshers throughout the year—particularly during the holiday season
- Find advocates: Identify people within your organization who can lead on the issue and incentivize them to help their colleagues stay vigilant
- Consider a live exercise for your IT / SOC: your experience wargaming a potential threat can be invaluable—and even fun
By emphasizing seasonal readiness, holistic visibility and security controls in the cloud, and organization-wide cybersecurity awareness, retailers can build their security posture to face today’s complex array of cybersecurity threats. We look forward to meeting with our customers, partners and peers at the third annual Retail Cyber Intelligence Summit in Denver.
A version of this post originally appeared on the R-CISC blog here.