BASKING RIDGE, N.J. -- Today (Nov. 26) is Cyber Monday, the online retail equivalent of Black Friday and the ceremonial launch of the online holiday shopping season. With a significant spike in traffic expected today, retailers must do everything they can to protect themselves, and their customers, from sophisticated data thieves.
With this in mind, Verizon Business offers this list of top security tips for retailers:
- Go into lockdown: The period between Thanksgiving and two weeks after New Year's Eve is fraught with security threats. At the same time, Web site requests and network activity may be at the year's highest levels. Retailers should not make, or allow, any significant changes to their IT systems leading up to the holidays. They should focus instead on establishing a stable, secure snapshot-in-time of their network to establish a baseline should a breach occur.
- Batten down store networks: Traffic moving between stores and between headquarters and stores is commonly overlooked in retail environments. During the holiday season lockdown, network traffic should be closely monitored for activity that might characterize a security incident. If possible, consider blocking all non-essential store-to-store and store-to-headquarters traffic.
- Know your data: Businesses often do not have a keen sense of their own data: what is vital to the business, where the data is stored, where it flows and who has access to it. At this time of year, retailers must know their data intimately. It is virtually impossible to protect data if a business does not know it exists or where it resides.
- Manage your data retention: Unnecessary data retention is a major trap for retailers. Sensitive data such as consumer- and identity-related information are a goldmine for data thieves, and therefore can be a retailer's greatest exposure. Retailers should inventory all desktops and servers for sensitive data. They should evaluate where and how long data are stored, and whether retention of that data is essential to the business. Unnecessary sensitive data should be purged.
- Protect third-party interactions: While interactions with business partners are part of everyday business, they can also expose organizations to heightened risk. Many third parties can connect remotely, and directly, to a retailer's network without expressed consent. To enhance security within third-party interactions, retailers should only allow third parties to connect to their network with specific approval and/or a trouble ticket, and they should require unique IDs and use two-factor authentication, such as a user name/password and token.
- Pay attention to areas of known vulnerability: Hackers often use in-store wireless access points as entry into retail networks. These areas can be easily exploited. Before the holiday lockdown, ensure wireless store networks are secure and encrypted. Wireless networks should be isolated from other in-store IT systems. Also, consider regularly scanning store-level networks for the presence of unknown devices, particularly those connected via wireless. This can be an effective way to identify a security breach before it becomes a major problem.
- Use strong access controls: Weak usernames and passwords can lead to trouble. Each user accessing a retailer's system, whether an employee or outside vendor, must use a unique ID and strong password. Verizon Business recommends that retailers require two-factor authentication.
- Scan, scan, scan: Retailers should scan their headquarters and store networks regularly for unknown devices and IP addresses. This is especially important for retailers using wireless networks, which are easier for hackers to manipulate. Retailers also should monitor system and application logs for evidence of unauthorized access. Finally, retailers should augment regular scanning with network and application penetration testing.
- Maintain accountability: Retailers should always maintain a thumb on the pulse of what is happening in their networks, particularly at the individual store level. Closely monitor system logs and other sources of security event-driven information. Be prepared to reconstruct security events at any point in time, going as far back as six months. Pay careful attention to vendors and other third parties that have access to sensitive data. When it comes to security, there is no silver bullet; all factors must be weighed and handled carefully and thoroughly.
- Respond quickly: Respond swiftly and decisively to a security incident before it can become a full-fledged breach. Having a thorough, established incident response plan already in place enables businesses to respond in a timely fashion. As retailers know, breaches are expensive and can impact revenue, tarnish company perception, and expose and alienate customers.
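
The "Go into lockdown" and "Scan, scan, scan" tips above combine into one check: compare each store scan against the device baseline captured at lockdown. The sketch below is an added example, not Verizon Business code; the addresses, the `arp -an`-style sample output and the function names are constructed for illustration.

```python
import re

# Constructed baseline: devices approved at the start of the holiday lockdown.
BASELINE = {
    "10.20.1.1": "00:11:22:33:44:55",   # store router
    "10.20.1.10": "00:11:22:aa:bb:01",  # POS terminal 1
    "10.20.1.11": "00:11:22:aa:bb:02",  # POS terminal 2
}

# Constructed scan output, in the style of Linux `arp -an`.
SCAN = """\
? (10.20.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (10.20.1.10) at 00:11:22:AA:BB:01 [ether] on eth0
? (10.20.1.11) at de:ad:be:ef:00:99 [ether] on eth0
? (10.20.1.57) at 02:42:ac:11:00:07 [ether] on eth0
? (10.20.1.80) at <incomplete> on eth0
"""

ENTRY = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9A-Fa-f:]{17})\b")


def parse_scan(text):
    """Return {ip: mac} for resolved entries; '<incomplete>' rows are skipped."""
    return {ip: mac.lower() for ip, mac in ENTRY.findall(text)}


def compare(baseline, observed):
    """Classify observed devices against the approved lockdown baseline."""
    findings = {"unknown_device": [], "mac_changed": [], "missing": []}
    for ip, mac in sorted(observed.items()):
        if ip not in baseline:
            # Address never approved: possible rogue or newly attached device.
            findings["unknown_device"].append((ip, mac))
        elif baseline[ip].lower() != mac:
            # Approved address answered by different hardware: swap or spoofing.
            findings["mac_changed"].append((ip, mac))
    # Approved devices that did not answer; worth a look during a change freeze.
    findings["missing"] = sorted(ip for ip in baseline if ip not in observed)
    return findings


if __name__ == "__main__":
    for kind, items in compare(BASELINE, parse_scan(SCAN)).items():
        print(kind, items)
```
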