Retail Security Hygiene: The Case for Seasonal Checkups

The winter holidays offer big potential for retailers, with some companies earning around 30 percent of their annual revenue during the season, according to the National Retail Federation. Big sales numbers, however, also drive increased risks of fraud and theft, and businesses are now spending on extra security measures to keep physical stores safe.

But this is only half the battle. With retail stores moving online and hiring seasonal staff to bridge the holiday gap — not to mention handling employees who are more focused on holiday breaks than network breaches — it’s worth taking stock of retail security hygiene and revisiting how to protect consumer data from opportunistic cybercriminals.

Here’s how a seasonal hygiene checkup can help mitigate three top retail risks.

Fight E-Commerce Fraud During the Holiday Season

Online fraud jumps during the holiday season. As reported by PYMNTS, while total transactions rose 19 percent, online fraud increased by 22 percent from Thanksgiving to the end of 2017. There’s no single point of fraud failure across retail e-commerce stores, but threat actors continue to prioritize phishing emails as the primary point of compromise. If attackers can convince customers or employees to open attachments or follow malicious links, both purchase fraud and network infection are possible.

So how can companies assess their current security hygiene around e-commerce? It starts with simple questions: What do common attacks look like? What are the likely threat vectors? What are the potential costs? If retail organizations aren’t sure of the answers, they’ve got work to do. As U.S. Attorney Erin Nealy Cox wrote in Forbes, companies should create common threat profiles that allow IT teams to focus on vulnerable areas and develop specific countermeasures.

Simple processes — such as locking accounts after multiple failed login attempts and putting a limit on multiple purchases made over short timespans — can help, but it’s also a good idea to leverage automated, real-time fraud detection solutions to help identify attack patterns and reduce total risk.
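The two simple processes named above can be sketched in a few lines. This is an added example, not code from the article or any vendor; the thresholds, class name and event format are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the article); tune them per store.
MAX_FAILED_LOGINS = 5      # consecutive failures before lockout
MAX_PURCHASES = 3          # purchases allowed per sliding window
PURCHASE_WINDOW_S = 600    # window length in seconds

class Controls:
    def __init__(self):
        self.failed = defaultdict(int)       # account -> consecutive failures
        self.locked = set()                  # accounts awaiting manual unlock
        self.recent = defaultdict(deque)     # account -> purchase timestamps

    def login(self, account, success):
        if account in self.locked:
            return "locked"                  # refused even with a correct password
        if success:
            self.failed[account] = 0
            return "ok"
        self.failed[account] += 1
        if self.failed[account] >= MAX_FAILED_LOGINS:
            self.locked.add(account)
            return "locked"
        return "failed"

    def purchase(self, account, ts):
        window = self.recent[account]
        while window and ts - window[0] >= PURCHASE_WINDOW_S:
            window.popleft()                 # drop purchases older than the window
        if len(window) >= MAX_PURCHASES:
            return "review"                  # hold for fraud review, do not count it
        window.append(ts)
        return "allow"

def replay(events):
    """Run (kind, account, value) events through the controls in order."""
    c = Controls()
    return [c.login(a, v) if kind == "login" else c.purchase(a, v)
            for kind, a, v in events]

# Constructed sample events: five bad logins, then a correct one; a purchase burst.
SAMPLE = ([("login", "alice", False)] * 5 + [("login", "alice", True)] +
          [("buy", "bob", t) for t in (0, 60, 120, 180, 800)])

if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", result)
```

The sixth login shows why lockout state must be checked before the password result, and the last purchase shows the window clearing once the burst has aged out.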

Seasonal Staffing Concerns

To handle seasonal crowds without compromising customer service, many organizations hire extra staff during the holidays. According to Retail Dive, experts predict that retailers will bring on 650,000 seasonal employees to help offset consumer demand this year. To do their jobs, seasonal workers need access to point-of-sale (POS) networks, checkout systems and any mobile applications used by the company. This is the next hygiene shortfall for many companies: hiring new employees without effective security onboarding and offboarding.

Consider a staff member who receives access to POS systems that are connected to back-end corporate networks. Inadequate training has them leaving sessions open and sharing passwords with co-workers, while minimal offboarding means they may retain login details and/or remain on internal permissions lists. As noted by Channel Partners Online, better security in this case starts with segmentation: POS and other sales systems should always be logically separated from other network services to prevent unintentional — or malicious — compromise.

Identity and access management (IAM) tools are also critical. IT teams need a way to control access for all retail workers — even those employed for only a few months — at a granular level to help protect consumer financial data and corporate intellectual property (IP). By assigning seasonal workers access roles with privileges that allow the completion of day-to-day tasks but don’t permit extraneous activity, retailers can boost both in-store and online security. Additionally, IAM solutions make it easy for network administrators to remove seasonal accounts and privileges when the holidays are over.
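A post-season audit of an account export is one way to check both points above: that seasonal roles stay within their day-to-day privileges and that accounts are removed when the contract ends. This is an added example, not the output or API of any IAM product; the permission names, record fields and dates are hypothetical and the sample records are constructed.

```python
from datetime import date

# Assumed least-privilege baseline for a seasonal cashier role (hypothetical names).
SEASONAL_ALLOWED = {"pos.sale", "pos.refund_request", "inventory.lookup"}

# Constructed sample export; a real one would come from the IAM system.
ACCOUNTS = [
    {"user": "s.temp01", "type": "seasonal", "end": date(2019, 1, 5),
     "enabled": True, "perms": {"pos.sale", "inventory.lookup"}},
    {"user": "s.temp02", "type": "seasonal", "end": date(2019, 1, 31),
     "enabled": True, "perms": {"pos.sale", "hr.payroll_read"}},
    {"user": "s.temp03", "type": "seasonal", "end": date(2019, 1, 5),
     "enabled": False, "perms": {"pos.sale"}},
    {"user": "m.perm01", "type": "permanent", "end": None,
     "enabled": True, "perms": {"pos.sale", "pos.admin"}},
]

def audit(accounts, today):
    """Return (user, finding, detail) tuples for seasonal accounts only."""
    findings = []
    for acct in accounts:
        if acct["type"] != "seasonal":
            continue                         # permanent staff are out of scope here
        extra = acct["perms"] - SEASONAL_ALLOWED
        if extra:
            # Role carries privileges beyond day-to-day tasks.
            findings.append((acct["user"], "excess_privilege", sorted(extra)))
        if acct["enabled"] and acct["end"] < today:
            # Contract is over but the login still works: offboarding was missed.
            findings.append((acct["user"], "not_offboarded", acct["end"].isoformat()))
    return findings

if __name__ == "__main__":
    for finding in audit(ACCOUNTS, date(2019, 1, 15)):
        print(finding)
```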

How to Protect Consumer Data From Insider Threats

No seasonal security checkup is complete without taking stock of internal employee risks. While Security Magazine noted that 75 percent of these insider threats are accidental, they’re no less risky to retail bottom lines, especially if users accidentally give threat actors complete access to network resources.

Improving security starts with a look at employee time off. Are workers putting in extra hours, pulling double shifts or working straight through the holidays? As noted by Harvard Business Review, 94 percent of employees who take time off for vacation come back to work with more energy and a better outlook. This may not be possible for retail companies during the holiday season, in turn lowering productivity and putting organizations at risk. It’s also worth assessing the number of employees working from home. As the holidays approach and weather gets worse, more and more employees may opt for home offices instead of slippery commutes. But are they logging into network services safely?

The first step for better internal security is to implement two-factor authentication (2FA). This practice helps reduce the chance of accidental logins and limits the ability of threat actors to compromise networks if less-than-productive employees have clicked on infected links or opened malware-laden attachments. It’s also a good idea to invest in virtual private networks (VPNs) and other network safeguards to help prevent bad actors from eavesdropping on remote workers. Email management solutions, meanwhile, can prevent messages with sensitive attachments from leaving secure corporate environments.

Give the Gift of a Security Hygiene Checkup

With the winter holiday season already upon us, retail companies would be wise to conduct a quick but thorough security hygiene checkup. Start as early as possible to make it easier to identify key threats across e-commerce systems, seasonal staffing policies and employee behaviors. Then, develop a formal process to address these issues and improve security outcomes. This prevents security best practices from sitting on a shelf while retail risks rack up, and provides a blueprint for technology deployment and implementation.
