Stuart Facey, VP of EMEA at Bomgar
From Target, eBay and TalkTalk, to this year’s Oracle data breach, it has become increasingly common for big retailers and brands to be victims of large security incidents. In fact, the retail sector has now overtaken the financial services industry as the sector generating the most incident responses following a cyber security breach. These retail responses account for 22 per cent of all those tracked across the 17 verticals that were investigated, according to the annual NTT Global Threat Intelligence Report.
The retail sector is amongst those at the forefront of IoT adoption, driven by the need for seamless customer engagement. There’s a multitude of connected devices being used, from monitored freezer and chiller cabinets, distribution centre drones and smart garment tag scanners to simpler things such as free customer Wi-Fi.
The increasing number of access points and users connecting to a retailer’s network through IoT is opening up possibilities for cyber criminals looking to infiltrate a network or utilise user credentials to access it. With this in mind, it is essential that retailers of all sizes invest in technology that allows them to closely monitor and control who has access to their network, and to which areas of it.
From the customer logging on in-store to see the latest sales, to the cleaner at HQ linking his smartphone to the network to listen to music, every point of access needs to be monitored and controlled to stave off any malicious users intent on breaching security defences.
However, it’s not just customers and employees that should be in focus.
The expansion of product lines is a reality for most growing retail businesses, which often means expanding third-party supplier and merchant networks. In doing so, retailers are having to share access to platforms, data, customer information or other intellectual property. Retailers need to be aware of the exact level of access these third-party vendors have to their networks. If this isn’t sufficiently controlled or monitored, hackers can easily use the vendor’s access to piggyback onto a retailer’s system.
The 2013 breach of American retailer Target’s systems is a perfect example of this danger: a hacker entered the company’s system via its air conditioning vendor’s access and captured the credit and debit card information of approximately 40 million customers (data the vendor shouldn’t be allowed to access). The incident became known as one of the largest data breaches in history.
Unfortunately, many retailers lack visibility and hence don’t realise they are using these insecure remote access methods, which provide a viable attack pathway that hackers can use to gain access to sensitive systems and data.
Research shows that only 35 per cent of IT professionals are confident in knowing the actual number of vendors accessing their IT infrastructure, and just 34 per cent actually know the number of individual log-ins that can be attributed to vendors. This is a vulnerability that can be addressed by implementing an access management solution that provides the ability to control when a vendor can access a network and what data they can access. This solution can also manage access by a retailer’s own privileged users, including their IT support teams and IT administrators. Retailers should look for solutions that record each remote access session and safeguard the transferred data with SSL encryption. By recording and monitoring sessions, if a breach happens, the point of access is easily traceable and the threat can be addressed quickly.
Retailers are investing in firewalls and data encryption tools to protect sensitive customer information. However, hackers still have the ability to work around some of these defences. To combat this, it is vital that retailers all understand who is accessing their systems at any time.
It is advisable that they have the software and processes in place to actively manage who has access to the most privileged credentials in their environment, like domain administrator and root accounts. By regularly changing password credentials, retailers can also neutralise any attacker’s ability to compromise their accounts. The latest PCI announcement called for multi-factor authentication as a requirement for any personnel with administrative access into environments handling card data. The Payment Card Industry Security Standards Council recognises that just a password should not be enough to verify an administrator’s identity and grant access to sensitive information. This alone should be a wake-up call for retailers to quickly address the management of access to their systems.
In the end, it’s not just data and compliance that you need to worry about, but your reputation. After an attack takes place and becomes public, the perception by media and customers can quickly become negative and could have a devastating effect on the future of your business. To safeguard future operations, it’s essential that retailers act now to protect themselves from the immediate and lasting effects of a breach. Only through implementing stricter processes to monitor and control network access across the countless number of access points and devices will a retailer be able to fully gain the appropriate insight into who is doing what on their network.