Physical security is important in retail. Yet cybersecurity is something that retailers shouldn’t ignore either. This article takes a look at cybersecurity best practices for retailers.
Cyber risks against retailers
Statistics have shown that retailers are targets of cyberattacks and threats. According to StationX, 38 percent of retailers see cybersecurity and theft of customer data as one of the top three threats to their business. There’s also no shortage of cyber incidents against retailers. In September 2023, news broke of a ransomware attack on two of the biggest U.S. hotel and casino chains – Caesars and MGM – in one stroke, according to Kaspersky.
“Retailers have suffered from severe cyberattacks by cybercriminals seeking to harvest credit card data and customer information,” said Rui Barbosa, Category Manager for Surveillance Products at i-PRO. “Installing inexpensive surveillance cameras or other IoT devices that don’t conform to rigorous standards, such as FIPS 140-2 Level 3, is a way to increase the likelihood that such devices are used as an attack vector.”
According to Steve Womer, SVP of Engineering at Interface Systems, one of the most common attack vectors has been through compromised Point of Sale (POS) systems. “Hackers have targeted POS systems to gain entry into the retailer’s network since these systems are generally the least secure link in any retailer’s network infrastructure. Most POS attacks succeed because of vulnerabilities in the operating system. The reality is that many retailers often struggle to manage the sheer number of in-store terminals, self-service kiosks, and mobile payment devices,” he said.
Addressing cybersecurity challenges
To address the aforementioned cybersecurity challenges, retailers should follow a set of best practices to prevent hacks and customer data theft.
“Retailers should prioritize robust cybersecurity measures such as network segmentation, encryption of sensitive data, regular security audits, and employee training on phishing and malware awareness. Implementing advanced threat detection systems and incident response plans is crucial for early detection and mitigation of cyber threats. Additionally, maintaining up-to-date software patches and collaborating with cybersecurity experts can enhance resilience against evolving cyber threats in the retail sector,” said Scott Thomas, National Director for Signature Brands at Genetec.
Since security devices may be threat vectors, these devices should be properly protected and preferably NDAA-compliant.
“The risk of unauthorized access to surveillance footage – which can lead to privacy breaches, theft of sensitive information, and penalties from regulators – was one of the factors which motivated the introduction of NDAA requirements in the U.S. Choosing equipment certified to NDAA standards provides an obvious and easy way for retailers to reduce their risk,” said Jamie Barnfield, Senior Sales Director at IDIS.
He added: “We are also seeing increasing sophistication of cyber threats such as malware and ransomware, which can compromise the integrity of surveillance systems. This risk can be mitigated by putting surveillance on a separate VLAN; this not only limits bandwidth impact (which can be a factor in busy shopping malls where multiple stores are all using the same network) but helps protect mission-critical retail and payment systems, as well as customer data such as financial information.”
As for attacks against POS systems, retailers must make sure their POS systems are well protected.
“If point of sale systems are on the same network as security systems, care must be taken that hackers cannot piggyback onto POS systems from an inadequately secured camera or door reader, for example. Using a VMS adds security to cameras by default and builds resilience into the security system to ensure it remains protected from cybersecurity attacks including distributed denials of service, a popular way for hackers to overwhelm and take over a system,” said Martin McGrath, Sales Manager for UK and Ireland at Milestone Systems.
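Both Barnfield and McGrath make the same point: surveillance devices and POS terminals should sit on separate network segments, and any traffic crossing between them should be explicitly permitted rather than assumed. The script below, an added example that is not code from the article or from any vendor quoted in it, shows what that check looks like in practice: a default-deny allow-list between segments, applied to a handful of constructed flow records. The VLAN subnets, the permitted flows and the sample records are all assumptions made for illustration.

```python
"""Check observed network flows against a VLAN segmentation policy.

Added example (not from the article or any vendor it quotes). The subnets,
allow-list entries and flow records below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed segment plan: surveillance, POS/payment and corporate each on its own VLAN.
SEGMENTS = {
    "surveillance": ip_network("10.20.0.0/24"),
    "pos": ip_network("10.30.0.0/24"),
    "corporate": ip_network("10.10.0.0/24"),
}

# Explicit allow-list of (source segment, destination segment, destination port).
# Anything crossing segments that is not listed here is reported as a violation.
ALLOWED = {
    ("surveillance", "corporate", 554),  # camera RTSP streams to the VMS server
    ("corporate", "surveillance", 443),  # VMS admin console to camera web UI
    ("pos", "corporate", 443),           # terminals to the store's payment gateway proxy
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Constructed record format: '<src-ip> -> <dst-ip>:<dst-port>'."""
    src, rest = line.split("->")
    dst, port = rest.strip().rsplit(":", 1)
    return Flow(src.strip(), dst, int(port))


def segment_of(addr: str) -> str:
    ip = ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"


def violations(lines):
    """Return (flow, src_segment, dst_segment) for every cross-segment flow
    that has no explicit allow rule."""
    bad = []
    for line in lines:
        f = parse_flow(line)
        s, d = segment_of(f.src), segment_of(f.dst)
        if s == d:
            continue  # traffic inside one segment is not a segmentation question
        if (s, d, f.dport) not in ALLOWED:
            bad.append((f, s, d))
    return bad


# Constructed sample flows, e.g. exported from a switch or firewall log.
SAMPLE_FLOWS = [
    "10.20.0.15 -> 10.10.0.5:554",   # camera to VMS: allowed
    "10.20.0.15 -> 10.30.0.7:445",   # camera to POS terminal over SMB: violation
    "10.30.0.7 -> 10.10.0.9:443",    # POS to gateway proxy: allowed
    "10.30.0.7 -> 10.20.0.15:80",    # POS to camera web UI: violation
    "10.30.0.7 -> 10.30.0.8:9100",   # POS to receipt printer, same segment: ignored
    "10.10.0.9 -> 10.20.0.15:443",   # VMS console to camera: allowed
]

if __name__ == "__main__":
    for flow, s, d in violations(SAMPLE_FLOWS):
        print(f"VIOLATION {s} -> {d}: {flow.src} -> {flow.dst}:{flow.dport}")
```

Run against real flow exports, the two violations this finds (a camera reaching a terminal, and a terminal reaching a camera) are exactly the piggybacking paths McGrath describes; the fix is a firewall or ACL rule between the VLANs, and this check then confirms the rule holds.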
Interface’s Womer, meanwhile, offers the following advice to secure retailers’ POS systems:
- Encrypt all POS data end-to-end
- Accept EMV chip cards and NFC (contactless payment) technologies
- Whitelist applications to run on a POS system
- Keep their POS software up to date
- Address PCI-DSS compliance gaps proactively
- Segment the POS network
- Physically secure POS devices, including mobile POS devices
- Watch out for unusual transactions
- Integrate security cameras with POS transactions
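“Watch out for unusual transactions” is the one item in Womer’s list that a retailer can act on with existing POS logs alone. The following script, an added example that is not code from the article or from Interface Systems, shows three simple detections a practitioner might run over a batch of terminal records: sales outside store hours, a burst of refunds from a single terminal, and the small-value sales across many distinct cards that typically indicate stolen-card testing. The log format, thresholds, store hours and sample records are all constructed assumptions.

```python
"""Flag unusual POS transactions in a batch of terminal logs.

Added example (not code from the article or from Interface Systems). The log
format, thresholds, store hours and sample records are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

STORE_OPEN, STORE_CLOSE = 8, 21          # assumed store hours, 24h clock
REFUND_LIMIT_PER_HOUR = 3                # assumed: more refunds than this per terminal per hour
CARD_TEST_WINDOW = timedelta(minutes=5)  # assumed window for the card-testing rule
CARD_TEST_DISTINCT = 4                   # assumed: distinct cards in that window
CARD_TEST_MAX_AMOUNT = 2.00              # assumed: "small" sale threshold


def parse(line):
    """Constructed record format: ISO-timestamp terminal type amount card-last4."""
    ts, term, kind, amount, card = line.split()
    return {"ts": datetime.fromisoformat(ts), "term": term, "kind": kind,
            "amount": float(amount), "card": card}


def find_anomalies(lines):
    """Return (rule, terminal, detail) tuples for each suspicious pattern found."""
    txns = sorted((parse(l) for l in lines), key=lambda t: t["ts"])
    alerts = []

    # Rule 1: any transaction outside store hours.
    for t in txns:
        if not (STORE_OPEN <= t["ts"].hour < STORE_CLOSE):
            alerts.append(("after_hours", t["term"], t["ts"].isoformat()))

    # Rule 2: refund bursts, counted per terminal per clock hour.
    refunds = defaultdict(int)
    for t in txns:
        if t["kind"] == "refund":
            hour = t["ts"].replace(minute=0, second=0, microsecond=0)
            refunds[(t["term"], hour)] += 1
    for (term, hour), n in refunds.items():
        if n > REFUND_LIMIT_PER_HOUR:
            alerts.append(("refund_burst", term, f"{n} refunds from {hour.isoformat()}"))

    # Rule 3: card testing - many small sales on distinct cards within a short window.
    for term in sorted({t["term"] for t in txns}):
        small = [t for t in txns
                 if t["term"] == term and t["kind"] == "sale"
                 and t["amount"] <= CARD_TEST_MAX_AMOUNT]
        for i, start in enumerate(small):
            window = [t for t in small[i:] if t["ts"] - start["ts"] <= CARD_TEST_WINDOW]
            if len({t["card"] for t in window}) >= CARD_TEST_DISTINCT:
                alerts.append(("card_testing", term,
                               f"{len(window)} small sales from {start['ts'].isoformat()}"))
                break  # one alert per terminal is enough
    return alerts


# Constructed sample log: one refund burst, one after-hours sale, one card-testing run.
SAMPLE_LOG = """\
2024-03-04T09:15:00 POS-01 sale 42.10 1234
2024-03-04T09:20:00 POS-01 refund 42.10 1234
2024-03-04T09:22:00 POS-01 refund 18.00 5678
2024-03-04T09:31:00 POS-01 refund 9.99 9012
2024-03-04T09:40:00 POS-01 refund 25.00 3456
2024-03-04T10:05:00 POS-02 sale 12.50 7777
2024-03-04T23:10:00 POS-02 sale 1.00 2222
2024-03-04T11:00:00 POS-03 sale 1.00 1111
2024-03-04T11:01:00 POS-03 sale 1.00 2222
2024-03-04T11:02:00 POS-03 sale 1.00 3333
2024-03-04T11:03:00 POS-03 sale 1.00 4444
""".strip().splitlines()

if __name__ == "__main__":
    for rule, term, detail in find_anomalies(SAMPLE_LOG):
        print(f"{rule:13} {term}: {detail}")
```

The thresholds are deliberately simple so that the logic is easy to read; in a real deployment they would be tuned per store and the alerts fed to the same monitoring that watches the segmented networks, which is also where the last item in the list, tying camera footage to transaction records, pays off when an alert needs to be reviewed.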
A word for integrators
Finally, to close out our series on security in retail, we want to point out that integrators must fully understand customer sites and listen to customers if the security implementation is to succeed.
“Integrators must carefully study each customer location's unique vulnerabilities to avoid blind spots. Regarding Organized Retail Crime, perpetrators have studied locations in advance and know where cameras are located before they smash and grab merchandise. Some cameras must be mounted low enough to effectively capture identifying details of criminals wearing hats to conceal their identity,” Barbosa said.
“One of the biggest issues for security integrators is balancing the old with the new for retailers. A lot of retailers will want to deploy the latest AI or multi-lens cameras on older, more proprietary VMS solutions. The integrator will often have to change the setting on those cameras so the VMS can support a basic video feed for example. In addition, integrators have to make sure their retailer customers are building a solid foundation to support their future video needs and evolving technology,” said Grant Cowan, VP of Strategic Accounts at Salient Systems.