Guidelines For Retailers This Holiday Shopping Season

Posted on by Fahmida Y. Rashid

The holiday shopping season is looming, and retailers are gearing up for Black Friday and other sales. It's been a year since criminals infiltrated Target's networks with malware and made off with millions of credit card details. Retailers are scrambling to get everything ready for the shoppers and deals; we hope their networks are secure and ready, as well.

Or will cyber-criminals have another jolly holiday season?

Over the past year, several major retailers disclosed attacks against point-of-sale terminals. While many stores have accelerated their rollout plans for point-of-sale terminals that can handle chip-based payment cards, that switchover is not complete. A recent survey by BitSight Technologies found that 75 percent of retailers that suffered a data breach over the past year have improved their security effectiveness since then.

Retailers have been securing their networks, but as Black Friday looms closer, security teams are likely wondering whether they've done enough to keep the attackers at bay. Here are some of the tasks they should be checking off, according to Trey Ford, global security strategist at Rapid7.

Guidelines for Keeping Data Safe
Before Black Friday, security teams at retail organizations should make two-factor authentication mandatory for remote access to the corporate network and enforce strong password management policies.

Nearly a third of all breaches in the retail sector over the past year began with a compromise at a third-party vendor, according to BitSight's survey.

Wireless networks should be secured to use the highest level of encryption available and keys rotated. Handheld devices should also be encrypted, Ford said.

Retailers should double-check everything in their environment before Black Friday. The network needs to be segmented so that payment systems are not on the same network as the corporate one, for example. Instead of assuming that's the case (because it was supposed to be done), administrators should check and verify that is the case. The network restrictions in place should be reviewed and verified, along with access levels assigned to third-party service providers, customers, contractors, and the rest of the supply chain.
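The "check, don't assume" advice above can be turned into a repeatable test. The following is an added example written for this page, not code from Rapid7 or from the article: it models a first-match firewall policy between a corporate segment and a payment segment, then audits it against a short list of flows that must be blocked (corporate and vendor hosts reaching a POS terminal) and one that must still work (POS terminals reaching the payment gateway). All addresses, rule names and the two rule sets are constructed for illustration; the "as deployed" set contains the kind of leftover allow rule that a paper review would miss.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall rule; an empty port set means 'any port'. Constructed format."""
    name: str
    src: str        # CIDR of the source segment
    dst: str        # CIDR of the destination segment
    ports: frozenset
    action: str     # "allow" or "deny"


def evaluate(rules, src_ip, dst_ip, port):
    """First-match evaluation with an implicit deny at the end of the list."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (not r.ports or port in r.ports)):
            return r.action, r.name
    return "deny", "implicit-deny"


# Flows the segmentation design requires (constructed; 10.10/16 = corporate,
# 10.20/16 = payment, 172.16.99/24 = vendor VPN pool, 203.0.113.10 = gateway).
EXPECTED_FLOWS = [
    ("corporate workstation -> POS terminal", "10.10.5.23", "10.20.1.10", 445, "deny"),
    ("vendor VPN pool -> POS terminal", "172.16.99.7", "10.20.1.10", 3389, "deny"),
    ("POS terminal -> payment gateway", "10.20.1.10", "203.0.113.10", 443, "allow"),
    ("POS terminal -> corporate file server", "10.20.1.10", "10.10.0.50", 445, "deny"),
]

# What the network diagram says is in place.
RULES_AS_DOCUMENTED = [
    Rule("pos-to-gateway", "10.20.0.0/16", "203.0.113.10/32", frozenset({443}), "allow"),
    Rule("block-corp-to-pos", "10.10.0.0/16", "10.20.0.0/16", frozenset(), "deny"),
    Rule("block-vendor-to-pos", "172.16.99.0/24", "10.20.0.0/16", frozenset(), "deny"),
]

# What an export of the running config actually shows: a "temporary" vendor
# exception and a broad management rule that were never removed.
RULES_AS_DEPLOYED = [
    Rule("temp-vendor-support", "172.16.99.0/24", "10.20.0.0/16", frozenset({3389}), "allow"),
    Rule("corp-mgmt-any", "10.10.0.0/16", "10.20.0.0/16", frozenset(), "allow"),
    Rule("pos-to-gateway", "10.20.0.0/16", "203.0.113.10/32", frozenset({443}), "allow"),
    Rule("block-corp-to-pos", "10.10.0.0/16", "10.20.0.0/16", frozenset(), "deny"),
]


def audit(rules):
    """Return one finding per expected flow whose real outcome differs from the design."""
    findings = []
    for label, src, dst, port, expected in EXPECTED_FLOWS:
        actual, matched = evaluate(rules, src, dst, port)
        if actual != expected:
            findings.append(
                f"{label}: expected {expected}, got {actual} via rule '{matched}'"
            )
    return findings


if __name__ == "__main__":
    for title, rules in (("documented", RULES_AS_DOCUMENTED), ("deployed", RULES_AS_DEPLOYED)):
        problems = audit(rules)
        print(f"{title}: {'OK' if not problems else len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

The documented rule set passes; the deployed one produces two findings, the vendor RDP exception and the corporate-to-payment management rule. In practice the `rules` list would be loaded from a firewall export rather than typed in, and the expected-flow list is the artifact worth keeping under version control, since it records the segmentation decisions the review is supposed to confirm.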

Before Black Friday, it's important to perform a thorough security and vulnerability assessment of the entire infrastructure. That assessment should cover the corporate network, all endpoints, servers, and other critical systems. Patch where possible and harden the rest. Systems that remain vulnerable should be prioritized for investigation when anomalies occur.

This is a good time to remind employees to be alert for suspicious messages and social engineering schemes. Review the security standards and expectations so they know what to do. "Empower them as custodians and caretakers," Ford says.

Detection, Not Prevention
Retailers will be focusing on breach detection more than prevention over the holiday season, Arthur Tisi, co-founder and CEO at The Praescripto Group, told Dark Reading Radio this week. The former CIO for Natural Markets Food Group, Tisi said retailers are prepared for how to respond after the fact. They are also thinking about how to improve their communications with customers, partners, and investors.

"I don't know if the presence of the holiday season will really result in more disclosure of breaches," Nick Pelletier, senior consultant at Mandiant, told Dark Reading Radio. It's possible more breaches may be detected this season, but Pelletier said he didn't think there would be a sudden surge in the number of attacks.

Retailers need to be "prepared to do as much analysis as possible in real-time," Tisi said.

Fahmida Y. Rashid

Information Security Journalist, Editor-in-Chief, RSA Conference
