10 questions retail organizations must answer to align themselves with the right cybersecurity products
With so much to consider when choosing cybersecurity solutions, vendors or even individual components for the security stack, it is important to ask the right questions. The answers will help an organization determine their specific needs and in turn help determine the best providers and solutions for their company’s requirements. For instance, which integrations will be needed? Which vendors can provide the largest portion of their stack in one place? How many vendors will be needed? Which vendors’ strengths match the organization’s unique business needs?
Let’s consider some of the most important questions a retail organization can ask themselves in order to help steer them in the appropriate direction.
1. What kind of network infrastructure do we utilize?
- On-premise physical/virtual
- Cloud infrastructure
- Hybrid cloud
- We’re full SASE
Requirement: SD-WAN or SASE
Gone are the days of organizations managing their entire network through on-premise protocols and physical methods. Much of that management is now automated, and infrastructure is increasingly handled as a service, in the cloud or virtually. For performance reasons, retailers will often look at SASE solutions for at least their web-presence needs – if not all of their infrastructure. Regardless, properly architected network infrastructure is foundational to the cybersecurity of the organization.
2. Can our security team handle all of the requirements of cybersecurity risk and compliance?
- We have team members sitting around waiting to jump on any anomaly or maintenance task
- Our team is busy but they handle all of our needs effectively without burnout
- Our team can barely find time to handle the live incidents and tickets let alone maintenance
- Our team handles everything well, currently, but they can’t handle any more responsibility
- We don’t have a dedicated security team
There is so much to consider when dealing with retail cybersecurity that it often makes sense to push the responsibility for threat analysis, detection and response to a 3rd party. Such providers have highly skilled teams and cutting-edge, constantly updated technology stacks that can provide the best available response to digital attacks. If an organization chooses to keep its cybersecurity solutions in-house, it can still deploy XDR platforms that use technology to augment its team and provide deeper visibility into the organization’s network traffic, threats and processes, giving the organization much needed insight and ultimately confidence.
3. Are we prepared to handle insider threats?
- We believe most people are generally trustworthy and our security is effective enough to handle those who might betray our trust
- We have the correct safeguarding for our employees but the executives won’t change their ways or allow our intervention
- We have no visibility into employee behavior and may not be able to detect employees acting against the company’s best interest
- We constantly improve our security measures based on public information sharing and ensure all access is governed by behavior analytics
Requirement: MDR/XDR, IAM, PAM, DLP, UEBA
Strict identity and access management with insights into potential abuse should be a major factor that retail organizations consider in their solutions. Retail organizations have a large ‘people’ attack surface and they’re not technology companies, so solutions need to be flexible and scalable for a lot of people with a lot of different needs. Authorized users need fast and reliable access, but unauthorized misuse needs to be as easy as possible to spot. With recent changes in work culture, authorization verification and monitoring must be central to the cybersecurity strategy.
4. Are our devices centrally inventoried, tracked, and managed?
- We deploy a BYOD (bring your own device) program and make sure all of our employees use the latest Apple products and use secure passwords, but we don’t invade our employees’ privacy
- We try our best to monitor and track our device inventory but with so many devices and high turnover it’s hard to have 100% visibility
- We have an effective and scalable inventory tracking and monitoring solution that our IT team takes a lot of pride in
- We outsource this responsibility and our provider tells us it’s going well
Requirement: EDR/Endpoint Management/Mobile Device Management (MDM)/Asset Tracking and Management
With high turnover common in the retail industry and the sheer number of people involved in keeping the retail machine’s wheels turning, the importance of proper inventory, management and monitoring of IT assets is huge and can be daunting – but it’s critical to cybersecurity. And it’s becoming even more important with work-from-home (WFH) initiatives becoming the new norm and pushes for bring-your-own-device (BYOD) policies. There are many ways to handle this, either internally or using a 3rd party, but scalability and integration with the wider security stack are things that should be checked thoroughly before choosing a solution for any retail organization.
5. Are our Internet-of-Things (IoT) devices and endpoints on the latest firmware and software versions, and are they monitored for abnormal behavior?
- Yes, we maintain and monitor our devices and analyze their traffic in order to detect and respond to possible threats and abnormal behaviors
- We always update our devices but we don’t monitor the network traffic or application processes on the devices
- We monitor all network traffic and inspect all application activity on all of our assets, including our IoT devices
- We have an intrusion prevention or detection (IPS/IDS) solution for the IoT network
- We have an intrusion prevention or detection (IPS/IDS) solution for the network, but we’re not sure if it covers IoT
Requirement: IoT Security/Anomaly Detection
The difficulty with IoT security is that devices and applications are so varied in their purpose, protocols and attack surface. It isn’t always possible for every solution provider to easily manage these types of devices. Also, these devices are commonly deployed in the thousands at a single physical location, making monitoring and response very difficult. So, whether the organization outsources anomaly detection and response or does it in-house, it is important to understand the complexities and scope of how a business’s use of IoT devices impacts its security needs.
6. Do we utilize any cloud solutions for hosting customer data, applications or services?
- We try our best to host everything on cloud as we don’t like to maintain physical servers on-premise
- We keep everything on-premise because we don’t trust cloud providers with our sensitive data
- We are trying to modernize our infrastructure and processes but haven’t gotten everything onto the cloud just yet
- We haven’t decided what we will utilize the cloud for, if anything
Requirement: Cloud Security
Cloud processing, storage and networking is becoming commonplace in the retail industry, and therefore the security of all identities, data, transactions and infrastructure is of the utmost importance. A single failure to update an application or a driver on a server could lead to severe breaches that could cost the organization millions and lose clients’ trust. Still, the efficiencies and scalability of cloud technologies can’t be ignored, and in many cases a fully managed cloud solution can be significantly more secure than on-premise infrastructure.
7. Are our physical locations constantly being monitored and improved for gaps in security coverage?
Specifically, is the training we provide our staff effective in helping them understand and manage our environments’ physical security or social engineering risks?
- We do not have physical locations – we’re online-only
- Our physical locations are monitored by a 3rd party physical security provider and we rely on them to ensure there is no unauthorized physical access to our networks
- Our IT team tries to investigate physical locations for vulnerabilities, but their time is better spent on other projects
- Our asset protection team occasionally performs training exercises with our staff to ensure that they can respond effectively to new threats
Requirement: Penetration testing or Red Team Engagement with Social Engineering
This is something that not all organizations will embrace, but its effectiveness cannot be over-emphasized. Security assessments are not meant to get people in trouble or point out shortcomings – they exist to show an organization its weak spots and the areas it can improve. This is especially important for organizations with physical infrastructure and publicly accessible endpoints. Providers offering these services can also assess internal and 3rd party security teams on their ability to apply their knowledge and test their solutions against a more realistic threat, up to and including advanced persistent threats (APTs).
8. Are our employees constantly improving their understanding of cybersecurity risks and our compliance requirements?
- We have required training once a quarter that our employees go through ritualistically
- We are constantly implementing and trying new methods to train our employees and keep them on the defensive when it comes to cybersecurity risks and management
- Our team isn’t technically savvy enough to keep up on cybersecurity threats
- We just hire a 3rd party to come train all new employees in groups on cybersecurity and email them updates every so often
Requirement: People Education and Training
As one of the most critical attack vectors, people are always going to be one of the most difficult security challenges to manage. It is essential that proper consideration has been and continues to be given toward the education and constant reinforcement of best practices and company policies for all the humans involved in the organization, from facilities and frontline staff to IT administrators and C-level executives. Ensure that the solution the organization deploys has the proper program for training and educating the organization’s members.
9. If we were audited today, do we have full confidence that there would be no gaps?
- No, last time we were audited everyone was running around trying to figure out what to do
- Yes, everyone has been trained and equipped to demonstrate compliance with applicable regulations and we audit internally regularly
- We try to ensure everything is ready and organized in the case of an audit, but we have limited resources and we are still managing some compliance tasks in spreadsheets that should be in a more proper system-of-record
- We have a comprehensive compliance tracking and monitoring solution that is regularly audited for accuracy and completeness
Requirement: Compliance Tracking and Monitoring
Depending on an organization’s business, there can be extensive applicable regulations to keep on top of. It is crucial that the organization keeps its records up-to-date, accurate and reportable to ensure that any anomalies are known well before an audit takes time and/or money out of the company’s bottom line.
10. Are all communications between employees secured and encrypted to safeguard sensitive data?
- We monitor all of our corporate communications and use public databases to monitor for leaked data or communications that should be private
- We use Google Chat and Gmail
- We just use e-mail and our internal Exchange server so we can keep record of everything sent to and from a company email
- We allow our employees to use whatever communication services they like, but train them on information security and company policy to ensure they know the proper way to handle sensitive data
Requirement: Communication and Collaboration Security
Communication and collaboration security is critically important today because a lot of sensitive information, assumed to be safe and internal, is shared via email, text message (SMS) and chat applications. Collaboration software often needs to be even more secure due to the nature of the content being shared (for example, product design ideas or go-to-market strategies) and its need to be accessible from anywhere for WFH.