Use the Netify comparison tool to find out which SD WAN & Cybersecurity solutions match your Retail business needs.
The risk posed to the retail industry by cyber threats and digital attacks is very real and is demonstrated frequently. In fact, one of the largest security breaches in history, and one of the earliest memorable incidents, was the attack against the retail giant Target in the holiday season of 2013. These breaches stem from different sources, ranging from ransomware to payment system exploits to third-party vendors with access to the corporate network. The risk is ever-increasing, and retailers are among the first and most heavily targeted industry verticals, so it is important that they maintain a good security posture by taking proactive measures and ensuring compliance with security regulations to manage their risk in the digital world. Targeted assets for the retail industry include payment systems, customer data storage, customer lists, physical retail locations, web applications, and logistics and warehousing backends.
One of the attack vectors that is hardest to fully understand, let alone mitigate, and that hits this industry especially hard, is people at all levels. From floor workers to web application designers and even C-level executives, staff are commonly targeted in phishing or spear phishing attacks (digital attacks crafted to target specific people or groups of people). Because people in retail are highly vulnerable, the e-mail accounts used by retail industry personnel are commonly exploited. The human factor and attack vectors like e-mail and other communication mediums should be top-of-mind when considering cybersecurity, risk management and incident response for the retail industry.
Considering the risks associated with the financial transactions that retail relies on, several forms of regulatory protection have been created or made applicable to the retail industry. Specifically aimed at retail is PCI DSS v3.0 (Payment Card Industry Data Security Standard), which must be complied with when dealing with payment cards or the processing of transaction data. PCI compliance is widely applicable, from the development of payment systems in web applications through to the physical capture of card data at a terminal in a store and everywhere in between. It is important to understand the flow, storage, and sharing practices for customer card/payment data. PCI has various levels of compliance requirements which depend on where an organization sits in the payment process or how many transactions an organization handles on an annual basis. Small retail operations may not have much to worry about if they only occasionally process transactions using a credit card terminal that is provided and secured by their bank. Larger operations, or organizations involved in handling the payment transactions themselves, have a significantly larger responsibility in complying with PCI standards. Some organizations might manage this internally while others may need to outsource it. Regardless, any retail organization needs to consider PCI compliance when choosing security solutions and providers. Finally, it should be noted that PCI is an international standard adopted by payment card providers, processors and financial institutions around the world.
Also applicable to larger organizations in the United States retail sector is SOX (the Sarbanes-Oxley Act of 2002), which was created to prevent fraudulent financial reporting by publicly traded companies in an effort to manipulate stock prices. With this come data retention and transparency standards mandated by the United States government that must be followed and maintained. While SOX requires data retention to curb fraud, more retention means more storage and processing of sensitive data, which comes with security risks of its own. Therefore, retail organizations, as well as any publicly traded organization in the United States, need to consider data retention requirements for regulatory compliance as well as mitigation plans for potential attacks on storage and processing systems.
Retail organizations who do business online may also be subject to local privacy regulations like CCPA in California or GDPR in the European Union, but PCI is the primary compliance standard that the retail industry deals with. Fortunately, compliance with PCI data security requirements will also help organizations comply with the data security requirements that are typically included in privacy regulations as well.
This may seem like a lot to consider – and it is. That’s why industry leaders get together to provide resources to help retail organizations understand and maintain their own security posture. Some of these resources include RH-ISAC (Retail and Hospitality Information Sharing and Analysis Center) and R-CISC (Retail Cyber Intelligence Sharing Center), which are aimed at maintaining a community for sharing information on threats and threat management as well as discussing the implications and implementations of security solutions and regulations in the industry.
In any industry, the NIST Cybersecurity Framework is a great resource to help organizations manage risk and map compliance to relevant standards. Finally, NIST Special Publication 1800-17 provides specific guidance for online retailers to reduce risk associated with internet-based purchases.
In retail operations there are a lot of moving parts, and even without worrying about cybersecurity it can be difficult to keep track of things. Additionally, retail organizations typically aren’t technology companies, so solutions for retail need to be complete, automated and focused on a desired outcome. One of the most important security issues in the retail industry (as first demonstrated by the Target incident) is vendor risk management, and closely related to that are attacks on people. To cover these areas, it is vitally important that organizations develop a vendor management process, deploy secure email and communications systems and use endpoint protection. Continuous employee education and training is often required for compliance, but an often overlooked yet effective security control is penetration testing. When people are often an attack vector, penetration testing, social engineering assessments and red team engagements can help to ensure that an organization and its people are prepared for various types of attacks, while helping to avoid unintentional actions that could lead to breaches. Therefore, retail organizations may benefit from managed security providers who can capably provide this type of security testing and assessment in addition to traditional security products and services like e-mail and endpoint protection.
Another important aspect of retail cybersecurity is web application security, including protection of internet-facing systems like shopping carts, customer portals, and of course payment systems. When retail organizations look to secure their public-facing digital assets, Web Application Firewalls (WAF), proxies, distributed denial-of-service (DDoS) protection, and identity and access management should be considered, and these should be constantly maintained and integrated across an organization’s digital estate. Larger organizations with internal security teams who can integrate these solutions into their stack have a plentiful selection of solutions to choose from, while others may consider a managed security provider or telecommunications provider who can provide a comprehensive secure SD-WAN solution which incorporates these security components.
Finally, with specific regard to retail organizations, Internet of Things (IoT) device security is extremely important considering the physical devices commonly found on today’s retail network. They could include thermostats, lights, printers, cameras, smart speakers, card readers, access cards, RFID tag readers and other connected devices. These devices need to be inventoried, tracked, monitored, and isolated, as they often offer easy access to the company’s network through physical and digital breaches. That is because they are physically deployed in publicly accessible areas that are difficult or impossible to protect. For this type of security retailers will often turn to Managed Detection and Response (MDR) and/or Extended Detection and Response (XDR) solutions. There are many competent vendors who can provide these managed services, but it is important to consider how they will work with the rest of the security stack. Some retailers might want to consider fully managed solutions where all data storage and processing is done on managed cloud services and connectivity is provided through secure SD-WAN solutions managed by the same vendor, to reduce the burden on the organization and its IT and security teams.
With so much to consider when choosing cybersecurity solutions, vendors or even individual components for the security stack, it is important to ask the right questions. The answers will help an organization determine their specific needs and in turn help determine the best providers and solutions for their company’s requirements. For instance, which integrations will be needed? Which vendors can provide the largest portion of their stack in one place? How many vendors will be needed? Which vendors’ strengths match the organization’s unique business needs?
Let’s consider some of the most important questions a retail organization can ask themselves in order to help steer them in the appropriate direction.
Requirement: SD-WAN or SASE
Gone are the days of organizations managing their entire network through on-premises protocols and physical methods. Infrastructure is increasingly handled as a service, in the cloud or virtually. For performance reasons, retailers will often look at SASE solutions for at least their web-presence needs, if not all of their infrastructure. Regardless, properly architected network infrastructure is foundational to the cybersecurity of the organization.
Requirement: MDR/XDR
There is so much to consider when dealing with retail cybersecurity that it often makes sense to push the responsibility for threat analysis, detection and response to a third party. Such providers have highly skilled teams and cutting-edge, constantly updated technology stacks that can provide the best available response to digital attacks. If an organization chooses to keep its cybersecurity solutions in-house, it can still deploy XDR platforms that augment its teams and provide next-level visibility into the organization’s network traffic, threats and processes, giving the organization much needed insight and ultimately confidence.
Requirement: MDR/XDR, IAM, PAM, DLP, UEBA
Strict identity and access management, with insights into potential abuse, should be a major factor that retail organizations consider in their solutions. Retail organizations have a large ‘people’ attack surface and they’re not technology companies, so solutions need to be flexible and scalable for a lot of people with a lot of different needs. Authorized users need fast and reliable access, but unauthorized misuse needs to be as easy as possible to spot. With the recent changes in work culture, authorization verification and monitoring must be central to cybersecurity strategy.
Requirement: EDR/Endpoint Management/Mobile Device Management (MDM)/Asset Tracking and Management
With high turnover common in the retail industry and the sheer number of people involved in keeping the retail machine’s wheels turning, the importance of proper inventory, management and monitoring of IT assets is huge and can be daunting, but it’s critical to cybersecurity. It is becoming even more important as work-from-home (WFH) initiatives become the new norm and bring-your-own-device (BYOD) policies gain ground. There are many ways to handle this, either internally or using a third party, but scalability and integration with the greater security stack should be checked thoroughly before choosing a solution for any retail organization.
a. Yes, we maintain and monitor our devices and analyze their traffic in order to detect and respond to possible threats and abnormal behaviors
b. We always update our devices but we don’t monitor the network traffic or application processes on the devices
c. We monitor all network traffic and inspect all application activity on all of our assets, including our IoT devices
d. We have an intrusion prevention or detection (IPS/IDS) solution for the IoT network
e. We have intrusion prevention or detection (IPS/IDS) solution for the network, but we’re not sure if it covers IoT
Requirement: IoT Security/Anomaly Detection
The difficulty with IoT security is that devices and applications are so varied in their purpose, protocols and attack surface. It isn’t always possible for every solution provider to easily manage these types of devices. Also, these devices are commonly grouped in the thousands at a single physical location, making monitoring and response very difficult. So, whether the organization outsources anomaly detection and response or does it in-house, it is important to understand the complexities and scope of how a business’ use of IoT devices impacts its security needs.
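The inventory, segmentation and anomaly-detection controls described for IoT devices above can be reduced to a small, repeatable check. The following is an added example, not Netify's code nor that of any vendor on this page: it holds a constructed allowlist of approved devices (by MAC address, device class and assigned VLAN) and a constructed per-class flow policy, then reads constructed flow-log lines and flags three conditions a defender cares about: a device that is not in the inventory, a known device seen outside its assigned segment, and a known device talking to a destination its class should never contact. The log format, VLAN names, addresses and policy entries are all assumptions made for the example.

```python
"""
Added example (not Netify's or any vendor's code): a minimal IoT asset-inventory
and flow-policy check. Every inventory entry, policy entry and log line below
is constructed for illustration; the log format is an assumption.
"""
import ipaddress
from dataclasses import dataclass

# Constructed inventory: approved device MAC -> (device class, VLAN it must live in).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("card-reader", "vlan-iot-pos"),
    "aa:bb:cc:00:00:02": ("camera", "vlan-iot-cctv"),
    "aa:bb:cc:00:00:03": ("thermostat", "vlan-iot-bms"),
}

# Constructed policy: each device class may only talk to these (destination network, port) pairs.
ALLOWED_FLOWS = {
    "card-reader": {("10.10.50.0/24", 443)},   # payment gateway over TLS only
    "camera": {("10.10.60.0/24", 554)},        # video recorder over RTSP only
    "thermostat": {("10.10.70.0/24", 1883)},   # building-management MQTT broker only
}


@dataclass(frozen=True)
class Finding:
    mac: str
    kind: str      # "unknown-device", "wrong-segment" or "unexpected-flow"
    detail: str


def parse_flow(line):
    """Parse one constructed flow-log line of the form
    'vlan=<name> src_mac=<mac> src_ip=<ip> dst_ip=<ip> dst_port=<port>'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["vlan"], fields["src_mac"].lower(), fields["dst_ip"], int(fields["dst_port"])


def check_flow(line):
    """Return a Finding for a flow that violates inventory or policy, else None."""
    vlan, mac, dst_ip, dst_port = parse_flow(line)
    if mac not in INVENTORY:
        # Something is plugged into an IoT segment that nobody approved.
        return Finding(mac, "unknown-device", f"not in inventory, seen on {vlan}")
    device_class, home_vlan = INVENTORY[mac]
    if vlan != home_vlan:
        # Isolation failure: an approved device has escaped its assigned segment.
        return Finding(mac, "wrong-segment",
                       f"{device_class} seen on {vlan}, expected {home_vlan}")
    dst = ipaddress.ip_address(dst_ip)
    for net, port in ALLOWED_FLOWS[device_class]:
        if dst in ipaddress.ip_network(net) and port == dst_port:
            return None
    # Behavioural anomaly: the device is talking somewhere its class never should.
    return Finding(mac, "unexpected-flow",
                   f"{device_class} -> {dst_ip}:{dst_port} not in policy")


def audit(lines):
    """Run check_flow over every log line and keep only the violations."""
    return [f for f in (check_flow(line) for line in lines) if f is not None]


# Constructed flow-log sample: two compliant flows followed by one of each violation.
SAMPLE_FLOWS = [
    "vlan=vlan-iot-pos src_mac=AA:BB:CC:00:00:01 src_ip=10.10.10.5 dst_ip=10.10.50.20 dst_port=443",
    "vlan=vlan-iot-cctv src_mac=aa:bb:cc:00:00:02 src_ip=10.10.11.7 dst_ip=10.10.60.9 dst_port=554",
    "vlan=vlan-iot-pos src_mac=aa:bb:cc:00:00:99 src_ip=10.10.10.44 dst_ip=10.10.50.20 dst_port=443",
    "vlan=vlan-corp src_mac=aa:bb:cc:00:00:03 src_ip=10.10.1.8 dst_ip=10.10.70.3 dst_port=1883",
    "vlan=vlan-iot-cctv src_mac=aa:bb:cc:00:00:02 src_ip=10.10.11.7 dst_ip=203.0.113.10 dst_port=443",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(f"[{finding.kind}] {finding.mac}: {finding.detail}")
```

The point of the design is that the inventory and the per-class policy are the only two inputs an operator has to maintain; everything a flow collector or MDR/XDR platform emits can then be scored against them, and the three finding kinds map directly onto the controls the text names (inventory, isolation, monitoring). In a real deployment the allowlist would come from the asset-management system rather than a dictionary, and the log lines from the flow collector.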
Requirement: Cloud Security
Cloud processing, storage and networking are becoming commonplace in the retail industry, and therefore the security of all identities, data, transactions and infrastructure is of the utmost importance. A single failure to update an application or a driver on a server could lead to severe breaches that could cost the organization millions and lose clients’ trust. Still, the efficiencies and scalability of cloud technologies can’t be ignored, and in many cases a fully managed cloud solution can be significantly more secure than on-premises infrastructure.
Specifically, is the training we provide our staff effective in helping them understand and manage our environment’s physical security or social engineering risks?
Requirement: Penetration testing or Red Team Engagement with Social Engineering
This is something that not all organizations will embrace, but its effectiveness cannot be over-emphasized. Security assessments are not meant to get people in trouble or point out shortcomings; they exist to show an organization its weak spots and the areas it can improve. This is especially important for organizations with physical infrastructure and publicly accessible endpoints. Providers offering these services can also assess internal and third-party security teams on their ability to apply their knowledge and test their solutions against a more realistic threat, up to and including advanced persistent threats (APTs).
Requirement: People Education and Training
As one of the most critical attack vectors, people are always going to be one of the most difficult security challenges to manage. It is essential that proper consideration has been and continues to be given toward the education and constant reinforcement of best practices and company policies for all the humans involved in the organization, from facilities and frontline staff to IT administrators and C-level executives. Ensure that the solution the organization deploys has the proper program for training and educating the organization’s members.
Requirement: Compliance Tracking and Monitoring
Depending on an organization's business, there can be extensive applicable regulations to keep on top of. It is crucial that the organization keeps its records up-to-date, accurate, and reportable, so that any anomalies are known well before an audit takes time and/or money out of the company’s bottom line.
Requirement: Communication and Collaboration Security
Communication and collaboration security is critically important today because a lot of sensitive information, assumed to be safe and internal, is shared via email, text message (SMS) and chat applications. Collaboration software often needs to be even more secure due to the nature of the content being shared (for example, product design ideas or go-to-market strategies) and its need to be accessible from anywhere for WFH.
Netify will arrange either a 1 hour demo session of Gartner rated vendors, niche players and startups with walkthroughs of features and benefits, or you can opt for our vendor briefing session to learn more about high level capability.
Netify has created the ultimate retail SASE cybersecurity and SD WAN IT decision makers checklist. Learn about the key areas you must consider when evaluating vendors and managed service providers.