Retail Cybersecurity & SD WAN

Compare DIY, Co-Managed & Fully Managed SD WAN across 100+ vendors and service providers with Netify

  • Find out which service providers match your needs
  • Get the advice you need from our research team
  • For North American and UK National and Multinational companies

Compare SD-WAN Services for Retail

Use the Netify comparison tool to find out which SD WAN & Cybersecurity solutions match your Retail business needs.

Summary

What are retail regulations across cybersecurity and SD WAN?

Potentially applicable regulations:

  • HIPAA (Health Insurance Portability and Accountability Act of 1996)
  • PCI DSS v3.0 (Payment Card Industry Data Security Standard)
  • SOX (Sarbanes-Oxley Act of 2002)
  • CPRA (California Privacy Rights Act)
  • GDPR (General Data Protection Regulation)

Compliance and cybersecurity resources:

  • RH-ISAC (Retail and Hospitality Information Sharing and Analysis Center)
  • R-CISC (Retail Cyber Intelligence Sharing Center)

The risk posed to the retail industry by cyber threats and digital attacks is very real and is demonstrated frequently. In fact, one of the largest security breaches in history, and one of the earliest memorable incidents, was the attack against the retail giant Target in the holiday season of 2013. These breaches stem from different sources, ranging from ransomware to payment system exploits to vendors with access to the corporate network. The risk is ever-increasing, and retailers are one of the first and largest industry verticals hit by bad actors, so it is important that they maintain a good security posture by taking proactive measures and ensuring compliance with security regulations to manage their risk in the digital world. Targeted assets for the retail industry include payment systems, customer data storage, customer lists, physical retail locations, web applications, and logistics and warehousing backends.

One of the attack vectors that is hardest to fully understand, let alone mitigate, and which hits this industry especially hard, is people, at all levels. Everyone from floor workers to web application designers and even C-level executives is commonly targeted in phishing or spear phishing attacks (digital attacks crafted to target specific people or groups of people). Because people in retail are highly vulnerable, the e-mail accounts used by retail industry personnel are commonly exploited. The human factor and attack vectors like e-mail and other communication mediums should be top-of-mind when considering cybersecurity, risk management and incident response for the retail industry.

Below: The Netify Mind Map guide to Cybersecurity. [Image: Financial Services Cybersecurity Mind Map]

Retail Sector 2022

What are Retail Cybersecurity regulations in 2022?

Considering the risks associated with financial transactions that retail relies on, several forms of regulatory protections have been created or made applicable to the retail industry. Specifically aimed at retail is the PCI DSS v3.0 (Payment Card Industry Data Security Standard) which must be abided by when dealing with payment cards or the processing of transaction data. PCI compliance is widely applicable from development of payment systems in web applications through to the physical capture of card data at a terminal in a store and everywhere in between. It is important to understand the flow, storage, and sharing practices for customer card/payment data. PCI has various levels of compliance requirements which depend on where an organization sits in the payment process or how many transactions an organization handles on an annual basis. Small retail operations may not have much to worry about if they only occasionally process transactions using a credit card terminal that is provided and secured by their bank. Larger operations or organizations involved in handling the payment transactions themselves have a significantly larger responsibility in complying with PCI standards. Some organizations might manage this internally while others may need to outsource it. Regardless, any retail organization needs to consider PCI compliance when choosing security solutions and providers. Finally, it should be noted that PCI is an international standard adopted by payment card providers, processors and financial institutions around the world.

Also applicable to larger organizations in the United States retail sector is SOX (Sarbanes-Oxley Act of 2002), which was created to prevent fraudulent financial data reporting by publicly traded companies in an effort to manipulate stock prices. With this come data retention and transparency standards mandated by the United States government that must be followed and maintained. While SOX requires data retention to curb fraud, more retention means more storage and processing of sensitive data, which comes with security risks of its own. Therefore, retail organizations, as well as any publicly traded organization in the United States, need to consider data retention requirements for regulatory compliance as well as mitigation plans for potential attacks on storage and processing systems.

Retail organizations who do business online may also be subject to local privacy regulations like CCPA in California or GDPR in the European Union, but PCI is the primary compliance standard that the retail industry deals with. Fortunately, compliance with PCI data security requirements will also help organizations comply with the data security requirements that are typically included in privacy regulations as well.

This may seem like a lot to consider – and it is. That’s why industry leaders get together to provide resources to help retail organizations understand and maintain their own security posture. Some of these resources include RH-ISAC (Retail and Hospitality Information Sharing and Analysis Center) and R-CISC (Retail Cyber Intelligence Sharing Center), which are aimed at maintaining a community for sharing information on threats and threat management as well as discussing the implications and implementations of security solutions and regulations in the industry.

In any industry, the NIST Cybersecurity Framework is a great resource to help organizations manage risk and map compliance to relevant standards. Finally, NIST Special Publication 1800-17 provides specific guidance for online retailers to reduce risk associated with internet-based purchases.

Retail Sector Regulations

Which security products and services are must-haves for Retail?

In retail operations, there are a lot of moving parts and even without worrying about cybersecurity, it can be difficult to keep track of things. Additionally, retail organizations typically aren’t technology companies, so solutions for retail need to be complete, automated and focused on a desired outcome. One of the most important security issues in the retail industry (as first demonstrated by the Target incident) is vendor risk management and closely related to that are people attacks. To cover these areas, it is vitally important that organizations develop a vendor management process, deploy secure email and communications systems and use endpoint protection. Continuous employee education and training is often required for compliance, but an often overlooked yet effective security control is penetration testing. When people are often an attack vector, penetration testing, social engineering assessments and red team engagements can help to ensure that an organization and its people are prepared for various types of attacks, while helping to avoid unintentional actions that could lead to breaches. Therefore, retail organizations may benefit from managed security providers who can capably provide this type of security testing and assessment in addition to traditional security products and services like e-mail and endpoint protection.

Another important aspect of retail cybersecurity is web application security, including protection of internet-facing systems like shopping carts, customer portals, and of course payment systems. When retail organizations look to secure their public-facing digital assets, Web Application Firewalls (WAF), proxies, distributed denial-of-service (DDoS) protection, and identity and access management should be considered, and these should be constantly maintained and integrated across an organization’s digital estate. Larger organizations with internal security teams who can integrate these solutions into their stack have a plentiful selection of solutions to choose from, while others may consider a managed security provider or telecommunications provider who can provide a comprehensive secure SD-WAN solution which incorporates these security components.

Finally, with specific regard to retail organizations, Internet of Things (IoT) device security is extremely important considering the physical devices commonly found on today’s retail network. They could include thermostats, lights, printers, cameras, smart speakers, card readers, access cards, RFID tag readers and other connected devices. These devices need to be inventoried, tracked, monitored, and isolated, as they often offer easy access to the company’s network through physical and digital breaches. That is because they are physically deployed in publicly accessible areas that are difficult or impossible to protect. For this type of security, retailers will often turn to Managed Detection and Response (MDR) and/or Extended Detection and Response (XDR) solutions. There are many competent vendors who can provide these managed services, but it is important to consider how they will work with the rest of the security stack. Some retailers might want to consider fully managed solutions where all data storage and processing is done on managed cloud services and connectivity is provided through secure SD-WAN solutions managed by the same vendor, to reduce the burden on the organization and its IT and security teams.

Frameworks

10 questions retail organizations must answer to align themselves with the right cybersecurity products

With so much to consider when choosing cybersecurity solutions, vendors or even individual components for the security stack, it is important to ask the right questions. The answers will help an organization determine their specific needs and in turn help determine the best providers and solutions for their company’s requirements. For instance, which integrations will be needed? Which vendors can provide the largest portion of their stack in one place? How many vendors will be needed? Which vendors’ strengths match the organization’s unique business needs?

Let’s consider some of the most important questions a retail organization can ask themselves in order to help steer them in the appropriate direction.

1. What kind of network infrastructure do we utilize?

  1. On-premise physical/virtual
  2. Cloud infrastructure
  3. Hybrid cloud
  4. We’re full SASE

Requirement: SD-WAN or SASE

Gone are the days of organizations managing their entire network through on-premise protocols and physical methods. Technology handles itself these days. Infrastructure is increasingly handled as a service, in the cloud or virtually. For performance reasons, retailers will often look at SASE solutions for at least their web-presence needs – if not all of their infrastructure. Regardless, properly architected network infrastructure is foundational to the cybersecurity of the organization.

2. Can our security team handle all of the requirements of cyber security risk and compliance?

  1. We have team members sitting around waiting to jump on any anomaly or maintenance task
  2. Our team is busy but they handle all of our needs effectively without burnout
  3. Our team can barely find time to handle the live incidents and tickets let alone maintenance
  4. Our team handles everything well, currently, but they can’t handle any more responsibility
  5. We don’t have a dedicated security team

Requirement: MDR/XDR

There is so much to consider when dealing with retail cybersecurity that it just makes sense to push the responsibility of threat analysis, detection and response to a 3rd party. They have highly skilled teams that have cutting-edge and constantly updated technology stacks that can provide the best available response to digital attacks. If an organization chooses to keep their cybersecurity solutions in-house, they can still deploy XDR platforms that will use technology to augment their teams and provide next-level optics into their organization’s network traffic, threats and processes, giving the organization much needed visibility, insights and ultimately confidence.

3. Are we prepared to handle insider threats?

  1. We believe most people are generally trustworthy and our security is effective enough to handle those who might betray our trust
  2. We have the correct safeguarding for our employees but the executives won’t change their ways or allow our intervention
  3. We have no visibility into employee behavior and may not be able to detect employees acting against the company’s best interest
  4. We constantly improve our security measures based on public information sharing and ensure all access is permitted through the use of behavior analytics

Requirement: MDR/XDR, IAM, PAM, DLP, UEBA

Strict identity and access management with insights into potential abuse should be a major factor that retail organizations consider in their solutions. Retail organizations have a large ‘people’ attack surface and they’re not technology companies, so solutions need to be flexible and scalable for a lot of people with a lot of different needs. Authorized users need fast and reliable access, but unauthorized misuse needs to be as easy as possible to spot. With the recent changes in work culture, authorization verification and monitoring must be central to cybersecurity strategy.

4. Are our devices centrally inventoried, tracked, and managed?

  1. We deploy a BYOD (bring your own device) program and make sure all of our employees use the latest Apple products and use secure passwords, but we don’t invade our employees’ privacy
  2. We try our best to monitor and track our device inventory but with so many devices and high turnover it’s hard to have 100% visibility
  3. We have an effective and scalable inventory tracking and monitoring solution that our IT team takes a lot of pride in
  4. We outsource this responsibility and our provider tells us it’s going well

Requirement: EDR/Endpoint Management/Mobile Device Management (MDM)/Asset Tracking and Management

With high turnover common in the retail industry and the sheer amount of people involved in keeping the retail machine’s wheels turning, the importance of proper inventory, management and monitoring of IT assets is huge and can be daunting – but it’s critical to cybersecurity. And, it’s becoming even more important with work-from-home (WFH) initiatives becoming the new norm and pushes for bring-your-own-device (BYOD) policies. There are many ways to handle this either internally or using a 3rd party, but the scalability and integration to the greater security stack is something that should be checked over thoroughly before choosing a solution for any retail organization.

5. Are our Internet-of-Things (IoT) devices and endpoints on latest firmwares and software versions, and are they monitored for abnormal behavior?

  1. Yes, we maintain and monitor our devices and analyze their traffic in order to detect and respond to possible threats and abnormal behaviors
  2. We always update our devices but we don’t monitor the network traffic or application processes on the devices
  3. We monitor all network traffic and inspect all application activity on all of our assets, including our IoT devices
  4. We have an intrusion prevention or detection (IPS/IDS) solution for the IoT network
  5. We have an intrusion prevention or detection (IPS/IDS) solution for the network, but we’re not sure if it covers IoT

Requirement: IoT Security/Anomaly Detection

The difficulty with IoT security is that devices and applications are so varied in their purpose, protocols and attack surface. It isn’t always possible for every solution provider to easily manage these types of devices. Also, these devices are commonly grouped in the thousands of devices at a single physical location making the monitoring and response very difficult. So, whether the organization outsources anomaly detection and response or does it in-house, it is important to understand the complexities and scope of how a business’ use of IoT devices impacts their security needs.
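The two IoT passages above (the "inventoried, tracked, monitored, and isolated" requirement and question 5 on firmware currency and abnormal behaviour) describe a reconciliation that can be automated. The following is an added example written for this page, not Netify's code or any vendor's product: it compares a constructed asset inventory against constructed observations (the kind of MAC/VLAN/firmware data a switch, DHCP server or NAC exports) and reports devices that are not in inventory, inventoried devices that have gone missing, IoT devices that have landed on the payment VLAN instead of the isolated IoT VLAN, and devices running firmware older than the approved version. All MAC addresses, VLAN ids, device types and version numbers are assumed sample values.

```python
"""Reconcile observed network devices against an IoT asset inventory.

Added example for this page (not Netify's code). All data below is
constructed: inventory entries, approved firmware, VLAN policy and the
observed devices are assumptions chosen to exercise each finding type.
"""

# Constructed inventory: what the organisation believes is on the network.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"type": "camera", "vlan": 30, "firmware": "2.4.1"},
    "aa:bb:cc:00:00:02": {"type": "thermostat", "vlan": 30, "firmware": "1.9.0"},
    "aa:bb:cc:00:00:03": {"type": "card_reader", "vlan": 10, "firmware": "5.2.0"},
    "aa:bb:cc:00:00:04": {"type": "printer", "vlan": 30, "firmware": "3.0.0"},
}

# Assumed approved (latest) firmware per device type.
APPROVED_FIRMWARE = {
    "camera": "2.4.1",
    "thermostat": "1.9.2",
    "card_reader": "5.2.0",
    "printer": "3.0.0",
}

# Assumed isolation policy: IoT devices belong on VLAN 30, payment
# terminals on VLAN 10. A device outside its allowed set is a segmentation gap.
ALLOWED_VLANS = {
    "camera": {30},
    "thermostat": {30},
    "card_reader": {10},
    "printer": {30},
}

# Constructed observations, e.g. a DHCP lease or ARP export from the switch.
OBSERVED = [
    {"mac": "aa:bb:cc:00:00:01", "vlan": 30, "firmware": "2.4.1"},
    {"mac": "aa:bb:cc:00:00:02", "vlan": 10, "firmware": "1.9.0"},  # IoT device on payment VLAN
    {"mac": "aa:bb:cc:00:00:03", "vlan": 10, "firmware": "5.2.0"},
    {"mac": "de:ad:be:ef:00:09", "vlan": 30, "firmware": None},     # not in inventory
    # the printer aa:bb:cc:00:00:04 is inventoried but was not observed
]


def parse_version(version):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))


def reconcile(inventory, observed, approved, allowed):
    """Return findings keyed by category; each list is ordered as observed."""
    findings = {"unknown": [], "wrong_vlan": [], "stale_firmware": [], "missing": []}
    seen = set()
    for obs in observed:
        mac = obs["mac"]
        asset = inventory.get(mac)
        if asset is None:
            # A device the organisation does not know about is the first
            # thing to isolate and investigate.
            findings["unknown"].append(mac)
            continue
        seen.add(mac)
        dev_type = asset["type"]
        if obs["vlan"] not in allowed[dev_type]:
            findings["wrong_vlan"].append((mac, obs["vlan"]))
        # Fall back to the inventory's last known firmware when the
        # observation carries none.
        firmware = obs.get("firmware") or asset["firmware"]
        if parse_version(firmware) < parse_version(approved[dev_type]):
            findings["stale_firmware"].append((mac, firmware, approved[dev_type]))
    # Inventoried devices that were never observed may be offline or stolen.
    findings["missing"] = sorted(set(inventory) - seen)
    return findings


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, OBSERVED, APPROVED_FIRMWARE, ALLOWED_VLANS).items():
        print(f"{category}: {items}")
```

Run periodically against a fresh export, the "unknown" and "wrong_vlan" lists are the ones that should page someone, since they are the segmentation failures that PCI scoping depends on; "missing" and "stale_firmware" are the routine asset-tracking backlog.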

6. Do we utilize any cloud solutions for hosting customer data, applications or services?

  1. We try our best to host everything on cloud as we don’t like to maintain physical servers on-premise
  2. We keep everything on-premise because we don’t trust cloud providers with our sensitive data
  3. We are trying to modernize our infrastructure and processes but haven’t gotten everything onto the cloud just yet
  4. We haven’t decided what we will utilize the cloud for, if anything

Requirement: Cloud Security

Cloud processing, storage and networking are becoming commonplace in the retail industry, and therefore the security of all identities, data, transactions and infrastructure is of the utmost importance. A single failure to update an application or a driver on a server could lead to severe breaches that could cost the organization millions and lose clients’ trust. Still, the efficiencies and scalability of cloud technologies can’t be ignored, and in many cases a fully managed cloud solution can be significantly more secure than on-premise infrastructure.

7. Are our physical locations constantly being monitored and improved for gaps in security coverage?

Specifically, is the training we provide our staff effective in helping them understand and manage our environment’s physical security or social engineering risks?

  1. We do not have physical locations – we’re online-only
  2. Our physical locations are monitored by a 3rd party physical security provider and we rely on them to ensure there is no physical access to our networks that is unauthorized
  3. Our IT team tries to investigate physical locations for vulnerabilities, but their time is better spent on other projects
  4. Our asset protection team occasionally performs training exercises with our staff to ensure that they can respond effectively to new threats

Requirement: Penetration testing or Red Team Engagement with Social Engineering

This is something that not all organizations will embrace, but effectiveness cannot be over-emphasized. Security assessments are not meant to get people in trouble or point out shortcomings – they exist to show an organization their weak spots and areas that they can improve. This is especially important for organizations with physical infrastructure and publicly accessible endpoints. Providers offering these services can also assess internal and 3rd party security teams on their ability to apply their knowledge and test their solutions against a more realistic threat, up to and including advanced persistent threats (APTs).

8. Are our employees constantly improving their understanding of cybersecurity risks and our compliance requirements?

  1. We have required trainings once a quarter that our employees go through ritualistically
  2. We are constantly implementing and trying new methods to train our employees and keep them on the defensive when it comes to cybersecurity risks and management
  3. Our team isn’t technically savvy enough to keep up on cybersecurity threats
  4. We just hire a 3rd party to come train all new employees in groups on cybersecurity and email them updates every so often

Requirement: People Education and Training

As one of the most critical attack vectors, people are always going to be one of the most difficult security challenges to manage. It is essential that proper consideration has been and continues to be given toward the education and constant reinforcement of best practices and company policies for all the humans involved in the organization, from facilities and frontline staff to IT administrators and C-level executives. Ensure that the solution the organization deploys has the proper program for training and educating the organization’s members.

9. If we were audited today, do we have full confidence that there would be no gaps?

  1. No, last time we were audited everyone was running around trying to figure out what to do
  2. Yes, everyone has been trained and equipped to demonstrate compliance with applicable regulations and we audit internally regularly
  3. We try to ensure everything is ready and organized in the case of an audit, but we have limited resources and we are still managing some compliance tasks in spreadsheets that should be in a more proper system-of-record
  4. We have a comprehensive compliance tracking and monitoring solution that is regularly audited for accuracy and completeness

Requirement: Compliance Tracking and Monitoring

Depending on an organization’s business, there can be extensive applicable regulations to keep on top of. It is crucial that the organization has its records up-to-date, accurate, and reportable, to ensure that any anomalies will be known well before an audit takes time and/or money out of the company’s bottom line.

10. Are all communications between employees secured and encrypted to safeguard sensitive data?

  1. We monitor all of our corporate communications and use public databases to monitor for leaked data or communications that should be private
  2. We use Google Chat and Gmail
  3. We just use e-mail and our internal Exchange server so we can keep record of everything sent to and from a company email
  4. We allow our employees to use whatever communication services they like, but train them on information security and company policy to ensure they know the proper way to handle sensitive data

Requirement: Communication and Collaboration Security

Communication and collaboration security is critically important today because a lot of sensitive information, assumed to be safe and internal, is shared via email, text message (SMS) and chat applications. Collaboration software often needs to be even more secure due to the nature of the content being shared (for example, product design ideas or go-to-market strategies) and its need to be accessible from anywhere for WFH.

Statistics

Cybersecurity market worth

Financial Services Cybersecurity sector spend (based on 2021 stats, measured in billions USD)

  • 2021: $220B
  • 2022: $235B
  • 2023: $260B
  • 2024: $285B

Zoom demo

Find out which Cybersecurity and SD WAN solution is better for your retail business needs. Get a personalized one hour Zoom demo or vendor briefing.

Netify will arrange either a 1 hour demo session of Gartner rated vendors, niche players and startups, with walkthroughs of features and benefits, or a vendor briefing session to learn more about high level capability.

IT Decision Makers Report

The retail IT decision makers Cybersecurity and SD WAN checklist.

Netify has created the ultimate retail SASE cybersecurity and SD WAN IT decision makers checklist. Learn about the key areas you must consider when evaluating vendors and managed service providers.

Netify is the first dedicated global SD WAN & SASE comparison marketplace.

Visit the marketplace