Small and medium business (SMB) retailers are particularly vulnerable to cyberattacks because their in-house expertise and monetary resources for cybersecurity are typically modest. In fact, according to the 2018 Security Scorecard Retail Cybersecurity Report, small retailers are more likely to be the subject of cyberattacks, accounting for 43 percent of all attacks last year in the retail space.
In addition to looking at managed security services as a cost-effective way to implement protections and mitigate cyberattacks, SMB retailers can shore up their security profile by addressing these six issues.
1. Don’t Focus Exclusively on Compliance.
Many SMB retailers orient their security strategies around maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS) for handling credit and debit card transactions; it’s mandated by law, and non-compliance carries steep penalties. However, focusing only on PCI DSS compliance often means neglecting other areas where threat actors are operating: for instance, retrieving tempting morsels of personally identifiable information (PII) from cloud storage. Make sure that any security approach takes into account the protection of all of your data, not just your customers’ card information.
2. Don’t Rely on Legacy Tools.
Many existing systems and tools can’t keep up with new cybersecurity demands. As companies continue to move their applications, data, and workloads to the cloud, embrace mobility and SaaS apps, and implement IoT, the network is no longer restricted to a physical footprint. And because cyberattacks evolve so quickly, security policies and tools that were put into place even 18 months ago may be outdated. Make sure to do an audit of your existing security tools; ensure they address your entire footprint, even the parts that are off-site, and update them often.
3. Take Preventative Action.
Most cybercrime is financially motivated, with groups of hackers looking to knock over a store (digitally speaking) very quickly, grabbing lucrative information that they can sell or use for phishing attacks, and moving on. The adversaries’ business model is one built on volume. They can’t afford to spend a lot of time or effort penetrating a business, so low-hanging fruit is often the target. Instead of waiting for inevitable attacks and only focusing on remediation plans, SMB retailers should take action to stay out of the “easy pickings” category by making sure that internet-facing servers are properly protected, changing default passwords, patching all software as new versions come out, training employees on how to recognize phishing emails, and so on.
To the latter point, it should be noted that the Security Scorecard report found that 62 percent of attacks on retail SMBs arose out of phishing and social engineering.
4. Keep Up with New Threats.
Cyber criminals are always crafting new malware and stealth tactics with the goal of remaining undetected; it’s a space that never stands still. For the retail sector, new types of point-of-sale malware and ransomware variants are always cropping up. Take for instance the card-skimming crime conglomerate known as Magecart. The group generally installs skimmer code on vulnerable e-commerce pages to scoop up payment-card data, but in March, they started injecting malicious code into third-party Java libraries used by e-commerce websites to serve advertisements. Make sure you know what’s going on out there so your security strategies can evolve accordingly.
5. Avoid Supply-Chain Woes.
Even when their own infrastructure is locked down, up-to-date, and actively assessed, many SMB retailers fail to protect their business-to-business (B2B) vendor connections. These can be significant weak links if suppliers have direct network interfaces with the retail infrastructure or are exposed to sensitive customer data. Make sure to do your due diligence around the security of your supplier connections.
6. Don’t Spend Too Little.
Organizations only dedicate an average of about 5 percent of their overall IT budgets to security and risk management, according to a recent Gartner report. That’s a woefully small amount given the damage that can come from a successful cyberattack. According to IBM’s 13th annual “Cost of a Data Breach” study conducted by Ponemon Institute, the global average cost of a data breach was up 6.4 percent in 2018, reaching $3.86 million per incident. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent to $148. These costs add up quickly, and could be enough to send many SMB retailers into bankruptcy.
Cyber criminals will continue to target retailers as long as their efforts remain successful. Given retailers’ ongoing adoption of new technology and ways of working, it’s likely that the cyber criminals will find holes in the armor that they can use to continue to compromise businesses that don’t prioritize cyber defense.
This is particularly challenging for SMB retailers, because maintaining a strong IT security posture requires skills and resources that often strain their budget. Hiring a cost-effective managed services provider like TPx could be the remedy.
Visit tpx.com or call your TPx representative today to find out how TPx can help you stay up-to-date and prepared for the latest threats, without breaking the bank.
About the Author
Erik Nordquist is the Senior Product Manager for TPx Communications’ managed security services. He’s led a broad range of critical activities, including Field Operations and the Hostmaster team where he built TPx’s anycast DNS network to service its 55,000 customer locations. His work on the Network Integrity team made him the resident expert for mitigating Denial of Service (DoS) attacks. After interfacing with customers for years, Erik is bringing his customer-focused approach to his Product Manager role, helping to deliver first-in-class security services to TPx clients with unsurpassed customer support.