8 Holiday Security Tips For Retailers

Once again, the holiday season is upon us, and for retailers, that means an especially busy time. Online sales, for example, are expected to jump 14% to 18% this year compared to 2018, according to the 2019 Deloitte holiday retail survey.

The holiday season is also a time for retailers to be proactive about security. Among the highest risk factors, according to Muktar Kelati, director of intelligence operations for the Retail & Hospitality ISAC (RH-ISAC), are employee negligence or poor security hygiene, unpatched vulnerable systems, misconfiguration or poor security of publicly accessible online resources, and older point-of-sale (POS) systems.

“The industry has realized that security is a broad problem that requires a multifaceted approach from not only the retail sector, but the financial sector that issues and manages the payment infrastructure, as well as supply chain partners, third-party service providers, the major technology players and the public sector,” Keltai says.

Retailers also should be on the lookout for ransomware attacks, including those tied to distributed denial-of-service (DDoS) attacks, adds Adam Levin, founder of CyberScout.

“Small retailers are also vulnerable,” he says. “They often don’t have the training, budget, or resources, but it’s important to keep in mind that no business is too small or unimportant for a hacker.”

With that as a backdrop, retailers can use these eight security tips to prepare for the holiday rush:

1. Secure Your Cloud

Aamir Lakhani, global security strategist and researcher at Fortinet, says retailers need to remember that cloud providers generally only protect the underlying infrastructure that the company’s resources are sitting on. It falls on retailers to protect their data, applications, and any virtual infrastructures that are in place.

Retailers also need to review their cloud exposure and harden their security posture, focusing on cloud server misconfigurations and lax password policies, RH-ISAC’s Kelati adds.

2. Segment the Network

Especially during the holidays when online traffic surges, retailers should make sure their online presence is fully segmented from their internal network resources. Fortinet’s Lakahni says it’s not uncommon for retailers to have multiple devices on the same network, such as POS terminals, video camera and security systems, and general Internet access. An attacker need only find a weakness in one of those systems to move laterally and launch attacks.

3. Protect Against Digital Skimmers

Digital skimmers are JavaScript code that sit on a Web retailer’s checkout page and steal credit card data. RH-ISAC’s Kelati says retailers should be on the lookout for potentially malicious third-party code and try to reduce JavaScript code as much as possible.

Researchers have seen a rise in cybercriminals, such as MageCart, that insert credit card skimmer malware into vulnerable websites, Fortinet’s Lakhani says. Cross-site scripting, SQL injection, and broken access controls can leave retail customers exposed, he points out. If not hosted properly, they can also compromise the retailer’s online ads.

4. Harden Your Mobile Apps

Mobile devices are a growing threat vector. If a retailer has an app that can be downloaded and run on a personal device, it needs to make sure its development team uses best practices, Fortinet’s Lakhani says. For example, retailers should ensure their development teams regularly download and run their apps to check that hackers haven’t tampered with them and injected malware.

In addition, retailers should review their vulnerability management processes and apply critical patches and systems updates to all mobile apps, adds RH-ISAC’s Kelati.

5. Protect the Company’s In-Store Wi-Fi

Retailers deploy Wi-Fi for a variety of reasons: to provide Internet access to customers, to identify frequent shoppers and customize their shopping experiences, and even to track user devices through a store to log traffic and purchasing patterns. Fortinet’s Lakhani says retailers should be aware they are susceptible to having their Wi-Fi systems hijacked and need to secure all of the communications to their stores. Lack thereof is a serious problem that can lead to man-in-the-middle attacks and users downloading malware onto their devices.

6. Prepare Your Staff Properly

Retailers must make an effort to enhance employee preparedness through phishing simulations, social-engineering tabletop exercises, and password-hygiene training, RH-ISAC’s Kelati says. Retailers also need to create and test direct lines of communication among the various security teams. These include the security operations center staff, threat intelligence, fraud and loss prevention, and physical security. Solid coordination among the e-commerce director, chief data officer, and CISO is also a must. Retailers need to create and test response playbooks for the most likely cyberattack scenarios and reassess those programs as the season moves on.

7. Be on the Lookout for Seasonal Scams

Jonathan Care, a research director at Gartner who focuses on payment systems, cybersecurity, and fraud, cautions retailers to be on guard for any number of seasonal scams.

First, in the case of POS terminals that break down and need to be replaced, watch out for scammers who show up claiming to be from a legitimate company when, in fact, they are fraudsters delivering replacement terminals loaded with malware. Don’t accept the new terminals unless they are from a company you know the retailer does business with or can confirm from a manager or the central office that the provider is legitimate.

Second, retailers should be on the lookout for fraudulent payment cards or gift cards. Train cashiers to look for crooked strips or residue from a larger piece of tape. There’s often software in their chipsets that can take out a POS.

Finally, people answering calls in the contact center need to be aware when a voice on the phone doesn’t seem to match the name on the credit card (for example, a woman calling when it’s a man’s name on the card). These type of voice scams happen all the time, especially during the holidays when call centers are super busy.

8. Partner with Industry Groups

Every retailer should know about at least a couple of industry groups. One is the National Retail Federation, which has online tutorials on topics ranging from digital skimming to access management best practices. Retailers can also work with information sharing and analysis centers such as the RH-ISAC, which issues consistent updates on the latest threats, how retailers can learn from their experiences, and detailed analysis on the most prevalent threats, such as digital skimmers, ransomware, employee negligence or malice, social engineering, and account takeover and credential stuffing.


Head to the blog to read more articles like this:

13 Tips For Good Cyber Hygiene At Black Hat And DEF CON 2019

Security Tips To Keep Your Summer Vacation Fun

ThreatList: Holiday Spam, the Perfect Seasonal Gift for Criminals

Secure Sense is the security provider that cares. We are a team of experts with a passion for IT and protecting your organization is what motivates us daily. If you have questions or want to learn more about how we can improve your organization’s security, our services or just want to chat security please give us a shout. If you’re looking to guest blog, please send an email here.

You can also find us on TwitterFacebook,  LinkedIn.