How Small Retailers Can Take Their Cybersecurity from Zero to 60

A laundry list of major companies of which you've almost certainly been a customer have been victims of cybercrime, exposing the sensitive information of hundreds of millions of customers. Both e-commerce and brick-and-mortar retailers are appealing targets for cyber criminals. Though big merchants are usually the ones that make headlines for cyberattacks, smaller businesses are just as susceptible. It is less a question of whether an attack will occur next and more about when. Now more than ever, it is important for retailers, especially small businesses, to equip themselves with knowledge and have a game plan set in place.

According to the 2017 Trustwave Global Security Report, the retail industry faces more attacks than any other vertical. It takes time and money for retail companies to rebuild their point-of-sale (POS) systems with tighter security through EMV compliance and stronger safety protocols. They need money to hire support to secure the networks, to buy better software and to buy newer, encrypted POS machines. After all of these measures, the costs can be daunting to a small business owner. Regardless of the upfront expenses of upgrading security measures, the cost of one fraudulent chargeback or data breach alone will be more than they paid to upgrade their systems. Therefore, first and foremost, retailers must make sure they have a cybersecurity policy that makes sense for their individual business needs.

Cyberattacks are continuously growing, which is overwhelming for retailers that do not know where to begin. While keeping a secure system is an ongoing process, here are five steps that retailers can take to strengthen their security:

1) Strengthen Domain and Network Security

The fundamental building blocks of cybersecurity policies start with network security. For example, a website's content management system (CMS) could have an exposed administrative portal that is ripe for hacking. You should invest in a high-quality secure domain provider. In this case, cheaper is not always better. After the secure domain has been established, an SSL certificate to encrypt data on the site is a must for retailers that are processing personal information, such as credit card numbers and addresses for online purchases. This is a critical step that is constantly overlooked, but having the right configurations in place is non-negotiable for business owners.

2) Create a Systematic Patching Routine

Out-of-date software creates a window for hackers to climb through when they cannot get in the locked front door. Unpatched vulnerabilities are a clear point of pain for most retailers. Hackers tend to exploit older vulnerabilities, which makes it critical to update all company software frequently. If you are not keeping up with the latest fixes, that can lead to a system that is permanently exposed. Regularly updating software is a simple, but often ignored, way to reduce the number of vulnerabilities in your systems.

3) Establish Strong Passwords and Password Policies

A lot of vulnerabilities are created when employees do not change their username and password from the default login information given to them. This can leave a clear opening for hackers. Though some exposed administrative portals prompt for login information, many of those default credentials for CMS programs can be obtained easily by intruders.

You need to implement strong password policies that require employees to create a new username and multi-factor password, as well as change that information every so often. Most merchants do not know what their system looks like from the outside so they do not understand how simple password policies can have major impacts on the security of their business.

4) Segment Networks

Another aspect of filling in vulnerabilities is by segmenting various applications and grouping items of similar sensitivity. That alone allows retailers to limit traffic within high-risk zones, which will help break up data into multiple pathways in the event of a malware attack. You can limit the success of a cybercriminal by compartmentalizing networks and keeping all the various components separated. Many third-party service providers are granted access to a variety of functional components during their work, including climate control and security cameras. Segmenting that type of IT from the point-of-sale systems is crucial so that air conditioning or lighting does not become a pathway to the POS system.

5) Increase Employee Awareness

Your security is only as strong as its weakest link, which typically are the employees. Money, tools and technology aside, knowledge of security best practices is vital. Even if a company has stellar security, the most common way to break in is through social engineering, by tricking an employee into doing something they should not be doing. Hackers love to prey on employees who they presume are lacking in knowledge about their company's security policies. This is mainly due to retailers failing to provide adequate training on a regular basis. Consistently keeping security at the forefront of their employees' minds, including around phishing, will help build stronger awareness. Meanwhile, you can protect your domain name from being spoofed, forged and used in phishing attacks by using Sender Policy Framework (SPF) records.

**

Retailers are on the most-wanted list for hackers, as online shopping continues to grow. They will utilize opportunistic attacks to get in, get what they want, and then quickly get out. It is important for you to address retail security challenges and their inherent destructive potential, and come to terms with the fact that no business, no matter what size, is truly safe. It is important to determine how these opportunities for system breaches are being created and develop an end-to-end security model that fits within your budget. Protecting a business and the bottom line is no easy feat, but by addressing the severe nature of these attacks and designing a solution, it is possible to minimize security risk.

This guest post was written by Sterling Payment Technologies, a Tampa, Fla.-based payment processor.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.