
Retailers are susceptible to hacks and cyber attacks because they lack tech skills and focus more on moving products.
This is according to Andrew Henwood, CEO of Foregenix, who says there are five main challenges facing the retail sector when it comes to security:
1. Underinvestment, lack of expertise and lack of staff training, all of which make it difficult for retailers to protect their environments. "Retailers typically do not understand security nor, frankly, do they want to, nor should they need to if they invested in embedding security from the outset and follow good security principles."
2. Security is always difficult and/or expensive to retrofit. "It is far simpler (cheaper) to build security into an environment from the ground up. An analogy is you don't get a structural engineer and architect in after you've built your building."
3. Cyber attacks are largely anonymous and may occur at any time, at the most vulnerable periods. "Hackers work 24/7/365; they strike when folks least expect it to maximise their return. We've worked a number of cases where the attack was over periods of minimal staff availability, like Christmas day."
4. Retailers often do not realise they are vulnerable to attack. "It's pretty simple to sign up as an online retailer and obtain card payment facilities without understanding the complexities of operating securely in an online world. Likewise for the physical retail world and implementing an integrated point of sale system with a bank-owned terminal, with little regard to securing the architecture."
5. Even basic security is not being done, such as due diligence on third parties and connected networks, patching of systems, and segregation of duties and systems. "Many of the environments we're exposed to are not even getting the basics right. Unpatched systems, running unsupported operating systems. Employees using Facebook and personal e-mail accounts on sensitive systems, etc."
Henwood explains retailers are typically not tech-savvy. "Their focus is on selling goods to consumers for profit and they typically do not understand the intricacies of securing their environment."
In addition, says Henwood, retailers need to appreciate they handle sensitive cardholder data and must take appropriate steps to address the inherent risk this poses.
"It should be noted that the vast majority of hacks could have been blocked by following very simple security procedures, like ensuring appropriate patches installed, alerts and logs monitored (if they are activated)."