The rise of online shopping has opened up new possibilities for retail businesses, while at the same time, exposing the industry to greater cyber risks than ever before. In fact, Australians have already lost over $1.8 million to online shopping scams by the first quarter of the year alone as cyber crime proves to be a key challenge in our digitally driven society.
With more transactions occurring online than ever, people are increasingly providing their personal and financial information to online retailers, making cyber criminals pay special interest to eCommerce trends. The operational shift to digital has placed cyber security management high on the radar as the retail sector was targeted by data theft attacks seven times higher than other industries in 2021.
While we cannot stop the retail industry from being a lucrative target for cyber criminals, retail businesses do have the power to adopt strong preventative measures and conduct regular assessments of online platforms to protect customers. Usually, these come at a cost to user experience or speed, but is there a way that retail organisations can allow both business agility and enhancements of defenses at the same time? I believe there is, by aligning with Zero Trust.
Adopting the zero-trust mindset
Critically, retailers need to implement a Zero Trust approach to security to remain competitive, and keep their staff and customers safe from cyber crime. A strong cyber security posture is critical for business enablement. Without it, retailers risk losing customers, damaging brand reputation, costly litigation and a halting of trading.
Zero Trust is about taking the stance that nothing should be trusted, until proven otherwise. This approach to cyber security requires systems to apply regular scrutiny to determine whether a user, application or system should have permission to carry out an action. What this means is that businesses can proactively mitigate chances of a data breach or cyber attack because they build their security controls assuming an attacker could be inside their systems at any time.
More and more, customers have higher expectations and customer loyalty is dependent on whether a retailer can deliver on seamless experiences. A part of that seamless experience is having the peace of mind that the platform they engage with is safe, and any data provided will not be compromised by a breach. If not, they will not hesitate to move to another retailer. In fact, research shows that organisations who suffer a data breach underperform 15.6% on average over the subsequent 3 years. The Zero Trust architecture has never been more important to enabling retail businesses to monitor and respond to advanced threats with speed and accuracy at all touch points.
Leave no stone unturned
The Zero Trust mindset must be entrenched across all aspects of any retailer wanting to take advantage of the opportunities of eCommerce. The concept needs to be considered throughout a business’ entire technology and people landscape, which can be broken down into 8 key pillars: People, Identities, Endpoints, Networks, Infrastructure, Applications, Data, and Analytics. By applying Zero Trust to all areas of a business, retailers can ensure that they are taking a comprehensive approach – leaving no room for gaps or weak links in their organisation’s cyber security posture.
The good news is that implementing a zero-trust model is made achievable with modern technologies available to tailor to any business’ needs. It is both realistic and achievable for even the smallest business that may be just starting their cyber security journey.
Here are six tips to get started on a cybersecurity strategy aligned with zero-trust for retailers:
- Establish strong security training for staff to ensure all members of the team are equipped with the knowledge and tools to be a line of defense against cyber crime. Don’t forget to measure the effectivenessof your cyber security training as well, with continuous social engineering and phishing tests/reports.
- Safeguard email services with configurations to block links that trick staff into visiting malicious sites or opening dangerous attachments. If an email is External, users should be made aware. If an email is received from a remarkably similar name/address to internal staff, quarantine it. In addition, incorporating email protection best practice into cybersecurity training is key to mitigating the chances of compromise due to human error.
- Protect your external attack surface with tools like web application firewalls, continuous vulnerability scanning and secure software development practices. If you rely on a third party for your Ecommerce/website, ask them if they employ the above. Don’t forget as well to protect key business applications by using multi factor authentication and strong password policies for all staff.
- Apply least privilege on your network with strong network segmentation practices. If a server, application or user doesn’t need to communicate with each other, ensure they cannot by segmenting them. This stops a single incident of a compromised device becoming a company-wide breach.
- Mitigate the risk of malware and ransomware with tools including application control, endpoint detect and response (EDR) and real time, cloud aware web filtering. These tools should be cloud-controlled, making them equally effective off-premise and on-premise.
- Protect your customers by showing them you take security seriously. Have an email address where vulnerabilities can be disclosed to posted on your websites and offer multi factor authentication as an option to protect their online accounts.
By following these recommendations, retailers can stay ahead of constantly evolving threats with security protocols in place to protect systems and users against all levels of risk.
Lee Roebig is customer CISO for Sekuro.