Many Australian retailers are doing it tough during the pandemic and face the added problem of increasing cyberattacks. Point-of-sale systems, inventory management, payment gateways and the communications systems used to stay in touch with suppliers and customers are all targeted by cyber criminals. Over the last year, well-known retailers such as Noni B, Sephora and Kathmandu have been hit, with customer data put at risk.
Retailers rely on technology such as endpoint protection and firewalls to help protect their systems. But a critical element of that defence is a well-trained workforce that is aware of the threats and can help identify and block attackers. That's why a well-planned and well-executed security awareness program for retail staff is so important.
By making your people aware of how they can protect the business, you can stop attackers and identify threats before they become a problem that could jeopardise your brand's viability. Detecting and remediating an attack is costly in itself, and a large-scale attack or breach can also do lasting damage to customer trust.
Here are five tips to help you design and run a great security awareness program.
1 – Personalise your approach
Retailers are great at thinking about the specific needs of customers: by analysing customer data and personalising their approach, they boost sales. The same goes for training. A great way to help staff understand the relevance of online security is to make it personal. Run training on securing personal cloud and social media accounts with strong passwords and two-factor authentication, and show them why a secure wireless network matters. Once they understand the personal relevance, the leap to why it matters at work is an easy one, and that is what drives behaviour change.
2 – Encourage positive behaviour
Many retailers are reactive when it comes to cyber-crime. If a team member falls victim to a ransomware attack, they are usually "punished" with further training or some other discouraging action. A better approach, once you've run your training, is to incentivise staff to report potential problems. Adding a report button to your email system makes it easy for staff to forward a suspicious email to a safe mailbox where the security team can assess it. If the email turns out to be an attack, the person who reported it should be rewarded.
3 – Tailor your training
Retailers don't run the same systems as factories or banks, so it doesn't make sense to give a retail operative in a store the same training as a bank teller. Look at your specific risks and focus your training on those. For example, if you have staff responsible for paying supplier invoices, train them to spot the signs of invoice fraud, where a crook sends a fake invoice that looks genuine and dupes someone into paying a phoney bill; a sudden change to a supplier's bank account details or pressure to pay urgently are typical warning signs. Or help staff understand what can happen when they open a link in an email from a stranger.
4 – Be supportive
Retail can be a very high-pressure, fast-paced environment, and that leads to mistakes. If a team member regularly clicks on dodgy links or opens suspicious attachments, look for the reasons why. Perhaps they are overworked or stressed. Rather than giving them a hard time, look for ways to support them, and put extra controls around the critical data they can access so that a single mistake does less damage.
5 – Be a team
Retail security teams shouldn't take an 'us and them' approach to security. Successful security teams have shifted from focusing on threat management to becoming trusted advisors. Instead of running annual security training, run more regular 'bite-sized' sessions that give people information in digestible chunks. As well as formal processes like training, informal 'water-cooler' discussions matter. This culture change is hard to measure but critically important.
Michael McKinnon is chief information officer at Pure Security