Knowledge — And Speed — Power Retail Security

Everybody wants the newest thing when it comes to security technology but, sometimes, at the cost of understanding potential risks. In this week’s Retail Security Tracker, we take a look at the downside of some new measures, as well as the importance of every (nano)second in data breach protocol.


Retailers are finding seemingly myriad new technologies to beef up security, both in-store and online. But could some of these new security measures actually be leaving retailers more exposed? We examine several new trends in security to understand the upsides and downsides of adopting new protocols in this week’s Retail Security Tracker.

What You Don’t Know…

There are a handful of new in-store security technologies that seem to be most popular among retailers. According to a recent article by Retail Info Systems News, those include Wi-Fi, IoT (Internet Of Things, which equates to interconnected devices used to manage store inventory and connect multiple in-store systems, including payments), as well as EMV. While these technologies have undeniably increased stores’ ability to spot and deter security breaches, they also may be posing unseen threats.

Wi-Fi, while meant to increase engagement with customers in-store, is often placed in “set-it-and-forget-it” mode (commonly by the marketing department). This lack of constant monitoring and frequent security protocol updates can leave in-store Wi-Fi networks — and thereby the customers who may be using them to complete in-store comparison shopping and, hopefully, transactions — vulnerable to attack.

IoT is more than a buzzword. The future of how retail stores are run lies in the interconnected devices and systems used by management, on-the-floor employees and IT departments. The benefit is the ability to access different systems on demand from multiple access points, but this, too, presents a security threat. As RIS News notes, IoT creates new challenges for retailers, which need to ensure that every endpoint within the organization is secure. The retail IoT market is projected to be worth more than $35 billion by 2020, according to RIS News, as retailers invest in IoT to manage inventory, track theft and loss, enable mobile payments, provide shopper intelligence and create insights for advertising and marketing inventory.

EMV, while intended to be a boon for securing in-store, card-present transactions, has proved to be something of a distraction. As RIS News points out, some merchants have confused EMV’s capabilities with PCI compliance requirements, leaving the systems over which they conduct transactions without the security checkpoints needed to safeguard them against data breaches. To remain PCI-compliant, merchants must address SSL risk, as assessed in PCI DSS version 3.1, by the end of June 2016. But if EMV adoption is any indication, it is likely that many merchants will drag their feet in updating their systems to comply with the new PCI standards.

Time Is Of the Essence

A new survey from Tripwire asked 763 IT security experts about their ability to detect a breach. The results show that these experts have more faith in their own abilities than in the automated tools they often use.

As BetaNews reported, the survey questioned professionals from various industries, including retail, energy, financial services and public sector organizations in the U.S., and revolved around seven key security controls needed to quickly spot malicious activity. The key question involved the detection of unauthorized configuration changes as the “hallmark of malicious covert activity,” according to Tripwire.

Sixty-seven percent of respondents could not say exactly how long it would take automated tools to detect unauthorized configuration changes to an endpoint on the organization’s network, according to BetaNews. Meanwhile, 71 percent said it would take “minutes, or hours at worst,” to detect a configuration change to an endpoint on the organization’s network.

“All of these results fall into the ‘we can do that, but I’m not sure how long it takes’ category,” Tim Erlin, director of IT security and risk strategy for Tripwire, told BetaNews. “It’s good news that most organizations are investing in basic security controls; however, IT managers and executives, who don’t have visibility into the time it takes to identify unauthorized changes and devices, are missing key information that’s necessary to defend themselves against cyberattacks.”

In a world where cyberattackers can download thousands of sensitive records in a matter of minutes, time is of the essence: the less time it takes IT professionals (or their tools) to spot a breach, the safer the information of retailers and their customers will be.