The role of cybersecurity in helping retail open post-COVID-19

September 10, 2020

Retail businesses have arguably been one of the industries hardest hit by the current COVID-19 pandemic, with layoffs across the industry and multiple large retailers declaring bankruptcy in the past few months.

The pandemic has redefined what it means to be a resilient business, especially when it comes to retail. “Essential” businesses that have remained open, such as supermarkets or pharmacies, have had to figure out how to operate safely in this new world. Meanwhile, many retailers around the world have had to close their doors, are trying to understand the changes needed to re-open physical stores, and in many cases build an online presence.

No matter the type of retailer, the importance of cybersecurity hasn’t gone away. If anything, it becomes more important as a cyber disruption could be the fatal final straw for a business looking for a smooth return to operations and maintain its brand image and reputation.

One challenge that retail organizations face is that their environments are flooded with internet-connected devices. While this is not unique to the retail sector, the benefits of sensors and connected devices to enhance the in-store experience has led to a much higher ratio of devices to people in this sector. A typical retail environment has a device to people ratio of 5:1, meaning that for every 100 employees there are approximately 500 devices that need to be secured and managed.

While these devices, such as self-scanners or point of sale (POS) systems, can enhance the customer experience, they can also create serious challenges for the IT and security teams. Not only does the sheer volume of Internet of Things (IoT) and operational technology (OT) devices vastly increase the attack surface for an organization, but many of these devices also rely on vulnerable underlying software and hardware components that can also increase risk and be particularly difficult to fix.

What steps should retailers take to ensure that cybersecurity doesn’t get left behind in the opening process? When it comes to securing connected devices in retail environments, the foundational place to start is to increase device visibility. This gives an organization certainty around how many devices are on the network, where they are, and an understanding of their overall security posture.

From that foundation, an organization can more confidently implement a cybersecurity strategy to reduce risk from those devices. For instance, an organization can consider tools like network segmentation, which allows security teams to have greater control over what parts of the network devices have access to. Network segmentation is particularly applicable to retail environments, as IoT devices like POS systems typically run embedded operating systems, which can make patch management a manual process. Patching also requires change control windows and, if not done correctly, can cause unplanned system downtime.

More significantly perhaps, network segmentation can also prevent the lateral movement of an attack across the network. In practice, this could mean preventing hackers accessing sensitive corporate or customer information or limiting the scope of a ransomware attack. Both of these events could be catastrophic for a retailer in the midst of returning from a pandemic, when customer safety - both physical and digitally - is more important than ever.

Another consideration is to look at retail cybersecurity as a team sport. Historically, the retail industry tends to be less forthcoming when it comes to sharing cybersecurity learnings, largely due to the competitive nature of the business. However, lack of collaboration across peers can lead to slower progress across the industry overall. Boden, a large U.K. fashion retailer, shared some of their key learnings which might help others navigate this tricky landscape.

Retailers undoubtedly face an uphill battle when it comes to assimilating to their “new normal” post-pandemic. While the future remains uncertain for many around the world, by combining a more holistic view to device management and security with industry collaboration, retailers can at least limit one risk factor of many that will be affecting their businesses during this difficult time.

AJ Dunham is Principal Systems Engineer at Forescout Technologies.

With the advent of Internet of Things (IoT) technology and Industrial Internet of Things (IIoT), the cyber security practices are increasingly getting integrated with the physical security practices.

We will provide insight on NDAA Section 889 and how the act has evolved and impacted business, so that organizations can better mitigate risk and stay compliant.